DZone Research: IoT Security

To understand the current and future state of IoT, we spoke to more than a dozen IT executives active in the space. Here's what they told us when we asked, "How are IoT devices and data being secured?":

Access and Authentication

• With an application network, every IoT asset is given a defined door through an API, where distinct security requirements can be set. Rather than regarding the IoT deployment (devices, hubs, controllers) and the various systems needed to connect to it (back-end enterprise systems, provisioning, and update mechanisms, command-and-control infrastructure) as a hard-wired, monolithic system, the logic and integration to other systems are distributed outside the asset behind several APIs. This enables experts to set automated controls and enforce best practices to manage who has access to IoT-enabled systems, what data they have access to and what authentication is required, among other options. By adding this segmentation for users, an enterprise can substantially limit the number of attack vectors and privileged escalations, and create a more secure IoT ecosystem, ensuring it has the trust of its customers, employees, and stakeholders.
• When building a platform, it cannot just be for on-prem. IoT and edge clusters native security is built in with tickets authorization, authentication, all user permissions. The second level of security allows end users to assign access privileges with whitelists and blacklists. Data and wire-level encryption when data on edge node or in IoT device. Security from a database table perspective.

Encryption

• 1) Devices must have no open inbound ports – in leaving inbound ports open, you’re susceptible to malware infections, modification or theft of data, and DoS attacks. As a result, devices connected to an IoT network should only make outbound connections. Protocols like MQTT, Websockets, and HTTP 2.0 can all power this communication with no open ports.
  2) End-to-end encryption – You need not only industry-standard TLS but also enterprise-grade AES. And it needs to be end-to-end. Messages in-transit should stay encrypted the entire journey, never being unpacked in the middle of transit.
  3) Token-based Access Control – fine grain control over who and what can transmit and receive data. With millions of devices possibly connected, you need to be able to quickly grant and revoke access tokens to devices, giving you centralized control over every IoT device connected to your network. This lets you serve as a ‘traffic cop’ and you can cut off any bad actors, etc.
  4) Device status monitoring – we need to actively be able to monitor the offline/online status of a device in the field. When a device such as a home security monitor, oil field sensor, or home appliance disappears or stops sending and receiving data, the owner or monitoring system needs to know about it. An offline device could mean local tampering is taking place, or a broader issue like a power or Internet outage has occurred.
  5) User-friendly setup and upgrades – be able to send firmware updates and allow users to easily provision their product up to date.
• HTTPS, AES, and encryption. Running on a 900 MHz secure mesh network within the building. Transmits via one gateway to the cloud.
• We include encryption of data in motion and at rest to ensure that any data stored in the system will be secured.
  
• IoT security is a multifaceted issue, and consequently, we focus on a number of different areas to heighten the security of the systems that our users build. Chief amongst those areas:
  1) Device security — this is improved by advising our customers about the basic configuration of their devices, so factory defaults can’t be used as an attack vector. Additionally, we advise people about the necessity, or lack thereof, of having their devices connected directly to the internet.
  2) Transport security — we support the use of TLS for communication between devices, which ensures that data in transit is encrypted.
  3) Data security — data at rest is encrypted via AES (a form of military-grade encryption) and not co-located with the decryption keys.
  4) Credential security — we provide a mechanism that enables customers to not have to store credentials for web services and other sensitive usernames/passwords on their embedded devices so that if a device is compromised, sensitive information is not accessible on the device.
  5) System intrusion security — our platform employs a capability security model that ensures no code paths exist between user accounts. This completely isolates user data so that it is only available to each individual user. Additionally, privileges within the system cannot be escalated, meaning that creating an account gives you no possibility of greater access to the system as a whole than not creating an account.

Best Practices

• Start thinking about security from the very beginning. If you don’t think about from the beginning, you run into problems. Identify what assets are important for our business, how will they be exposed, how do we protect them? Security is not a thing, it’s built in from the lifecycle – OS, data, authentication, physical assets, gateways, hardware. And it applies to all different lifecycles.
• If you do security well, no one notices. What’s working are people thinking through doing good security analysis and end-to-end planning. Take a holistic approach to thinking about security. Provide a well thought out, open implementation, and specifications are the best way to develop secure solutions. Adoption of standards and solid well-implemented open source will help. Need to ensure they work well for what you are doing. Need a security process in place. Secure the data and ensure you are transmitting it securely. Also security between devices that control things and get control. There can be challenges with interoperability and devices talking to each other. Ensure devices are produced by the people who claim to produce it. Ensure privacy, integrity, provenance of the device. Keep the idea of ownership and privileges with the data. Data is only on-boarded by the user and not seen by others.
• Security is arguably the biggest issue facing the IoT. When we have everything from energy grids to smart appliances connected, it creates the potential for major security loopholes. Today, there is no uniformity for how IoT devices are being secured, and that is part of the problem. Security should be the responsibility of the company that owns the data, and they should have robust security protocols in place to ensure their customers’ data is safe. To help do this, developers and decision makers can help prevent attacks by ensuring all aspects of the connected system are reviewed for possible vulnerabilities.

Other

• Communication between the device and the app via Bluetooth low energy and phone to cloud servers. Industry standard best practices and protocols. Much of the data collection and aggregation goes through the phone which is secure.
• Security is important given the rules and regulations around GDPR. Compliance is critical as the penalties are severe. Customer trust is important. With IoT, we're trying to create a smart home that’s healthy and comfortable. We need to keep the data within the home secure. Trust in home security is very important.
• Varies based on the networks operating in. Don’t start the device until you change the default password. Manufacturing and industrial processes are much more paranoid and but still varies by organizations.
• Devices are inter-connected and able to exchange data to formulate and/or carry out tasks. For example, a bunch of IoT vacuum bots shares and exchanges data with each other to successfully clean the floor. If a bot goes down or offline, the rest of the bots would pick up the slack and complete the failed bot area. So, the data/communication for these devices should be protected to avoid rogue hijacks.

Here’s who we spoke to:

• Mike Donovan, V.P. of Product, Aquicore
• Adam Fingerman, CEO, ArcTouch
• Dave Schuman, Mobility Leader, Cloudera
• OJ Ngo, CTO and Co-founder, DH2i
• Nikita Ivanov, Founder and CTO, GridGain Systems
• Suzy Visvanathan, Director of Product Management, MapR
• Uri Sarid, CTO, MuleSoft
• David McCall, President, and Clarke Stevens, Chair, Data Model Tools Task Group and Vice Chair, Data Modeling Work Group, Open Connectivity Foundation
• Zach Supalla, Founder and CEO, Particle
• Stephen Blum, CTO, PubNub
• David Bericat, Global Technical Lead, Industrial IoT and Edge Computing, Red Hat
• Vaughn Shinall, Head of Product Outreach, Temboo
• Ray Wu, CEO, Wynd