Hardening Security For The Internet Of Things
A Layer By Layer Security Review Approach For The Internet Of Things Solutions
Emerging technology stacks bring new business challenges. Security for IoT (Internet of Things) has become a global issue, thus attracting business executives who invest enormous funds for cybersecurity and overall security of IoT initiatives. Many large business ventures invest in education, maintenance, and prevention activities in this domain. In addition, they invest in appliances, additional applications, and ethical hackers to harden security for the IoT ecosystem in their business.
In this article, I provide perspectives from architectural and design goals of IoT security based on my experience in the field.
The security aspect of the IoT solutions needs to be considered both at the macro and micro design phases. In the macro design phase, we develop high-level designs. The key work-product to develop in this phase is a comprehensive Security Model.
During the macro phase, it is difficult to identify the detailed issues, risks and dependencies. Therefore, it is critical to have consulting security subject matter experts at the macro level.
However, during the micro design phase, the subject matter experts need to be involved in more details. For example, a secure boot for a device can be part of the micro design. In addition, security in IoT Protocols is another important aspect to consider in the micro designs.
Security threats exist at all layers, including physical, datalink, network, transport, session, and application layers. Furthermore, each layer poses its own security challenges. Therefore, we need to check known security threats for each layer in a comprehensive way.
At the Data Link layer, some common IoT security threats can be MAC (Media Access Control) Flooding, Port Stealing, DHCP (Dynamic Host Configuration Protocol) attacks and ARP (Address Resolution Protocol) Flooding in the IoT ecosystem. Some known resolutions to the Data Link Layer attacks are the use of Intrusion Detection System, using Dynamic ARP Inspection and applying Root Guard.
Network layer security for IoT includes devices and appliances such as routers, firewalls, and switches in the IoT ecosystem. Spoofing and DoS (Denial of Service) attacks are some of the most common network layer security threats. From a network security perspective, there are also several known threats for wireless devices. Some popular attacks for wireless devices can be Eavesdropping, Masquerading, Denial of Service and Message Modification.
At the Transport layer, the IoT security focus is on communication privacy and data integrity. Transport Layer Security (TLS) is a protocol providing cryptography for end-to-end communications security over networks. This protocol is commonly used for Internet communications and online transactions. TLS is an IETF standard. TLS can prevent tampering, eavesdropping and message forgery. Another transport layer protocol to mention here is SSL (Secure Sockets Layer). SSL is another cryptographic protocol that is used to provide communications security over communication networks.
IoT Application layer security threats are widespread. Some popular ones for your considerations are session hijackers, data exfiltration, zero-day vulnerabilities, CSRF (Cross-site request forgery), SQL Injections (SQLi), and XSS (Cross-Site Scripting) attacks. One of the popular solutions is the use of a WAF (Web Application Firewall). WAF is used to prevent attacks that take advantage of web application security flaws such as cross-site scripting, SQL injections, and security misconfigurations.
The layer by layer security approach may also require engaging additional subject matter experts to help. For example, the network layer security threats can be better addressed by a network architect or a network specialist. In some organisations, the role of a network architect and specialist can be combined; hence one person can take the role of the security subject matter expert.
Likewise, the application-level security concerns can be addressed to the application architects or specialists for that specific application if it is a complex application spanning multiple layers in the ecosystem. Some business organisations keep consulting application architects to support security inquires.
Life cycle management for IoT security is vital.
One of the observed key issues in IoT is limited guidance for life cycle maintenance for the effective administration of IoT devices. When the IoT devices are not maintained well, and especially security patches are not updated on a regular basis or when alerts happen, we can face ongoing security risks and issues.
To address this concern, architects need to develop a comprehensive Operational Model for the solution and include the life cycle maintenance principles and guidelines in the document. Preparation, review, and approval of the Operational Model can surface many issues that can occur when the IoT solutions are implemented.
A proactive approach to maintain healthy IoT life cycle management can help address the risks, issues, assumptions, and dependencies at an earlier phase of the solution. This approach helps address security issues related to life cycle management and has a massive impact on the solution cost-effectiveness.
Thank you for reading my perspectives.