Today more and more everyday devices are interconnected. While they are certainly making life easier, they have also created new attack vectors for hackers. As we begin to enter the world of IoT it is important to be aware of and understand the new and expanded security risks involved and how to combat them with IoT security.
by Gerhard Kafka
Now that we are going to connect everything to the Internet, new opportunities are arising for cybercrime. The IoT refers to any object or device which connects to the Internet to automatically send and/or receive data. These include automated devices which remotely or automatically adjust lighting or HVAC (heating, ventilation and air conditioning); security systems, such as security alarms or Wi-Fi cameras, including video monitors used in nursery and daycare settings; medical devices, such as wireless heart monitors or insulin dispensers; thermostats; wearables, such as fitness devices; modules which activate or deactivate lights; smart appliances, such as smart refrigerators and TVs; office equipment, such as printers; entertainment devices to control music or television from a mobile device; and fuel monitoring systems, just to name a few. As organizations and vendors rush to create a totally connected society, they are typically faced with two daunting questions.
The first: how to develop products quickly enough to gain a time-to-market advantage, with the markets and applicable regulators dictating requirements and thus the level of investment vendors make in product security. The second: how to embed security throughout the lifecycle of IoT product development, since this results in higher costs and slower time to market, albeit clearly adding value in the short, medium and long term. Both are tough questions, but unless cyber-security is considered in every phase of IoT development, including requirement setting, product design and development, as well as deployment, the problems companies have encountered with embedded systems in the past will seem like child’s play.
A word of warning from the FBI
A public service announcement by the Federal Bureau of Investigation released last September details a number of specific IoT risks, and it warns companies and the general public to be aware of new vulnerabilities that cybercriminals could exploit. Specifically, the FBI worries that exploiting the Universal Plug and Play protocol (UPnP) widely used in many modern IoT devices will be a pathway of choice for many cybercriminals. UPnP is a set of networking protocols that permits networked devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. Unfortunately, UPnP was originally intended only for residential networks and not for enterprise-class devices.
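The UPnP discovery traffic the FBI announcement refers to is easy to recognise on the wire: devices announce themselves with SSDP messages in an HTTP-like header format. The following script is an added example for this article, not code from the FBI or any vendor quoted here. It parses a few constructed SSDP datagrams (the addresses, UUIDs and server strings are made up; the service URNs are the standard UPnP ones) and builds an inventory that lists Internet Gateway Device port-mapping services first, since those let any host on the LAN open inbound mappings without authentication. An operator can run the same parser over captured multicast traffic to find UPnP-capable devices that should be disabled or segmented.

```python
"""Inventory UPnP (SSDP) advertisements on a network segment.

Added example for this article; not the FBI's or any vendor's code.
Parses SSDP NOTIFY and M-SEARCH-response datagrams and flags devices
that advertise services an enterprise network normally should not expose.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard UPnP URNs. The WAN*Connection services belong to Internet Gateway
# Devices and expose AddPortMapping, which opens inbound ports on the router.
HIGH_RISK_TYPES = {
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
}


@dataclass
class SsdpAdvert:
    src: str          # source IP of the datagram
    kind: str         # "NOTIFY" or "M-SEARCH response"
    nt: str           # advertised device or service type (NT or ST header)
    usn: str          # unique service name, used to de-duplicate
    location: str     # URL of the device description XML
    server: str       # SERVER header, useful for identifying firmware
    high_risk: bool = False


def parse_ssdp(src: str, raw: str) -> Optional[SsdpAdvert]:
    """Parse one SSDP datagram; return None unless it is an advertisement."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    start = lines[0].strip()
    if start.startswith("NOTIFY"):
        kind = "NOTIFY"
    elif start.startswith("HTTP/1.1 200"):
        kind = "M-SEARCH response"
    else:
        return None  # M-SEARCH requests come from clients, not devices
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)  # split on the first colon only
        headers[name.strip().upper()] = value.strip()
    nt = headers.get("NT") or headers.get("ST", "")
    adv = SsdpAdvert(src=src, kind=kind, nt=nt,
                     usn=headers.get("USN", ""),
                     location=headers.get("LOCATION", ""),
                     server=headers.get("SERVER", ""))
    adv.high_risk = nt in HIGH_RISK_TYPES
    return adv


def upnp_inventory(datagrams: List[Tuple[str, str]]) -> List[SsdpAdvert]:
    """One entry per unique USN, high-risk advertisements first."""
    seen = {}
    for src, raw in datagrams:
        adv = parse_ssdp(src, raw)
        if adv and adv.usn not in seen:
            seen[adv.usn] = adv
    return sorted(seen.values(), key=lambda a: (not a.high_risk, a.src))


# Constructed sample traffic: a gateway advertising port-mapping control,
# a TV answering a search, and a client search request (ignored).
SAMPLE = [
    ("192.0.2.1", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "NT: urn:schemas-upnp-org:service:WANIPConnection:1\r\nNTS: ssdp:alive\r\n"
     "USN: uuid:11111111-2222-3333-4444-555555555555::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
     "LOCATION: http://192.0.2.1:1900/igd.xml\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/2.0\r\n\r\n"),
    ("192.0.2.50", "HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "USN: uuid:aaaa-bbbb::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "LOCATION: http://192.0.2.50:49152/description.xml\r\nSERVER: Linux/4.4 UPnP/1.0 ExampleTV/1.0\r\n\r\n"),
    ("192.0.2.77", "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"),
]

if __name__ == "__main__":
    for adv in upnp_inventory(SAMPLE):
        flag = "HIGH RISK" if adv.high_risk else "info"
        print(f"[{flag}] {adv.src} {adv.nt} via {adv.kind} ({adv.server})")
```

The inventory is keyed on the USN rather than the source address because one device announces each of its services separately; the SERVER header is kept because it usually names the UPnP stack and firmware version, which is what a patch or segmentation decision needs.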
Intelligence services will use the IoT to gain access to networks
James R. Clapper
Director of US National Intelligence
Other scenarios the Feds worry about are the possibility of compromising IoT devices to cause physical harm, overloading them and thus rendering them inoperable, and intercepting and interfering with business transactions.
On the other hand, security leaks could be used by intelligence services to gain access to areas of interest. James R. Clapper, Director of US National Intelligence, made a corresponding statement in the report “Worldwide Threat Assessment of the US Intelligence Community”, published in February 2016: “Smart devices incorporated into the electric grid, vehicles – including autonomous vehicles – and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
In July 2015 Gartner published the fourth edition of the IoT Hype Cycle. IoT has the potential to transform industries and the way we live and work. This Hype Cycle helps enterprises assess the levels of risk, maturity and hype that are associated with a transformative trend.
IoT device manufacturers fail to implement basic security standards
James Lyne, Global Head of Security Research, Sophos
Predicting security for IoT
Digital security is defined as a combination of current cybersecurity and risk practice with digital business practice to protect all digitalized assets of an organization, whether at the core of the enterprise or at its edge. It is the alignment of information security, IT security, operational technology security, IoT security and physical security to form cybersecurity solutions. An IoT business solution is a heterogeneous mix of several assets, including IoT endpoints such as sensors, devices, multi-device systems, fleets and actors, one or more IoT platforms, and various non-IoT back-end systems, all of which have to be included in an overall security solution. An IoT platform is a software suite or cloud service (IoT PaaS) that facilitates operations involving IoT endpoints, cloud and enterprise resources. When evaluating IoT platform offerings, CIOs, planners and architects should look not only for device and application software management, data aggregation, integration, transformation, storage and management, event processing, analysis and visualization, and a self-service user interface, but also for security.
To protect hardware and firmware from compromising attacks and to help deliver integrity and confidentiality of the data those systems process, it is recommended to implement embedded software and systems (ESS) security, a practice and technology designed for engineers and developers. The requirements of ESS are complex, because the devices have long field lives, are often physically accessible to attackers, and need policies and mechanisms for provisioning and patching. Cybersecurity planners and architects must gain a full understanding of these issues. Thus CIOs and CISOs must embrace new governance and planning practices that include ESS needs. Assign one or more individuals on your security team to fully understand the magnitude of how the IoT will need to be managed and controlled.
“Since 2014 we’ve seen more evidence that manufacturers of IoT devices have failed to implement basic security standards – either they haven’t learned from the long and painful history of failures of mainstream computing or, in their rush to go to market, they just don’t care,” explains James Lyne, Global Head of Security Research, Sophos, in his report “Security Threat Trends 2015”.
“Companies are constantly under attack, fuelled by the proliferation of the number and different types of devices connecting to the network. Traditional security tools lack visibility of these devices,” said Myles Bray, Vice President of EMEA Sales at ForeScout Technologies, Inc., “but ForeScout’s innovative agentless approach makes the invisible visible – including Internet of Things devices. Coupled with flexible, automated response capabilities and extensive third party integrations, ForeScout is uniquely positioned to help organizations protect and secure their network, with optimum efficacy.”
According to Mika Stahlberg, F-Secure Director of Strategic Threat Research, these security concerns are quite understandable considering the kinds of devices consumers are adopting. “After entertainment, IoT adoption is focusing on quality of life products. Products like security cameras, smart locks, and smart cars all play significant roles in physical security. So online threats will take on a real-world element as more people start using these devices, and people are right to be concerned about this.”
Planning for IoT security
Internet-connected computing capabilities related to smart building, industrial control systems and medical applications were the most commonly cited concerns after consumer products. While these types of applications do not receive much IoT hype in the press, the use of embedded computing in those devices will cause major breakage in existing IT management and IT security visibility, vulnerability assessment, configuration management and intrusion prevention processes and controls.
LSEC, an internationally renowned information security cluster and not-for-profit organization whose objective is to promote information security and the related expertise in the BeNeLux countries and Europe, wants to help understand the needs of the user community. LSEC recommends end-to-end security implementation for the Industrial Internet. The implementation must provide protected device-to-device communications, confidentiality and privacy of the data collected, and remote security management and monitoring.
Our goal must be flexible and secure end-to-end communication and collaboration
Kurt Kammerer, CEO of regify GmbH
Source: regify GmbH
At the same time, such implementations need to address both existing and new technologies, seamlessly spanning Information Technology (IT) and Operational Technology (OT) as well as subsystems and processes, without interfering with operational business processes.
The Industrial Data Space initiative, which emerged from the research project Industrial Data Space (IDS) of the German Federal Ministry of Education and Research, aims at creating a secure data space that supports enterprises of different industries and different sizes in the autonomous management of data. A total of 18 companies and organizations are among the founding members. Launched by the Fraunhofer Society, the strategic initiative aims to create a secure data room. It will enable secure exchange of data and provisioning of networked services for collaboration in value networks. Kurt Kammerer, CEO of regify GmbH, recommends the IDS approach from Fraunhofer. Where IoT data and services need to be available in and across business networks, regify offers an IDS solution (“regispace”) which protects IoT and other data against unauthorized access and enables data owners to make their data available to partners at a granular level and in an end-to-end secured process. “For companies that want to benefit from IoT/Industry 4.0, we offer a networked solution for flexible communication and collaboration,” Kurt Kammerer maintains.
Cybersecurity for medical devices
According to a new market research report, “IoT Healthcare Market by Components, Application, End-User – Global Forecast to 2020”, published by MarketsandMarkets, the global IoT in healthcare market is expected to grow from US$ 32.47 billion in 2015 to US$ 163.24 billion by 2020. Security threats to medical devices are therefore a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices and thus also endangers the people who depend on them. Just imagine what could happen if somebody tried to remotely control your pacemaker.
All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities – some we can proactively protect against.
Suzanne Schwartz, Associate Director, FDA Center for Devices and Radiological Health
In January, the U.S. Food and Drug Administration (FDA) issued draft guidance outlining important steps medical device manufacturers should take to continually address cybersecurity risks, to keep patients safe and better protect public health. In a separate chapter, “Medical Device Cybersecurity Risk”, the draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market.
“All medical devices that use software and are connected to hospital and health care organizations’ networks have vulnerabilities—some we can proactively protect against, while others require vigilant monitoring and timely remediation,” said Suzanne Schwartz, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health. She believes that “today’s draft guidance will build on the FDA’s existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market.”