IoT Security Takes The Centerstage In The Post-COVID-19 World
Blog: NASSCOM Official Blog
Security is a ‘state of mind’ and not an end state. It has been a popular philosophical thought, but what it eludes is the fact of investment towards security. IoT has exploded with the onset of new smart tech gadgets. Though businesses today exercise security and safety measures within their organizations, it isn’t easy to keep upgrading an organization’s infrastructure to encompass these technology updates. Reverse engineering systems have always remained the passcode for unlocking backdoors to capitalize on security vulnerabilities. The best example of such a scenario is the 2016 MIRAI botnet attack. The attack caused massive DDoS attacks on large enterprises on Atlanta’s city administration and the ATL airport. IoT still lacks immunity against ransomware attacks and many new age cyberattacks.
In a nutshell, the dictionary of attacks is ever-expanding. The inclusion of new devices within the IoT ecosystem is ever-growing. Tons of sensitive data is getting channeled through these each day. Security has thus, taken centerstage in the IoT world, specifically during these crisis times, to tighten all the loose ends of the modern state of the art infrastructure & legacy technologies.
‘Security to the core’ has become a must in IoT due to the increased attack surface vectors like web interfaces, crypto methods, outdated firmware, intercepting unencrypted comms, and quite common clear text passwords. Hence it is mandated to embed security throughout the IoT supply chain. The landscape of attacks has widened significantly across both hardware and software. Software attack follows the usual protocol of getting access to firmware and analyzing it with few attacker tools. Hardware attacks span mainly into non-invasive attacks, which provide no chip access but only have external signals to intercept semi-invasive attacks, which provide limited access to the hardware and fully invasive attacks with full access to hardware. Mostly practiced non-invasive attacks are hardware fuzzing, timing attacks, hardware glitching, and power analysis aimed towards crashing the device. Semi-invasive attacks involve light emission analysis, which provides a photonic image of the chipset PCB, while fully invasive raids are conducted by linear code extraction.
Industry reports predict the mixed impacts of COVID-19 on the IoT market. From the technology perspective, enterprises are looking at CAPEX reduction over the short term and automating processes to make supply chain and manufacturing more flexible over the long term. Specific IoT applications like remote asset tracking, drones, healthcare, smart cities with easy to install IoT solutions will have an uptake over the coming weeks. The challenge will be from the demand side than the supply side over the coming few months across below market areas.
From the industrial IoT side, APAC is expected to lead the push for industrial automation, specifically affected countries like China, Japan & South Korea, while EMEA & Americas will be progressing gradually. Business models will be shifted from selling hardware to selling services, and so will be for IoT and security markets. Industry experts suggest the adoption of an outcome-based business model along with free access to services with proof-of-concept based projects can yield better returns over the long run. Current challenges in IIoT implementation are lack of employee skills & knowledge, legacy equipment & infrastructure & ability to collect & derive results from operational data. Healthcare and telehealth markets are looking at a reduced cost of in-person visits and increased adoption of new tools for detecting temperature and social distancing. The entire supply chain is looking to gain insights from inventory and customer demand data exploring new technology options like Blockchain. The focus on security has increased multi-fold, emphasizing the need for safety across hospitals & connected medical devices based on issues like device upgrade and unsecured legacy infrastructure. Both corporate and home networks have collided, giving a push for expansion of remote working environments with secured network connections for desktops, VPNs, and industrial control systems as both industrial and critical infrastructure are under danger of cyberattacks. Hence there has been a push for the ‘secure by design’ principle in setting up new technology plans. Some of the real-life IIoT attacks are UART, where device usually boots into a particular console, U-Boot allows access to the bootloader shell, command injection attack downgrades device to older firmware and EEPROM reading. Few best practices exercised are a timely check of stack overflow, avoid SQL injection of webservers, update firmware over TLS with crypto-signatures, secure sensitive data with token-based identity management, harden toolchains and libraries, keep kernel and frameworks up to date, and devise threat modeling with IDS. Enterprises have been widely focusing on the different facets of IoT security throughout the supply chain right from chip manufacturing to device assembly.
- Data Security: Clear text or default passwords have always been a source of opening backdoors by a brute-force attack. Password authentication has been the key to access control over devices. However, with same or default passwords given on publication can be the initial cause of brute force attacks. Tokens can be an excellent alternative to sharing sensitive data such as usernames and passwords over unsecured networks. Encryption on tokens can assure no communication of such private data. These tokens provide a light-weight framework that has time validity and other security attributes that can authenticate and manage keys using data encryption. JSON web tokens are popularly used as a suitable option for tokens. With new data security laws like GDPR, there is a whole new focus on securing sensitive data. Tokenization is one such method where the sensitive data, e.g., user’s SSN, is converted into a token. The authorized applications can retrieve the original data from the token.
- Cloud Security: Cloud has been a preferred business choice for flexibility across remote access, mobility, and cost-efficient control of IT systems. With this advancement, many mission-critical applications have also been migrated to the cloud, which has raised concerns on data privacy and security. Insecure APIs and data loss are the most common vulnerabilities among cloud applications. Distributed DoS attacks have emerged as a significant threat that can cause severe outages and even exposure to sensitive data. Experts suggest PKI as one of the effective ways of securing data in motion and mitigating identity theft by asymmetric encryption using digital certificates. With more devices enrolling within the IoT network, managing certificates and rotating or revoking them timely becomes a hassle.
- Application Security: The application layer is difficult to defend as it is more accessible to the external world, which makes it less immune to vulnerabilities that can trespass intrusion detection systems. Malware, DDoS attacks, and SQL injections formulate the top three application security attacks where attackers could manipulate web application input to obtain confidential information without getting sniffed by defense systems, which are classified as zero-day vulnerabilities. It demands an adaptive intelligence ML algorithm that can classify such unknown vulnerabilities and detect IP threat packet patterns.
- Device Security: IoT devices are under siege as Kaspersky confirmed more than 100mn attacks on their decoy servers popularly called as ‘Honeypots’ just in one half of the year. The prime intent of attackers is to capitalize on the weak security of IoT products and monetize on IoT botnets for stealth-like attacks, which are majorly conducted by groups of malware – Mirai using exploits, Nyadrop & Gafgyt using brute-force techniques. This makes firewalling unauthenticated devices with robust, secure, and updated network access authentication frameworks over wired and wireless interfaces. In today’s scenario, embedding the SSL layer on devices demands processing and memory power of the device along with the implementation and modification of the cipher-suites.
- Identity Access Management: Enterprises today apply user identity and access management (IAM) to safeguard their IT assets against user credential compromise and new age ransom attacks. Device provisioning and authentication is a mandate for all devices within the enterprise network. Some of the common challenges are flashing the firmware on each device with default config settings at the manufacturing level and upgrading config files from known secured servers using identifiers. This, in turn, has to pre-configured with specific certificates and depending on third-party certificate authority for authentication. Enterprises and service providers may have hundreds to thousands of gateways and thousands to millions of sensors, actuators, and other devices. The manual and time-consuming process of onboarding IoT devices pose a real-time issue of scaling deployments.
- Blockchain: Businesses are researching options to enhance the security of IoT devices with increased trust and transparency using Blockchain, as it provides a decentralized environment to the IoT ecosystem. Although the immutability feature is seen as a USP for Blockchain, many businesses are hesitant towards investing in real-life use cases. Supply chain & automotive industries are the next best fit for Blockchain beyond the financial market.
(This article was originally published here)