Architectural Design Considerations for Security in IoT Solutions
A discussion of the various types of cyberattacks used against IoT devices and what development and security teams can do to mitigate any vulnerabilities.
Internet of Things (IoT) solutions are constantly evolving and security vulnerabilities are inherent. Exploitation of IoT security vulnerabilities has resulted in major IoT cyberattacks, including the Mirai Botnet attack on Dyn and the Stuxnet attack on Iranian uranium enrichment plants. Cyberattacks on IoT solutions can result in major inconveniences, economic disaster, and even bodily harm. Security best practices and enhancements can reduce the risk of cyberattacks on IoT solutions.
IoT Solution Definition
IoT solutions provide both convenience and productivity for society. IoT solutions are comprised of a large number of interconnected hardware devices sharing data. These devices consist of sensors, smart devices, actuators, and appliances. Connectivity and data transfer occur over both trusted Intranet and public Internet infrastructure.
Let's review the following IoT security threats and their associated mitigation strategies.
1. Ransomware and Malware Attack
Malware renders the operating environment unusable. A business continuity strategy that includes scheduled vulnerability scans, backups of environment filesystems, and updates to device firmware helps to mitigate the risk of such attacks.
2. DoS (Denial of Service) Attack
DoS attacks are cyberattacks that overwhelm IoT devices with huge amounts of traffic in order to render their functionality useless. Firewalls and API security play crucial roles in safeguarding against this attack.
3. IP Spoofing
Manipulation of IP packets bound for IoT solutions can lead to system compromise. User identity management as well as payload and connection security help to reduce the risk of such an attack.
4. Data and Identity Theft
Following a malware or IP spoofing attack, IoT and user data can also be stolen from the system, resulting in economic losses. Among several security measures, a key one is a modular approach to architectural design, which allows compromised modules to be shut down in order to limit the progress of the attack.
5. Man-in-the-Middle Attack
Impersonation and eavesdropping by cyber-attackers on IoT message exchanges can lead to system compromise. Multiple security measures, including cloud services security, user authentication, and identity management, can prevent such an attack from occurring.
Security Best Practices and Enhancements
The following security best practices can be incorporated into an IoT solution design to address and mitigate the risk of cyberattacks.
1. “Security By Design” Architectural Approach
Adopt a “Security By Design” approach to solution design, by addressing security in the architecture itself.
Start by identifying critical zones, connection points, and routes that require immediate isolation when a cyberattack occurs.
This leads to the design of the DMZ (demilitarized or bastion zone), which can be separated by firewalls from a trusted zone(s). During a cyber-attack, device-to-gateway connections can be blocked to prevent the spread of malware infection and inhibit attacker progress.
A modular, layered approach to architectural design allows for the separation of concerns, maintaining high availability during cyber-attacks. The following diagram shows an IoT solution architecture involving multiple layers.
2. Modular Architecture
Modularity is a design concept for assuring high availability at each part of the solution. Every module is security hardened and has a backup instance to replace it, should the primary instance be compromised.
3. Payload Security
Securing in-flight IoT data prevents malware from being injected into data payloads and prevents tampering with the IP information of those payloads. A VPN (Virtual Private Network) implementation encrypts such data while supporting its transfer over various IoT messaging protocols, like XMPP, DDS, CoAP, MQTT, and AMQP.
All client connections to message queues on the IoT gateway must be secured with TLS and must authenticate the user. Endpoint security with the activation of TLS connectivity encrypts the payload.
Edge processing is the processing of data at the network boundary, and it can reduce the volume of sensitive IoT data that is sent over the network. With less sensitive data sent, the risk of exposure during cyberattacks is reduced.
4. Cloud Services Security
IoT solutions' backends are gradually becoming cloud-based. Examples of such services include analytics, management, and logging. Such services are computing-power intensive and are also susceptible to failure due to power, network, or server outages.
Therefore, they are suitable candidates for containerization, which means hosting these services in lightweight isolated environments known as containers. A popular container platform technology, called Kubernetes, can be adopted to form a Platform as a Service (PaaS) environment, which can host a large number of container-based services.
Containers enable the backend services to be secured, as the container interface serves as an additional proxy layer on top of these services. This abstraction of services helps to hide the technical vulnerabilities that could be compromised in an attack. In addition, the container platform provides the resource and security management capabilities that restart backend services in a container format in the event of a process death, and it also provides timely notifications to administrators of the temporary service outage. The container platform serves as a central management system for all IoT solution backend services.
5. Connection Security
An IoT device gateway manages and monitors data transfers, providing a layer of abstraction, aggregation, and security. The design of an architecture must include a DMZ where the IoT device gateways reside.
Communication to IoT devices through the Internet can only be made through a proxy, like device gateways. Direct communication is not allowed for security reasons, and the gateways serve to filter and authenticate the content bound for the devices in order to prevent harmful code or malware from reaching them.
All end-to-end connections in IoT use cases should be encrypted using TLS, and all user-initiated connections have to be authenticated using multi-factor authentication.
6. API Security
The functionality of the software components that form IoT solutions can be integrated using web services.
A good example of this is Eclipse Kura, which is an open source IoT gateway platform built on Java. It exposes business operation functionality through an open-standards API (Application Programming Interface). Devices then call the web services over SOAP or REST. The APIs are publicly documented, and secured access is optional.
Implementation of authentication and authorization policies helps to secure APIs. A popular user authentication mechanism for web services (called OAuth) involves the use of security access tokens (SAML) that are obtained from a separate token issuer as part of the user login process. Each web service request made to the API must carry such a token, passed as a parameter of the HTTP operation, for the web service client to connect to the API successfully.
To handle the high volume of API calls, an API Management platform and gateway should be adopted as part of the IoT solution. This platform provides traffic analysis, filtering, throttling, and metering, as well as managing privileged user access to specific API operations. Routes between clients and the web services that provide API access can be set up and monitored in real time.
The API gateway component enforces security policies to recognize and stop DoS attacks targeting the IoT solution's API services.
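The gateway checks described above, as an added example that is not part of the original article or of Eclipse Kura: every request must carry an access token, and each authenticated client is throttled with a token bucket so a flood from one client is rejected at the gateway before it reaches the backend. The token store, limits and header format are constructed assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed token store: access token -> principal. A real gateway would
# validate tokens against the token issuer instead of a static dict.
VALID_TOKENS = {"tok-device-17": "device-17", "tok-ops-alice": "alice"}


@dataclass
class Bucket:
    """Token bucket: `capacity` burst, refilled at `rate` requests per second."""
    capacity: float
    rate: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    def __init__(self, rate: float = 5.0, burst: int = 10):
        self.rate, self.burst = rate, burst
        self.buckets: dict = {}  # principal -> Bucket

    def handle(self, headers: dict, now: Optional[float] = None) -> tuple:
        """Return (HTTP status, message) for one request to a backend API."""
        now = time.monotonic() if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing access token"
        principal = VALID_TOKENS.get(auth[len("Bearer "):])
        if principal is None:
            return 401, "invalid access token"
        # Throttle per principal so one noisy or hijacked client cannot
        # exhaust the backend (the gateway-side DoS mitigation above).
        bucket = self.buckets.setdefault(
            principal, Bucket(self.burst, self.rate, self.burst, now))
        if not bucket.take(now):
            return 429, "rate limited"
        return 200, f"forwarded to backend as {principal}"
```

The `now` parameter exists so the throttling can be exercised deterministically; in production the monotonic clock is used.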
7. Operating Environment Security
Linux should be the operating system of choice for IoT device gateways and backend services, as it is bundled with a security mechanism like SELinux. Administrators can use SELinux to set and enforce mandatory role-based access controls on system and application processes. These processes must be granted the appropriate access rights in order to manipulate objects in the operating system environment, for instance sockets, threads, and files.
SELinux enforces policies that either allow or deny the execution of application services, preventing malware from running in the environment. The configuration files for the IoT solution can be secured through Linux filesystem encryption (using the dm-crypt tool), which prevents unauthorized access. Administrators must create policies that govern the download, import, and export of code packages and software patches, in order to prevent malicious code from entering the operating environment.
Regular backups of the operating environment filesystem and their contents as part of a business continuity plan will allow for the recovery of these assets after a cyberattack.
8. IoT Device Security
IoT devices can be secured using chip-based authentication, where user credentials are stored on a chip called a Trusted Platform Module (TPM). Having credentials stored locally on a TPM safeguards against theft of user identity, which could otherwise compromise the use of IoT devices.
9. Firewall Security
Firewalls have to be set up to separate the various zones defined in the architecture. All ports in the firewalls are closed, with the exception of a small group of ports used by devices, cloud-based backend services, and gateways. Ingress and egress filtering should be activated so that only authorized traffic passes.
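The zone separation described here and in the connection security section, as an added example that is not from the original article: a default-deny policy between the device, DMZ, trusted and Internet zones, where devices are reachable only through the gateway in the DMZ, and a zone can be isolated during an incident. Zone names and the open ports are constructed assumptions.

```python
from dataclasses import dataclass

# Zones of the layout above: field devices, the DMZ holding the device
# gateways, the trusted backend, and the public Internet. Names are constructed.
ZONES = {"devices", "dmz", "trusted", "internet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


# Allow-list of the small group of ports that stay open; every other
# (zone, zone, port) combination is dropped. Port choices are assumptions.
DEFAULT_ALLOW = {
    Flow("devices", "dmz", 8883),    # MQTT over TLS from devices to the gateway
    Flow("internet", "dmz", 443),    # user and API traffic terminates at the gateway
    Flow("dmz", "trusted", 5671),    # gateway forwards to the backend over AMQP/TLS
    Flow("trusted", "dmz", 443),     # backend pushes patches and config to the gateway
}


class ZoneFirewall:
    """Default-deny ingress/egress filter between architecture zones."""

    def __init__(self, allow=DEFAULT_ALLOW):
        self.allow = set(allow)
        self.isolated = set()  # zones cut off during an incident

    def permits(self, src: str, dst: str, port: int) -> bool:
        if src not in ZONES or dst not in ZONES:
            raise ValueError(f"unknown zone in flow {src}->{dst}")
        # An isolated zone can neither send nor receive until it is restored.
        if src in self.isolated or dst in self.isolated:
            return False
        return Flow(src, dst, port) in self.allow

    def isolate(self, zone: str) -> None:
        """Block all routes to and from a zone, e.g. after a gateway compromise."""
        self.isolated.add(zone)

    def restore(self, zone: str) -> None:
        self.isolated.discard(zone)
```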
10. Password Security
All passwords used in the IoT solution must be hashed using a SHA-256 algorithm, with a salt that is at least 32 bits long. In addition, the strength of the passwords has to be checked with an algorithm that requires each password to contain a mixture of symbols and alphanumeric characters, and no keywords or names.
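The password policy and salted storage described above, as an added example that is not from the original article. It uses PBKDF2 with HMAC-SHA-256 and a 16-byte random salt, which exceeds the 32-bit minimum stated; the forbidden-word list and the 12-character minimum are constructed assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

FORBIDDEN_WORDS = {"password", "admin", "iot", "gateway", "acme"}  # constructed list
PBKDF2_ROUNDS = 200_000


def check_strength(password: str, min_len: int = 12) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    hits = sorted(w for w in FORBIDDEN_WORDS if w in password.lower())
    if hits:
        problems.append("contains forbidden word(s): " + ", ".join(hits))
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' for a policy-compliant password."""
    if check_strength(password):
        raise ValueError("password does not meet policy")
    salt = salt or os.urandom(16)  # 128-bit random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```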
11. Vulnerability Scanners and Intrusion Detection Systems (IDS)
Software vulnerability scanners that detect rootkits and other malware in IoT device firmware should be used, and regular scans should be scheduled. These scans detect any vulnerabilities due to malware infections, which can affect IoT device firmware. Custom developed software must be regularly scanned for vulnerabilities (like susceptibility to SQL injection and user session hijacking) using code assurance software.
Intrusion detection systems (IDS) should be installed to guard against unauthorized access through the various access points to the IoT solution, including hardware devices, cloud-based backend services, and administrative consoles. Upon detection of a cyber-attack, the IDS will send notifications to system administrators for intervention.
12. Logging and Auditing
Real-time monitoring and management of IoT data flows help in flagging suspicious payloads. Auditing and logging of IoT data traffic should be done in real time on the IoT gateway, devices, and container platform. Notifications of security incidents are delivered to system administrators for their intervention.
13. User Identity and Authentication
All user authentication processes should involve the use of a multi-factor authentication (MFA) tool or token, which adds an additional element of security to the login process. User access to administrative consoles and analytical dashboards that monitor the data logs of the IoT solution are best secured using MFA. SSL digital certificates should be used in the identification and authentication of users in order to mitigate the risk of Man-in-the-Middle attacks.
14. Patch Updates
Firmware vulnerabilities can exist in any IoT solution, especially when the remote device firmware update process is unsecured and open to tampering by cyber-attackers. Device firmware updates should be secured whether performed locally or remotely. The network traffic for remote updates should be encrypted using TLS, and update initiation tasks have to be authenticated using MFA. Likewise, patch updates for IoT device gateways as well as backend services have to be secured.
15. Implementation Frameworks
Adoption of open source, community-supported frameworks for IoT, like Eclipse Kapua and Eclipse Kura, can help to provide the latest security support in an IoT solution. With bug-fixes, updates, and support provided through the open source community, any new security issue that emerges will be addressed swiftly by technology experts.
When developing custom software as part of an IoT solution, follow a DevSecOps methodology and the techniques detailed by the Open Web Application Security Project (OWASP). Such a development process will reduce the number of security vulnerabilities.
Security should be a priority for IoT architectures. Adopting a multi-layered design in the solution addresses the various types of threats described above, significantly reducing the risk of a cyberattack on the IoT solution.
Published at DZone with permission of Hong Hua. See the original article here.