IoT is multivendor, multi-nodal and distributed and therefore it is obvious prone for cyber-attacks. Experts in IoT do not deny the high possibilities of hacking and privacy breach in IoT.
Things connected over digital mesh includes mobile phones and tablets for communication with things over internet, Wi-Fi or Bluetooth to control and provide commands, extract data, audio and videos things capture and synchronize data with the cloud. Mobile phones and tablets are yet to reach appropriate security standards and are the new targets for hackers and adding IoT to it is another avenue for hackers.
IoT for personal use is considered unsafe as many individuals who will be using IoT for home automation, healthcare and personal wearable are not tech savvy and are not trained to tackle with security issues.
In industries IoT can be more vulnerable to threats as operational technology will be under attack from hackers. This will be a major concern on implementing IoT in public or private enterprise and will need stringent security solutions to take care of potential and futuristic threats.
In IoT there are ongoing efforts on bringing all things and other elements of the ecosystem under standard security policies and procedures. Also, there are ongoing researches on developing distributed IoT rather than keeping a centralized control. Centralized operations of IoT can be easy to attack and can damage complete IoT set up. However; using distributed or rather individual type of control can secure other elements even if the individual or group of elements is attacked. Emergence of IPv6 will be an added advantage for this new set of theories of making distributed IoT.
The nature of business in IoT involves variety of equipment / device types, software and other applications and platforms each comprising multivendor and multisystem in nature. Following are few key security challenges Mind Commerce have identified in developing security solutions for IoT.
This huge network of devices uses sensors of various types to read and send data to other devices or to the store. Devices attached to each other can be from different vendors with different hardware and firmware combinations and standards. That means the devices connected will be multivendor and heterogeneous in nature making it difficult for a system administrator to use proper access control and security deployments for IoT system. Also the growth of device connectivity can be a mammoth in case of good results which will need an agile and accelerated deployment of security solutions to the connected world.
Manufacturer of network is not a manufacturer of thing and manufacturer of thing is not a provider of analytics and similar can go with sensors, devices, applications, software and also for security solution providers. Therefore, one needs to consider the diversity a varied nature of IoT as a challenge in identifying and deploying appropriate security solution.
The approach security solutions providers are taking about IoT is based on bottom up technique of starting securing entire IoT cycle from physical devices to data analytics. There will be stages and efforts will be to secure each stage according to its type of operation and characteristics.
To secure elements in IoT a typical layering structure is considered which exposes each layer and its functionality and measures to curb potential and futuristic attacks at each level.
Securing device through its entire lifecycle is one of the key solutions to avoid further threats to IoT. There are various stages and steps through which a device can be secured throughout its lifecycle.
Secure booting is one of the initial steps of securing device. It is applied when the power is first introduced to device to verify authenticity and integrity of the software. It is done by using cryptographically generated digital signature. This is the foundation of securing device and building trust I first place.
Next to secure booting are access controls which help in limit the privilege of using device or provide role based access control to the users. These are built in operating system either as mandatory or role based controls. In case where any component is compromised access control makes sure that intruder will have minimal access to other systems as possible. Device-based access control mechanisms are analogous to network-based access control systems such as Microsoft Active Directory and compromised information will remain limited to those credentials assigned to the access holder. It is onus of network administrator to properly plan and execute access controls to minimal possible levels.
Device authentication mechanism can be introduced prior to its plugging into the network for receiving or transmitting data. It is especially required when devices are not monitored under human control. Authentication allows device to access a network based on credentials designed by network administrator and stored in a secured storage area.
Regular supply of software updates and patches helps device to be less vulnerable to newer threats developed by hackers. During developing updates and patches the administrators should take few cares. The devices in IoT are in thousands and are tiny to small objects and thus it is advisable to develop updates and patches that will not break or stop working of these devices for updating. Most devices have key role in mission critical functions and cannot afford to distract from the activity. Also, the updates and patching should conserve and use limited bandwidth and avoid irregular connectivity of an embedded device and absolutely eliminate the possibility to compromise device functionality.
Devices use different protocols to communicate with each other. These protocols are different from common IT protocols which vary from applications and also by vendor. This is where industry specific protocol filtering and capabilities for deep packet inspection become necessary to identify malicious pay loads hidden in non IT protocols. This is highly required for devices that are situated in remote or inaccessible places to filter the specific data destined to terminate on that device with optimal use of available limited computational resources.
IoT sensors and sensing devices are connected through various types of protocols. Securing these protocols help securing sensing devices from vulnerabilities.
Cryptographic protocol or encryption protocol is an abstract or concrete protocol applies cryptographic methods, such as sequences of cryptographic primitives to perform functions related to security.