IoT security: how to use the IoT securely
Practical white paper for IoT projects
KPN, 2020

The IoT, short for Internet of Things, is an umbrella term for all devices that are connected to the internet. It stands for a new world in which smart devices communicate with one another via the internet. This offers unprecedented opportunities to consumers as well as to businesses and government bodies.

One of the benefits of the IoT to businesses is real-time insight into where equipment is located, thanks to tags on the devices. Temperature sensors show when cold stores or freezers are warming up and food is about to spoil, or whether medicines are being kept at the right temperature. Sensors can also measure how full containers or silos are, or what the water level is.

The operational value of the IoT is often found in small improvements in efficiency: a process costs a little less time than before thanks to sensors, or needs less manpower. An IoT project can also lead to an innovative product, such as a smart consumer device that did not previously exist, or to a better customer relationship.

At the same time, the IoT carries risks. An ever-increasing number of devices have an internet connection, so cybercriminals are also getting more opportunities to attack consumers and businesses. In principle, anything with an internet connection can be hacked, especially if no attention was paid to security when the IoT devices were developed and when the IoT solution was implemented.

Agentschap Telecom (Radiocommunications Agency Netherlands) has already sounded the alarm about the increasing number of unsafe IoT devices connected to the internet [1]. If no measures are taken, the unsecured devices could also become a danger to society.

A lot of IoT projects fail prematurely because of concerns over security and privacy, often unnecessarily. IoT security is complex, but with the right precautionary measures the availability, confidentiality and integrity of IoT data and systems can be properly secured. In this white paper we look at the security challenges of the IoT, and we give you ten tips that will allow you to derive maximum benefit from the IoT with security assured.

Consumer IoT and security

Nowadays it is a well-known quip: the S in IoT stands for security. There is no S, of course; the point is that IoT applications frequently have no security measures at all. This is the case in particular with consumer devices such as baby monitors, dolls and thermostats that can connect to the internet.

A survey carried out for Agentschap Telecom confirms this [2]. Only 5 of the 22 smart consumer devices surveyed, including IP cameras, locks and routers, were rated as 'relatively secure'. In the remaining cases the researchers found problems such as unsecured connections and default settings that give the user inadequate protection. Connected toys and baby monitors scored particularly badly.

Using poorly secured IoT devices is risky. For instance, an ethical hacker from KPN Security discovered a major leak in kids' smartwatches that allowed attackers to find out children's locations [3]; they did not even have to be in the vicinity. A few years ago 'My Friend Cayla' caused a commotion when it turned out to be simple to listen in on conversations through this talking doll.

Businesses too run a risk if they use unsecured Consumer IoT. For example, hackers gained access to the network and other corporate resources of an American casino via a poorly secured smart thermometer in an aquarium [4]. Once inside, they stole a list of major customers.

The threat does not always come from attackers. Sometimes employees unwittingly share more data with the outside world than intended. American soldiers on missions in Afghanistan and Syria, for instance, unwittingly gave away the exact location of their military base via the sports app Strava. Research by De Correspondent and Bellingcat showed that the identity and home address of high-ranking officers and intelligence operatives could easily be identified via the sports app Polar [5]. In the case of the intelligence operatives, it even turned out that state secrets were made public.

IoT and security for businesses

The assertion that security is completely absent does not hold for business IoT. Business IoT solutions mostly use specialist sensors that measure data such as the air pressure, fill level or wear of a machine and share that data with a central server via dedicated networks. These components, which together form the IoT solution, are generally more 'secure by design' and better tested for security than is the case with Consumer IoT.

Nevertheless, things sometimes go wrong with IoT applications for businesses. One example is the malfunction following a software update at the Dutch probation service, which meant that wearers of an ankle bracelet could no longer be monitored [6]. Police and other judicial bodies had to step in and take wearers of an ankle bracelet into custody as a precaution. In that case the availability of the solution and the data, also an important part of information security, left something to be desired.

In June 2019 researchers warned that certain hospital equipment for respiration and anesthesia was vulnerable to attack. Because of a software vulnerability, once such a device was connected to the hospital network, attackers could silence alarms, alter history logs and even change the composition of anesthetic gases [7].

Such incidents can be prevented only if businesses embed security in their IoT projects from the outset. That is not a straightforward task, however. Research by 451 Research shows that cybersecurity is the greatest stumbling block in an IoT project [8]. More than half of IT professionals consider security the 'principal concern' during IoT projects. For some business leaders the dangers of the IoT are so big that they do not use it at all. In other cases, IoT projects come to a halt because of concerns over security.

Why the S is missing

Making IoT devices, their connections and the collected data secure can therefore be a major challenge. There are several reasons for this. They include:

1. Lack of attention to security

The market for IoT devices is growing exponentially. The number of smart devices connected to the internet is increasing by the billion every year [9]. To benefit from the huge demand for IoT devices, and so as not to miss the boat, suppliers are putting new devices on the market as quickly as possible. While the device is being developed there is no time for security or for critical questions from security experts.

2. The security potential is (sometimes) limited

IoT devices such as sensors generally have limited capacity. Security measures such as encrypting data before storage and encrypting connections with TLS are not always possible. And even when they are possible, such measures are sometimes not taken, for example to save a sensor's battery. Another problem is that a user interface is not always available, which makes it harder to update a device.

3. IoT devices are not always immediately visible

IoT devices are by no means always safely inside the company's walls. Think of sensors that measure the water level or the atmospheric humidity somewhere in a farming area, or GPS trackers that have no fixed location. Such devices are easy prey for attackers who want to influence the measurement data.

This was the case when the weather station in Arcen was accused of cheating in the hot summer of 2018 [10]. A strategically parked truck was intended to push the temperature up further and earn the Limburg village the label 'hottest place'.

4. There are no guidelines for a secure IoT

As yet, there are no guidelines or legal requirements for secure IoT devices. In many cases it is unclear to users as well as suppliers what security standards they need to apply to IoT devices.

This is going to change. The Netherlands promotes laying down legal security standards for IoT devices in a European context. The intention is that those standards will be included in a new version of the Radio Equipment Directive (RED) [11]. Additionally, the Dutch cabinet is in favor of a CE mark for IoT devices, but that is not yet in the pipeline.

5. Users are insufficiently aware of the risks

For many users it is hard enough not to fall for the cunning tricks of hackers even without smart connected devices. Enabling employees to withstand well-known methods of attack such as phishing and malware via e-mail is a challenge in itself. The IoT makes things even more complex for users.

Sometimes it is not clear to the user that a new machine is 'connected' and provides valuable data that needs to be handled with great care. The organization uses that data to drive processes, to improve its service or as the basis for important decisions. Such data is part of the company's crown jewels, so it is important for the data to be available and untainted and to remain confidential. Users have to be fully aware of this as well.

Secure use of IoT

Although the concerns over security are justified, they are certainly no reason to disregard the IoT. With the right measures it is perfectly possible to safeguard the availability, integrity and confidentiality (AIC) of IoT data and systems. We know this 'AIC triad' (more commonly called the CIA triad) from 'traditional' IT security. The guiding principle is that security is the combination of the three components that form the triad:

1. Availability

As organizations become more dependent on the IoT, the standards set for the availability of the solution rise too. For example, do you scan the vehicle number plates of employees and visitors for entry to the car park? The smart camera system could be sabotaged, leading to inconvenience in the form of traffic congestion and angry customers.

2. Integrity

Although all three components are important, most attention in IoT security goes to the reliability of the data. Take monitoring the temperature at which medicines are kept. If that temperature is supposed to be, say, 8 degrees Celsius, you need to be completely confident that the data has not been manipulated. If the actual temperature is higher than the 8 degrees Celsius reported by the sensors, the health of patients is at risk.

3. Confidentiality

If hackers gain access to sensors that measure values such as temperature, confidentiality is not necessarily an issue. It is, however, if an unauthorized person can gain access to privacy-sensitive data or confidential business information via an internet connection. GPS sensors in bikes or cars are a case in point. They show precisely where the user of the vehicle lives and what routes he or she takes. It would be a problem if that data were made public.
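As an added example (not code from the KPN white paper), one way to get the confidence the integrity paragraph asks for is to have each sensor authenticate its readings with a key that only the sensor and the back end know, and to have the back end reject anything that does not verify. The Python below is illustrative code written for this edit: the device name "fridge-07", the key, the "device|seq|temperature" message format and the sequence-counter scheme are all assumptions constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Hypothetical per-device secret, provisioned into the sensor at manufacture and
# stored on the server. Constructed for this example; a real deployment uses a
# random key per device and keeps it out of source code.
DEVICE_KEYS: Dict[str, bytes] = {
    "fridge-07": bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
}


def canonical_bytes(device_id: str, seq: int, temperature_c: float) -> bytes:
    """Fixed field order and number format, so sensor and server authenticate
    exactly the same bytes. Differences in JSON key order or float formatting
    would otherwise produce spurious tag mismatches."""
    return f"{device_id}|{seq}|{temperature_c:.2f}".encode("ascii")


def sign_reading(device_id: str, seq: int, temperature_c: float) -> dict:
    """Sensor side: the reading plus an HMAC-SHA256 tag over it. seq is a
    counter the sensor increments for every message it sends."""
    temperature_c = round(temperature_c, 2)
    key = DEVICE_KEYS[device_id]
    tag = hmac.new(key, canonical_bytes(device_id, seq, temperature_c),
                   hashlib.sha256).hexdigest()
    return {"device": device_id, "seq": seq, "temp_c": temperature_c, "tag": tag}


class ReadingVerifier:
    """Server side: rejects readings whose tag does not verify (altered in
    transit or not produced with the device's key) and readings whose sequence
    number does not increase (an old, genuine message replayed by an attacker)."""

    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}

    def accept(self, msg: dict) -> Tuple[bool, str]:
        device = msg.get("device")
        key = DEVICE_KEYS.get(device)
        if key is None:
            return False, "unknown device"
        try:
            seq = int(msg["seq"])
            temperature_c = float(msg["temp_c"])
            tag = str(msg["tag"])
        except (KeyError, TypeError, ValueError):
            return False, "malformed message"
        expected = hmac.new(key, canonical_bytes(device, seq, temperature_c),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: an attacker must not be able to learn the
        # correct tag byte by byte from how long the server takes to reject.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag: reading altered or not from this device"
        if seq <= self.last_seq.get(device, 0):
            return False, "replayed or out-of-order reading"
        self.last_seq[device] = seq
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Walks through the scenario in the text: the fridge is really at 12 C and
    someone on the network path tries to make the server believe it is at 8 C."""
    verifier = ReadingVerifier()
    genuine = sign_reading("fridge-07", 1, 12.0)
    tampered = dict(genuine, temp_c=8.0)                        # value edited, tag left as is
    forged = {"device": "fridge-07", "seq": 2, "temp_c": 8.0,   # made up without the key
              "tag": "00" * 32}
    return {
        "genuine": verifier.accept(genuine)[0],       # True
        "tampered": verifier.accept(tampered)[0],     # False: tag no longer matches
        "replayed": verifier.accept(genuine)[0],      # False: seq 1 already seen
        "forged": verifier.accept(forged)[0],         # False: wrong tag
        "next_genuine": verifier.accept(sign_reading("fridge-07", 2, 12.5))[0],  # True
    }
```

HMAC-SHA256 is cheap enough for microcontrollers that cannot afford TLS (see reason 2 above), but it only answers the integrity question: an attacker who holds the sensor itself, or its key, can sign whatever they like, so per-device keys and protected key storage on the device are what make the tag worth anything. The sequence counter must also survive reboots, or be replaced by a server-issued nonce, otherwise a restarted sensor will be rejected as replaying.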

Ten tips for a more secure IoT

We can speak of good IoT security only if all aspects of the AIC triad have been assured. The following measures can help you to achieve this:

1. Carry out a risk analysis

This is the first step in every IoT project. Take stock of what valuable data an IoT project provides and which 'actors' would benefit from stealing, ransoming or manipulating that data, or from sabotaging devices. Those actors could be hackers that want to show what they are capable of, or competitors or government bodies that are after your trade secrets.

Then consider how likely it is that such an actor mounts a successful attack and what the impact would be on your business operations. In other words, weigh the likelihood of success against the impact. This gives you a picture of the risks you run.

2. Decide your risk appetite

Most organizations do not have the resources to tackle all the risks at once. So start with the biggest risks, i.e. preventing the attacks that have the greatest chance of succeeding and that would have a major impact on your business operations.

In some cases you may conclude that you need to accept a risk, for example because there is no budget for the mitigating measures. That choice is defensible if, say, the likelihood of an attack is very slight.

3. Select the right security measures

An IoT application is made up of several levels that you have to secure. In its IoT Reference Model Cisco defines seven: physical devices and controllers, connectivity, edge computing (IoT devices that process their own sensor data), data accumulation, data abstraction, applications that work with the data, and collaboration and processes [12].

Security measures are required at all those levels. You can determine which measures are needed by using models designed for that purpose. The Cybersecurity Framework of the American National Institute of Standards and Technology (NIST) is an example [13]. This model shows what measures are needed to repel attacks and limit the impact of incidents (see also the text box).

4. Obtain assurance

You should also expect your partners in an IoT project to do everything possible to make the implementation secure and to keep it that way. So keep asking questions.

For instance, ask the supplier of an IoT device where the software and its components come from and what the company has done to ensure that those components are secure. Do not simply take those partners at their word but ask for hard evidence. Are test reports available? Then the supplier must let you have them.

5. Insist on security by design

If an IoT project requires software to be designed from the ground up, make sure that it is secure by design. One important consideration is that the necessary security settings are activated as a matter of course, also for end users (security by default).

In this way you avoid having to add security later. An 'add-on' is always more costly, is not always feasible and is less reliable than security that was embedded at the design stage.

6. Aspire to data minimization

A frequent pitfall in IoT projects is that data is collected 'because it can be'. Sensors collect data that is not relevant to the project but that might be sensitive. You must protect that data too.

In this case, less is more. Collect data selectively and throw away data that you no longer need (privacy by design). Indeed, if an IoT project generates personal data, 'data minimization' is mandatory under the General Data Protection Regulation (GDPR) [14].

7. Manage the assets

The security of an IoT environment depends to a large extent on the management of the devices. The location and status of the assets must stay within sight at all times. For instance, is it known what maintenance the devices require, and how long the supplier will provide firmware updates? And who will install those updates?

An IoT solution that is secure from the moment it is put into use can be totally insecure a few months later, especially if firmware updates for security leaks are not installed, or not installed on time, because it is unclear who is supposed to do so, or because devices are out of sight. The threats themselves can also change, making different security measures necessary. So good management means remaining alert at all times.

8. Controlled disposal

There may be a variety of reasons for disposing of an IoT application, but do not do so in an uncontrolled manner. IoT devices are information carriers that hold a wealth of information, such as login data for the Wi-Fi network. The sensible thing is not to simply put them out with the rubbish.

And during decommissioning do not forget the IoT data held by a partner, for instance in a cloud environment for analysis. Will the partner undertake to hand over the data in full? This is something you can arrange at the start of an IoT project.

9. Foster security awareness

Fostering security awareness was referred to obliquely in point 3. It is a security measure that in the NIST Cybersecurity Framework comes under the heading 'Protect'. Nevertheless, it can do no harm to pay extra attention to this subject, outside and inside your organization. It is not inconceivable that employees still have no conception of the risks of the IoT, and when a new device is purchased do not even know that it is connected.

So when giving security awareness training you should also devote time to the risks of the IoT, especially if the target group uses your IoT solution. And test the security awareness of partners from time to time. It needs to be clear to suppliers that, for example, they must never send a firmware update unencrypted by e-mail.

10. Design an IoT security policy

Ultimately, everybody needs to be clear on what is required for the IoT to be used securely and who is responsible for what. You can lay this down in an IoT security policy, compliance with which must also be monitored.

That policy must include many of the points discussed earlier in this white paper. Who is responsible for security updates, for instance, and how are they sent to the devices? Is a user portal secured with multi-factor authentication, or is a username and password sufficient? Which data is encrypted and what type of encryption is used? These are all questions that the IoT security policy has to answer.
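Tips 7 and 10 above boil down to questions an asset register should be able to answer on demand: is the firmware current, who installs updates, how long does the supplier still support the device, and when did we last hear from it. As an added example (not part of the KPN white paper), the Python below runs those checks over a small inventory. The device names, locations, versions, dates and the 30-day and 90-day thresholds are constructed for the example; a real run would read the organization's own asset register.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Device:
    device_id: str
    location: str
    firmware: str                 # version currently running
    latest_firmware: str          # latest version the supplier has published
    support_ends: date            # last date the supplier promises security updates
    update_owner: Optional[str]   # team responsible for installing updates, if any
    last_seen: date               # last time the device reported in


def version_tuple(version: str) -> tuple:
    """'1.10.2' -> (1, 10, 2), so versions compare numerically; as strings,
    '1.10' would wrongly sort before '1.9'."""
    return tuple(int(part) for part in version.split("."))


def review_inventory(devices: List[Device], today: date,
                     stale_after_days: int = 30,
                     support_warning_days: int = 90) -> Dict[str, List[str]]:
    """Per device, the management findings the white paper asks about: outdated
    firmware, nobody responsible for updates, supplier support ending or ended,
    and devices that have dropped out of sight."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues: List[str] = []
        if version_tuple(d.firmware) < version_tuple(d.latest_firmware):
            issues.append(f"firmware {d.firmware} behind supplier's {d.latest_firmware}")
        if not d.update_owner:
            issues.append("no team responsible for installing updates")
        if d.support_ends < today:
            issues.append(f"supplier support ended {d.support_ends.isoformat()}")
        elif d.support_ends <= today + timedelta(days=support_warning_days):
            issues.append(f"supplier support ends {d.support_ends.isoformat()}")
        silent_days = (today - d.last_seen).days
        if silent_days > stale_after_days:
            issues.append(f"not seen for {silent_days} days; location "
                          f"'{d.location}' unverified")
        if issues:
            findings[d.device_id] = issues
    return findings


# Constructed inventory for this example.
SAMPLE_INVENTORY = [
    Device("gps-tracker-01", "vehicle fleet", "2.1.0", "2.1.0",
           date(2022, 1, 1), "fleet-ops", date(2020, 2, 28)),
    Device("silo-sensor-14", "farm near Venlo", "1.9.0", "1.10.2",
           date(2021, 6, 30), None, date(2020, 1, 15)),
    Device("cold-store-cam-03", "warehouse 2", "3.0.1", "3.0.1",
           date(2020, 4, 30), "facilities", date(2020, 3, 1)),
    Device("legacy-thermostat-02", "office floor 1", "0.9", "1.2",
           date(2019, 12, 31), "facilities", date(2020, 2, 29)),
]
SAMPLE_TODAY = date(2020, 3, 1)


def demo() -> Dict[str, List[str]]:
    """Runs the review over the constructed inventory."""
    return review_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for device_id, issues in demo().items():
        print(device_id)
        for issue in issues:
            print("  -", issue)
```

Run periodically, this is the kind of check that turns "remaining alert at all times" into something concrete: a device with no update owner, or one whose supplier support has lapsed, is a policy gap to close, and a device that has gone silent is a candidate for the controlled-disposal process in tip 8 rather than a forgotten piece of hardware still holding network credentials.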

NIST Cybersecurity Framework

The Cybersecurity Framework of the American National Institute of Standards and Technology (NIST) can be used as a basis for translating policy into concrete actions. This model categorizes technical, organizational and other measures into five functions:

1. Identify: this phase covers such areas as identifying important assets and security risks, raising security awareness, checking application code for vulnerabilities and collecting threat intelligence.

2. Protect: this includes measures to protect data and systems, such as identity management to prevent unauthorized access, encryption of connections and data, installing firewalls, and training courses to foster security awareness.

3. Detect: this phase covers implementing solutions such as intrusion detection and prevention systems (IDS/IPS) and Security Information & Event Management (SIEM) for monitoring network activity and applications, so that threats can be detected at an early stage.

4. Respond: this involves analyzing and reacting to signals from detection systems, following the incident response plan, isolating and mitigating incidents, and improving reactive measures on the basis of lessons learned.

5. Recover: after an incident an IoT application must be up and running again as soon as possible. Ways of achieving this include designing processes for restoring backups and organizing a disaster recovery site where work can be resumed quickly.

KPN: always an appropriate solution

Lots of things are involved in the secure use of the IoT, even more than we could describe in this white paper. KPN is happy to help you with this.

Safeguarding the confidentiality of communication has been the cornerstone of our business for more than a century. KPN provides security not only for your ICT infrastructure but also for your (privacy-sensitive) data, intellectual property, personal data and reputation. Our customers can rest assured that privacy and security are always our highest priority. Naturally that is also the case for the IoT.

KPN has a nationwide IoT network and is the largest security company in the Netherlands. KPN always offers a suitable solution for relevant risks, such as DDoS attacks and intrusions into corporate networks, as well as for the continuity of business processes. Finally, KPN is a leading player in the field of certification. With our authentication services we provide solutions for secure access to websites, equipment and processes.

Go to kpn.com/iot or kpn.com/security for more information.

Appendix

1. https://magazines.agentschaptelecom.nl/staatvandeether/2017/01/onveilige-apparatuur-risico-voor-samenleving
2. https://www.agentschaptelecom.nl/documenten/rapporten/2019/09/25/rapport-digitale-veiligheid-van-iot-apparatuur
3. https://www.kpn.com/zakelijk/blog/smartwatches-disclosing-childrens-location.htm
4. https://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html
5. https://decorrespondent.nl/8477/zo-haalden-we-binnen-2-minuten-staatsgeheimen-uit-een-fitness-app/412804469-9c16c5a3
6. https://www.rijksoverheid.nl/actueel/nieuws/2019/05/10/storing-in-elektronische-monitoring-enkelbanden
7. https://www.us-cert.gov/ics/advisories/icsma-19-190-01
8. https://451research.com/blog/1934-survey-finds-security-continues-to-be-top-priority-in-deploying-iot-projects
9. https://www.idc.com/getdoc.jsp?containerId=prUS45213219
10. https://www.metronieuws.nl/in-het-nieuws/2018/07/bedonderde-arcen-de-boel-om-de-warmste-plek-te-zijn
11. https://ec.europa.eu/info/law/better-regulation/initiatives/ares-2018-6426936_en
12. http://www.learniot.com/cisco-model
13. https://www.nist.gov/cyberframework
14. https://www.privacy-regulation.eu/nl/5.htm

Discover what the Internet of Things can mean for you. For more information, contact your KPN account manager or send an e-mail to [email protected]

AD-19163/01-2020/BRN, Version number: 1.0