Addressing IoT Security Challenges From the Cloud to the Edge 

Confronting IoT security challenges requires an in-depth examination of hardware and software functionality. 
  • Written by Brian Buntz
  • 26th May 2020

Key takeaways:

  • Securing environments with IoT devices requires a comprehensive functionality assessment as well as access control measures. 
  • Addressing IoT security challenges is not possible without a mature security foundation, which many organizations still lack. 
  • As organizations build a robust security architecture, their focus can gradually shift from remediation to a more proactive stance, a theme also explored in the companion piece “Developing a Critical Infrastructure Cybersecurity Strategy.”

Despite the wide variety of cybersecurity guidelines, relatively few organizations deploying emerging technology have a mature security strategy. While cybersecurity awareness has increased, businesses with an ineffective cybersecurity posture face mounting risks. Cyberattacks themselves have become more damaging, and regulatory pressures related to security and privacy have escalated.

The Internet of Things (IoT) continues to raise the stakes, extending digital technology’s reach into the physical realm. Thanks to the interface between the digital and physical world created by IoT technologies, a cyberattack could potentially prompt various scenarios, from business disruption to industrial accidents. In addition, as IoT technology becomes more sophisticated and distributed within IT environments from the cloud to edge architectures, cybersecurity grows more complex.

The question of what to defend has also grown murkier. Decades ago, organizations using computing technology had a clear perimeter to protect. Typically, their computing and networking hardware was located in one or more buildings. Similar to how nobility erected castles in the Middle Ages, computer security professionals built a series of defenses for assets. People and processes inside a defined perimeter were largely trusted, while those outside were not.

Although the castle approach remains, its limitations have grown more apparent. One of the central IoT security challenges is its incompatibility with a perimeter-based security model focused on guarding a homogenous set of computing assets. The popularity of cloud computing and remote working poses further hurdles. The increasing risk of attacks occurring within the traditional security perimeter is another worry. As Forrester observed, the castle model tends to create a network “with a hard, crunchy outside and a soft, chewy center.” Additionally, over the past decade, a series of organizations with substantial, often multimillion-dollar, security budgets focused on perimeter-based defenses have fallen prey to attacks exposing troves of data.

Identifying What to Protect 

One of the first steps in establishing a strong security foundation is to assess your various assets and related processes. Cybercriminals targeting your organization are likely to start with that same focus.

For manufacturers incorporating IoT functionality into products, this foundational stage involves addressing potential vulnerabilities early on as well as taking steps to harden products over time. While the need to incorporate baseline security in IoT devices is clear, until recently, manufacturers had little incentive to do so. Now, a growing body of legislation and regulatory precedent has spurred manufacturers to prioritize security.

“It is creating a commercial pressure [for manufacturers] to at least have a baseline security level, or you could face legal ramifications,” said Andrew Jamieson, director of technology and security at UL. 

Similarly, organizations building IoT technology into an environment should assess the risk of each node on a network while addressing potential vulnerabilities created by new technology interfacing with legacy software and hardware.

Such an assessment isn’t possible without an accurate asset inventory, which is difficult to create as connected devices proliferate. “One of the biggest challenges is that there are so many different industry verticals and different kinds of devices,” said Zulfikar Ramzan, chief technology officer at RSA.

Possible Attack Types

  • Hijacked processor: Cryptocurrency mining
  • Unsecured data storage: Identity theft, data theft or data modification
  • Weak authentication on IoT device:
    • Distributed denial-of-service attacks that can interfere with or disable business services
    • Espionage, blackmail or intellectual property theft
    • Remote control of assets by an attacker
    • Potential breach to other networked assets as an attacker moves into a personal or corporate network after compromising an IoT device
  • Unsecured firmware:
    • “Bricking” devices, in which an attacker with firmware access could render them unusable
    • Safety or physical-security incident where an attacker with the ability to modify firmware of a connected vehicle or piece of industrial machinery could interfere with the function of devices

The goal of establishing an accurate inventory is challenging for many industrial organizations. “Because of the proliferation of IoT devices on [operational technology] networks, there’s a large discrepancy between what they think they have and what they actually have,” said Dave Weinstein, expert associate partner at McKinsey & Co. Further, in industrial and enterprise contexts many IoT devices are unmanaged. “You’ve got folks who install them on an as-needed basis,” Weinstein said.

There is also a challenge in defining normal behavior for a given connected device. “It’s one thing to know there is, for instance, an MRI machine on the network. It is another to know if it is being used for some nefarious purpose,” Ramzan said.
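
As an added illustration (not from the original article or the experts quoted), the following Python compares a declared asset inventory with passively observed network flows and reports devices that are unmanaged, inventoried but silent, or communicating outside an expected baseline. The MAC addresses, hostnames and the per-device `allowed` baseline are constructed sample data, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed sample data: what the organization believes it has.
# "allowed" is a hypothetical per-device baseline of expected destinations.
INVENTORY = {
    "00:1a:2b:00:00:01": {"type": "MRI workstation", "owner": "radiology",
                          "allowed": {("pacs.hospital.example", 104)}},
    "00:1a:2b:00:00:02": {"type": "badge reader", "owner": "facilities",
                          "allowed": {("access.hospital.example", 443)}},
    "00:1a:2b:00:00:03": {"type": "HVAC controller", "owner": "facilities",
                          "allowed": {("bms.hospital.example", 502)}},
}

# Constructed sample of passively observed flows: (MAC, destination host, port).
OBSERVED_FLOWS = [
    ("00:1A:2B:00:00:01", "pacs.hospital.example", 104),
    ("00:1a:2b:00:00:01", "pool.mining.example", 3333),
    ("00:1a:2b:00:00:02", "access.hospital.example", 443),
    ("00:1a:2b:00:00:99", "cloud.camera-vendor.example", 8883),
]


def normalize_mac(mac):
    """Lower-case and use ':' separators so the same device always matches."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, flows):
    """Compare the declared inventory with what is actually seen on the wire."""
    known = {normalize_mac(m): rec for m, rec in inventory.items()}
    seen = defaultdict(set)
    for mac, host, port in flows:
        seen[normalize_mac(mac)].add((host.lower(), port))

    # On the network but not in the inventory: unmanaged devices.
    unmanaged = sorted(set(seen) - set(known))
    # In the inventory but never observed: stale records or offline assets.
    silent = sorted(set(known) - set(seen))
    # Known devices talking to destinations outside their baseline.
    off_baseline = {}
    for mac in set(seen) & set(known):
        extra = seen[mac] - known[mac]["allowed"]
        if extra:
            off_baseline[mac] = sorted(extra)
    return {"unmanaged": unmanaged, "silent": silent,
            "off_baseline": off_baseline}


if __name__ == "__main__":
    report = reconcile(INVENTORY, OBSERVED_FLOWS)
    for category, items in report.items():
        print(category, items)
```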

Macro- to Micro-Level Risk Assessment 

Once an organization creates a comprehensive asset inventory, it can perform an in-depth analysis of its attack surface, which consists of various entry points attackers could abuse. The process is multifaceted, including analyzing how devices communicate, how they are administered, and the software and hardware they use.

This step involves documenting physical assets, IoT endpoints and related workstations and networking hardware, digital assets (including databases and cloud capabilities) and assessing who can access them. Another consideration is the communication and interaction among various components and assets. While few organizations understand their entire inventory, such knowledge can assist in identifying, prioritizing and remediating vulnerabilities.

A sample high-level network architecture illustrating cloud and edge functionality as well as potential attack vectors. Image incorporates Getty Images art.

A first step in creating a risk-based security strategy is establishing a bird’s-eye view of assets. But more challenging is quantifying the risk these assets pose. Once a baseline schematic is created, the next step is to take a closer look at the various components in the architecture and the attack surface they create. Given the broad and often malleable definition of IoT technology, “one of the first things you have to do is decide on a taxonomy of what these systems are,” Jamieson said. “And as our ability to understand security increases, we’re going to see an evolution of that taxonomy.”

Organizations can start by creating functional block diagrams for individual IoT devices that cite the software stack they use, including relevant software frameworks, third-party tools and so forth.

Relevant software considerations include security controls of the following:

    • What degree of control does the software have over assets and what type of data does it store? How could an attacker exploit those elements? 
    • Does the software have known vulnerabilities or include back doors?
    • How does the software respond to various hardware malfunctions or performance problems? 
    • What type of encryption and authentication does the software support? 
    • What kind of code review has the software received?
    • Is there a secure infrastructure for regular automatic software updates, including for firmware?
    • How secure is the authentication process? 
    • Does the software collect sensitive data? If so, are there defined procedures for protecting it?

Many IoT devices feature lightweight computing capabilities and rely on cloud-based services for some degree of their functionality. For cloud-based IoT services, organizations should ensure that off-premises software is configured correctly and that appropriate access controls are in place. Lax cloud security controls have fueled myriad data breaches in recent years. 

Conversely, secure cloud infrastructure can enable organizations to streamline security operations. Consider the benefits for IoT device makers relying on cloud functionality for their products. The centralization of cloud architecture enables manufacturer agility in terms of software updates that improve security while maintaining interoperability and functionality. “If we have a mature cloud framework interacting with IoT systems, you can use that framework to benefit new products … and currently fielded products as well,” Jamieson said.

Even as hardware costs have declined, IoT devices have matured in processing capabilities and functionality. The edge computing model, which brings computation and data storage closer to the data source, is becoming more prevalent. Because edge computing deployment is still in its initial stages, edge-specific cyberattacks remain minimal.

But IoT deployments using an edge computing architecture often deserve special security consideration. First, edge computing devices communicating with gateway devices can complicate network visibility. Second, as endpoints gain functionality, they demand more sophisticated software. “As you increase the amount of code, you increase the attack surface,” Jamieson said. Similar to the situation with the cloud, the expanding capabilities of edge computing offer pros and cons from a security perspective. On the one hand, it potentially allows attackers to run more code to survey network components, perform crypto-mining and so forth. On the other, the increase in processing capabilities enables IoT implementers to take advantage of more sophisticated security software agents.

Given the “Internet of Things” moniker, two foundational security considerations are networking and hardware. While IoT promises a dramatic increase in the types of networked devices, the basic architectural underpinning in most implementations remains broadly similar to traditional networking deployments. For that reason, traditional reference architecture models such as the Open Systems Interconnection (OSI) model and the Purdue Model of Control Hierarchy for industrial control systems can benefit IoT deployments, depending on the context. While such models can help organizations evaluate architectural hierarchy and interconnection between assets, they are no substitute for a security reference architecture.

Networking and hardware considerations relevant to cybersecurity include the following criteria:

  • What types of communication protocols and wireless authentication methods does the system use?
  • What type of network security features are supported?
  • Is end-to-end encryption supported and feasible?
  • How secure is the hardware? Do endpoints include embedded security features such as trusted platform modules or hardware security modules?
  • What threat might an attacker who is physically present pose to the hardware or networking gear (i.e., vandalism and tampering)?

The OSI model can be valuable when assessing a range of networking attacks.

An essential element is to implement the principle of least privilege, which limits access to the greatest extent possible without interfering with core processes. Organizations can also improve their maturity by embracing cryptographically protected and multi-factor authentication where feasible.

One element that can complicate a centralized approach to access control is third-party relationships with business and channel partners. A variety of vendor security assessment tools are available. Frameworks such as the Department of Defense’s recently released Cybersecurity Maturity Model Certification can also be valuable in assessing third-party cybersecurity maturity.

Putting the Pieces Together, Securely

Once organizations have addressed basic and intermediate-level cyber-hygiene issues, their focus can become more proactive: validating security controls and enhancing them over time. Organizations pursuing advanced cybersecurity maturity stand not only to reduce a vital element of business risk but also to safeguard their reputation and their potential to differentiate themselves in the marketplace.

Such maturity isn’t possible without factoring in cybersecurity from the beginning of a relevant process, whether designing a new product or rolling out a smart factory. “Organizations need to shift security earlier in the process,” said Sean Peasley, a partner at Deloitte.

While regulations such as the European Union’s General Data Protection Regulation and the California IoT Security Law are helping drive security awareness, they are less valuable to organizations with ambitions to make considerable progress in optimizing security controls. “They are a minimum set of requirements,” Jamieson said. “If you are a company that wants to market on security, the baseline is not good enough. You need to represent to your customers that you go beyond that.”
