Security is the biggest non-functional concern that you’ll encounter when building an internet-connected physical system.
It’s easy to get excited about building an IoT system that functions but if you expose your organization’s information to hackers in the process, you’ll have a big problem.
In fact, Gartner projects that IoT security spending will reach $3.1 billion in 2021. But why is security so crucial to the Internet of Things?
The Importance of IoT Security
Security affects more aspects of an IoT system than many people realize.
It impacts the design of every component and also raises privacy concerns, which should be considered separately from security concerns.
For example, you can have a secure system that can’t be hacked into, but through standard usage of the system, users may be exposing private information about themselves.
Think about your smartphone. It’s constantly tracking your location and making that information available to developers of both the phone itself and the many apps that use your location. It makes sense that you’d want to guard that data.
Common IoT Security Problems
There are many IoT security issues that you’ll want to avoid when you are setting up your system. Below are some of the most common but this list is not exhaustive.
Here’s what to look out for:
- Insecure web interfaces: Some connected hardware products come pre-installed with web-based applications that give access to data and sometimes control of devices. You’ll want to make sure that you have a strong password policy for these types of systems so that attackers won’t be able to get their hands on your private data, or worse, take control of the physical equipment.
- Lack of transport encryption: Transport encryption is just what it sounds like: encryption of your data as it makes its way from your hardware to the cloud. This is crucial to make sure that attackers cannot eavesdrop on your data during that transportation process. This is a major way connected systems are often breached.
- Privacy concerns: A common form of attack is ‘social engineering’, when an attacker convinces someone to give them their credentials. Make sure that you update your passwords regularly and control who has access to the system. Platforms that offer role-based access control are particularly useful in this context because you can give permissions to certain users and add and remove users easily.
- Insecure mobile interfaces: When accessing a system from a mobile device, it’s important that there is an automatic log-out feature. Otherwise, you can end up in a situation where a third-party has access to the system.
- Security configurability: The servers that provide internet-based systems run on top of operating systems, like those that power personal computers. These operating systems are continually being patched and upgraded for security purposes. Failure to apply these updates in a timely fashion can leave your system exposed to increased potential of attacks.
- Poor physical security: Finally, poor physical security can provide a very easy way for attackers to gain access to a physical computing system. This type of access can range from simply destroying devices, to using unnecessarily exposed ports, for example, a USB port, to connect to the device and steal data or programming it to do something else.
Examples of IoT Security Breaches
Failure to properly address security in connected systems has already had serious real-world consequences, and the number of case studies that we could list is on the rise.
- Stuxnet is a famous computer worm that targets SCADA systems. It’s believed to have ruined almost one fifth of Iran’s nuclear centrifuges in 2010. It infected over 200,000 computers and caused 1,000 machines to physically degrade.
- Systems at a German steel mill were compromised by attackers who made it impossible to shut off the blast furnace, causing significant heat damage to equipment.
- Attackers gained access to an oil rig at sea and tilted it significantly, putting it out of commission. The owners incurred significant downtime costs for repairs.
- In one of the more prominent recent security breaches, the Nissan Leaf car was compromised, enabling remote operatives to control the car’s heating system. This resulted in unexpected battery rundown, potentially leaving drivers stranded.
- One of the biggest security breaches involving connected hardware devices was the Mirai botnet attack. It infected unsecured IoT devices (mostly IP cameras and wireless routers) with a nefarious program that commanded them to take part in a coordinated attack against a core part of internet infrastructure. This brought down high-traffic websites including Twitter, GitHub, Reddit, and many others for significant periods of time.
5 Essential Focus Areas for IoT Security
Many of these attacks could have been prevented if the IoT systems in question had secured all of the following 5 focus areas.
Below are the most important areas in which security should be a key consideration when designing and building your IoT systems.
1. Device/Hardware Security
There are many attacks that can be carried out if physical access to a device or piece of hardware is acquired.
For example, systems can be taken offline, devices can be destroyed, reprogrammed, or enlisted in a botnet, and sensitive data can be stolen. This last type of attack leaves no trace but exposes you to further attacks based on the sensitivity of the data stolen.
2. Data Security
Data security is concerned with making sure that data is not transmitted from a device to the internet in its plain form but is instead encrypted. This means that even if your data is acquired by an attacker, it will be useless to them.
Additionally, multi-factor authentication should be used as an extra layer of protection for sensitive data transactions.
3. Network Security
A popular form of attack that can occur in this space is known as a ‘man in the middle’ attack. In this situation, the attacker doesn’t make their presence known. Instead, they intercept communications between two users of a system and alter those communications for their own gain. In the meantime, the original two parties think they are communicating directly.
4. Operating System Security
The remote servers that connected devices communicate with are likely running a popular operating system like Linux or Microsoft software. Due to their popularity, both of these operating systems are often targeted by attackers looking for vulnerabilities.
Patches to these operating systems are released frequently and must be applied in order for a system to remain as secure as possible at any given time. That’s why it’s extremely important to choose an IoT platform with over-the-air update capabilities so that you don’t need to remove all of your hardware from the field/
5. Server Software Security
Finally, servers run other software apart from their operating system. For example, they could be running a Linux operating system and a web server from a completely different software provider.
The same advice that applies to operating systems applies to any other piece of software running on a server. It’s crucial to apply patches regularly to minimize the risk of security exposure. Again, over-the-air update capabilities make this much easier.
How to Ensure Your IoT System is Secure
The attack surface in any software system is large, and it only gets larger when you bring physical components into the picture.
In our experience, we’ve seen that security can often be too large an area for any one organization to completely master themselves.
The good news is that you can effectively outsource certain aspects of security to the equipment manufacturers and cloud service providers that you choose. This means that you should include security as a feature that you look for when evaluating any product or service that is going to play a role in the connected system that you are building.
Because security is such a complex topic, and it’s almost impossible to guarantee that no vulnerabilities will ever emerge, it’s best to design your system so that if it does become compromised, it’s possible for you to recover without having to completely redeploy all of your physical devices.
For example, should you need to change the password on an internet-based service that a device or set of devices is connecting to, it’s best not to store that password on the devices themselves. Software platforms like Kosmos help manage credentials for situations like this and also provide over-the-air update capabilities for remotely updating the code on a fleet of devices so that you don’t have to physically touch the devices during the process of altering their behavior.
Finally, when buying MCUs that have significant market share and are used in many connected systems, make sure to change the default username and password that comes with them. It was a widespread failure to do so that led to the Mirai botnet attack mentioned earlier.
How Kosmos Keeps Your Data Secure
Our Kosmos IoT System has many of these security features built in, so that you don’t need to worry about implementing them yourself.
For example, Kosmos offers over-the-air update capabilities which makes updating your devices as easy as clicking a button. This is useful for any type of firmware updates and for password changes as well.
Additionally, Kosmos’ device-to-gateway-to-cloud architecture means that none of your equipment is ever actually connected to the internet. Even if an attacker managed to get control of one aspect of the system, there’s a gateway device in the middle that prevents them from gaining full access to the other side.
Another security feature of Kosmos, is data transport encryption. Kosmos automatically encrypts all of your data in transit from the connected sensor or device to the gateway and from the gateway to the Kosmos cloud. If an attacker targets your data at any point in the transportation process, it will be fully encrypted, preventing it from being usable for anyone who retrieves it.
Finally, Komos offers the ability for organizations to choose who can access the platform and what level of control they have over the system. Admins can add or revoke access to their Komos account and control what level of access that each user has.