Who is Responsible for Securing the Internet of Things?A checklist to help answer one of today's top security questions. By: Jon R. Ramsey
In the wake of the recent DDoS attack that originated from millions of compromised devices[i], securing the Internet of Things has become securing critical infrastructure.
Though the owners of the compromised devices may never even realize they were hacked, these commonplace items were used to target a single company that disrupted several high profile online services and impacted millions of people. The question many are now asking is who is responsible for making sure these devices are secure?
Securing IoT Technology Cannot Be an Afterthought (and Doesn't Rest Solely with the Vendor)
It is predicted that by 2020, there will be tens of billions of connected devices on the internet[ii] and while the potential is limitless, so is the potential for threat actors to exploit vulnerabilities associated with these rapidly advancing technologies. Poor security practices such as including weak default passwords in hardware – that can never be updated – create opportunities for cyber-criminals that will only be exacerbated with the proliferation of IoT. Securing devices while in development requires forethought, but bypassing this process has the potential to cost enterprises far more if they are breached, erode the trust of the vendors' customers, and ultimately impact the revenue of the manufacturer. To keep pace, IoT manufacturers should take responsibility for the security of their devices and organizations who put devices on their networks need to secure their environment.
Vendors should be responsible for securing their technology. The administrators of the environment the devices are deployed in should be responsible for the security of their environment. Device manufacturers should assume they are being deployed in a hostile environment and the administrators should assume that the devices themselves are hostile.
Checklist: Building Security into the Internet of Things
IoT manufacturers and enterprises introducing connected technologies into their environments should think about security from a holistic perspective, understanding what capabilities are needed before deployment, during an attack, and post-compromise.
Security Before Deployment
- Reduce the attack aperture by designing patterns that minimize trust boundaries
- Introduce strong security hygiene habits
- Isolate solutions when possible and become a trust zone in an untrusted environment
- Model the behavior of the system and understand deviations
- Allow your customer to enhance the security
- Understand the adversaries' focus and threat model
- Authenticate, Authorize, Audit – use multifactor authentication and introduce "least privilege," giving users access only to the information and resources they need
- Employ defensive programming – assume all inputs are malicious
Defense During an Engagement
- Use encryption at rest and in-flight – protect the keys
- Say *NO* to custom crypto – it's easy to do but not easy to do properly and can leave organizations with a false sense of security
- Record what took place for auditing purposes
- Be able to push updates to deployed devices in the field in a secure manner
Be Ready to Remediate Post-Compromise
- Be sure you have capabilities to get devices back to a known trusted state
- Have the means to determine the root cause of compromise and the ability to remediate
- Cultivate a method for fixing the issue in the development process before deployment
The number of connected devices at home and in the workplace is increasing exponentially, and hackers are gaining access to the physical world in ways they never have before. With the rise of ransomware, for example, it isn't only our personal computers and smartphones at risk. Thermostats, televisions, MRI machines, pacemakers – these devices and countless others are now connected to networks that have serious implications should they be compromised. As these risks continue to impact more and more people, the demand for strong security will grow. Now is the time for the industry to self-regulate by adopting strong security practices that will help businesses and individuals avoid costly and potentially dangerous compromises.
Last month at Nasdaq, I spoke with NCSA's Executive Director, Michael Kaiser, to discuss the security of connected devices. You can view the conversation here.