Security for the Internet of Things (IoT) is critical given the potential damage hackers can cause by attacking its infrastructure or hijacking it. But enterprise IoT awareness is very poor, with many IoT products on the market having no security protocols whatsoever.
It’s a Jungle Out There
HP’s Security Research Cyber Risk Report 2015 showed that 27% of the IoT control systems in existence have been compromised or infected, which is not surprising at all considering that 80%+ of IoT devices have simple passwords, 80% of devices retain hardware debug interfaces, 70% of device communication processes are not encrypted, and over 90% of device firmware updates are not signed or verified. And what’s more, many IoT communications protocols lack security mechanisms.
The ramifications of this carelessness are growing: an Internet outage over a large swathe of the US. A simulated attack on a Tesla car. A power blackout in Ukraine. And this is just the beginning. The large-scale US Internet outage on October 21, 2016, was the worst DDoS (distributed denial-of-service) attack in its history, leading to Internet services going down over a large area of the east coast.
The attack originated from tens of millions of IP addresses – mostly IoT devices such as DVRs, IP cameras, routers, Linux servers, all infected with the Mirai virus. These devices were vulnerable because they were using standard, fixed, hardcoded passwords, along with other unsecured elements.
Three Major Challenges
IoT security faces three major challenges. The first is complexity. The more complex a system is, the more weaknesses it’s likely to have. And for an IoT deployment, weak links can be found in any one of its many communication protocols or connected devices, or in the divergent security requirements that different industries have.
The second challenge is finite computing and network resources. Certain IoT sensors and gateways are subject to cost and power consumption constraints, and often have limited computing power and storage capacities, making the running of complex security protocols difficult. Network bandwidth may be also limited, with many local networks only offering tens of kbps of shared bandwidth.
And the third challenge, as always, is human carelessness, which still plays a pivotal role in most successful cyberattacks.
Weak and Strong IoT Principles
The security requirements for IoT devices, networks, platforms/clouds, applications, and privacy compliance are much more demanding than for traditional networks. The key to IoT security lies in building device-level security and protection capabilities.
IoT devices can be roughly divided into two categories – weak and strong. The differences between the security threats for each are extensive.
Weak devices have few basic security requirements (DTLS/+, remote upgrade, password management), are defined by limited computing power and memory resources, and are used in scenarios where cost and power consumption restrictions often come into play, such as water and gas metering, smart parking, logistical tracking, wearables, and agriculture. Vulnerabilities with these devices revolve around the basics, such as weak or non-existent passwords, lack of certification, lack of upgradeability, and easy theft or counterfeiting.
Strong devices, on the other hand, are often mission-critical, and therefore have more security requirements in place, such as system hardening, PKI, TPM/TEE, virus protection, intrusion detection, and secure startup, but their robust computing power can actually be a two-way street, given that an embedded OS (such as LiteOS) can mean more doorways to attack, and those attacks having greater impact. Applications are typically Internet of Vehicles (IoV), surveillance, IoT gateway, and interactive handheld devices, and threats can involve illegal startup, illegal upgrades, plaintext storage, virus attacks, and system defects.
What are the Security Essentials?
Access and data processing with massive numbers of devices, particularly in highly concurrent scenarios, make surge attacks and their ilk a huge challenge for IoT networks and platform security. With a lot of devices and data on the network and platform side, timely detection of malicious device behaviors, such as DDoS attacks or malicious tampering, is critical, and must be followed-up with rapid threat assessment/response via warning and isolation.
With data such as user location, consumption data, and health status now common on IoT Cloud platforms, privacy compliance and data protection requirements are stringent, especially in verticals such as electricity and IoV. But the cloudification of IoT services brings greater challenges in terms of end-to-end (E2E) security operations and management, including smart security inspection and situational awareness.
Detect and isolate
To quickly detect and identify malicious behavior in massive numbers of IoT devices, and isolate them accordingly, network and IoT platforms require malicious terminal detection and isolation technologies. First, the network side needs to have surge and DDoS attack protection capabilities. Second, the network must be able to coordinate with the IoT platform to identify malicious devices using rule matching, big data analysis, machine learning, and other rapid detection algorithms for behavior traces, traffic anomalies, and packet analysis. The IoT platform also needs to be able to quickly diagnose and respond to device behavior according to the application scenario and specific situation, based on device behavior detection results. Responses might include early warnings, observations, isolation and forcing devices offline, and instructing networks to take appropriate measures.
Platform and data protection
Cloud is also an essential piece of the security puzzle. Coordinated device and cloud defense systems will enable security situation awareness, monitoring, and device upgrades on the cloud. But the requirements for cloud platforms and data protection are much higher for IoT, including for the platform’s own security, data storage, processing, transmission, and sharing functions. In addition to cloud-native security measures such as WAF, firewalls, and HIDS, data privacy protection and various other measures are required to meet specific IoT data protection requirements. For example, data lifecycle management, data API security authorization, tenant data isolation, and encrypted video data storage, plus compliance with whatever government-mandated IoT data privacy requirements are in place.
Security operations and management
O&M system tools and the acumen of O&M personnel are critical to IoT security. For the coordinated handling of layered device-pipe-cloud architecture, O&M system tools must provide E2E network visualization of security, daily assessments, O&M reports, and smart security inspection.
Security guidance for IoT O&M personnel, and standard security operating procedures for O&M operations, enables both O&M personnel and policy makers to perform service management, thus improving the entire security system, from preventative early warning, to detection and analysis during events, to dealing with them after they occur.
An Ecosystem is Essential
An IoT security ecosystem must focus on device security, but the device capabilities for many IoT verticals are very limited. Huawei OpenLabs is helping industry partners to develop them.
OpenLabs provides E2E IoT security testing and verification services for not only devices, but also networks and platforms, with security features comprising a key part of IoT partner certification. OpenLabs provides partners with tech specs and test cases for IoT device security, enabling the corresponding black box testing tool development to ensure access security for different devices.
To build a healthy and open IoT security ecosystem, Huawei has also opened its IoT network and platform security capabilities and O&M tools to carriers and vertical industry partners. With research on IoT security ecosystems and standards development just getting underway, Huawei believes that collaboration which combines the strengths of upstream and downstream manufacturers will lead to trials and experiments that drive the maturity of key technologies, solutions, testing and verification, and industrial applications in IoT security.
Huawei will also encourage industry standards organizations to develop and improve IoT security standards as quickly as possible, and regulate IoT security certification to secure the rapid development of the IoT industry.