When the technology you deploy can be hacked to kill, you’d better be sure it’s secure.
For several years, cyber security experts have been trying to highlight the growing level of threat presented by the proliferation of all manner of internet-connected devices.
Far from easing our lives, they warn, if we’re not careful, the internet of things (IoT) could end them.
Cesare Garlati, chief security strategist for the prpl Foundation, an open source consortium working on next-generation datacentre software and architectures, says: “Most of these IoT devices are connected to, or directly control, physical objects – an elevator or heating system, for example. Therefore a breach doesn’t just represent a traditional loss of data with resulting fines, but a physical attack that might involve human casualties or fatalities.”
Potential to wreak havoc
From smart thermostats to connected cameras, medical implants to industrial controllers, a succession of devices has been shown to be hackable, many with the potential to wreak economic, domestic and physical havoc (see box, IoT hacks that hit the headlines).
And there are plenty of miscreants eager to gain such power over our lives, businesses and economy – criminals hoping to hold us to ransom for financial gain, cyber terrorists bent on causing mayhem and state actors engaged in clandestine cyber warfare.
Derek McAuley, professor of digital economy at the University of Nottingham and director of the Horizon Research Institute, says the threats are not exaggerated. “The danger to life is significant, which is why the security services at home and abroad are putting so much focus on cyber defence at the moment,” he says. “As the technology is more widely deployed, cyber attacks could take out significant chunks of the economy. We used to think in terms of defending power plants, power lines and so on, but actually if hackers take control of all the smart meters within a 100-mile radius of Cambridge, for instance, it could cause as much damage as bombing a power station.“
Microsoft's IoT Security Essentials
IoT hardware manufacturers and integrators must:
- • Specify hardware to minimum requirements so a device is not capable of doing more than it needs.
- • Ensure all hardware is tamper-proof, with no internal or external USB ports, for instance.
- • Build equipment should be built around secure hardware such as Trusted Platform Module (TPM).
- • Ensure there is a secure path for firmware upgrades.
IoT solution developers must:
- • Follow secure software development methodology.
- • Ensure any open-source software you choose has an active community addressing any security issues that arise.
- • Integrate with care: check all interfaces of components for security flaws, paying particular attentions to superfluous functionality that may be available via an API layer.
IoT solution deployers must:
- • Ensure all deployed hardware is tamper-proof - particularly where left unsupervised or in public spaces.
- • Keep authentication keys safe after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.
IoT solution operators must:
- • Keep the system up to date with the latest OSs and drivers.
- • Protect against malicious activity by securing device operating systems with the latest anti-malware capabilities.
- • Audit the IoT infrastructure often for security-related issues.
- • Physically protect the infrastructure from malicious access.
- • Protect cloud authentication credentials by changing passwords frequently, and not logging on from public machines.
Yet the researchers’ warnings have not stopped a growing number of organisations from ploughing on with the IoT without effectively mitigating the risks. With promises of dramatic cost and energy savings, industrial and domestic automation, smarter cities and better health and safety, the economic and social incentives for deployment often trump security considerations.
Deep security implications
John Walker, a cyber security researcher and consultant who has worked with a diverse range of commercial and public sector organisations, including national and international law enforcement agencies, says: “We’ve rushed ahead and embraced the technology without considering the longer-term, deep security implications. Security people are often the last to find out what’s going on, when they really need to be involved from the start so that security can be embedded by design.
“Yet from what I’ve seen to date, there’s been little or no proper technical risk assessment to ensure devices, code, data and infrastructure are all sufficiently protected. As a result, insecure systems and processes are now embedded in a number of large organisations.”
But Microsoft, which is committed to supporting the secure implementation of IoT among its customers and partners, remains sanguine. Stuart Aston, its national security officer, says: “It’s really important not to over-dramatise the potential security risks, or people will dismiss IoT security as too difficult to tackle. That’s not the case. The key is understanding the risks and putting in place appropriate mitigation.“
Microsoft has put together a checklist of IoT security best practices (see box, Microsoft’s IoT security essentials). This highlights the different areas of security that must be tackled by the various organisations involved throughout the lifecycle of an IoT system: manufacturing and integration, software development, deployment and operations.
No universal standard
The problem for customers is that it’s currently difficult to ascertain whether all the hardware, software and service partners you select are doing what’s required to maintain effective security. While bodies such as the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are doing a lot of work in this area, there is still no universal, certifiable standard for IoT security. “Standards are in progress but the short answer is that if you’re implementing this today, you need to do due diligence,” says Aston.
Mike Ahmadi, global director of critical systems security at Synopsys, says: “It is critically important for anyone deploying IoT devices in any environment to require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that touch on specific, measurable criteria. Simply asking for secure devices will not cut it.
IoT hacks that hit the headlines
- 2010: Stuxnet (believed to have been created by Israeli intelligence) vibrates centrifuges in Iran nuclear plant.
- 2011: Hacker takes wireless control of insulin pumps.
- 2014: Hackers commandeer hundreds of webcams and baby monitors.
- 2015: Researchers remotely take over and crash Cherokee jeep.
- 2015: Plane flight controls hacked via in-flight entertainment system.
- 2016: Smart thermostats hacked to host ransomware.
“Users need to specify the evidence of such, and also check it internally. Don’t take the word of product suppliers. Verify and validate anything they tell you and stick to your guns. Make them provide evidence and move on to the next supplier if they will not.”
While Microsoft’s IoT security best practice guidelines represent a high-level framework, cyber security experts say IT departments must pay close attention to the technical detail. Nottingham University’s McAuley says systems should be designed so devices process as much data locally as possible. “Stop sending out raw data and think about app-specific processing on devices,” he says.
McAuley says organisations should adopt more secure network authentication using ID management systems such as Shibboleth to guarantee that people and devices logging on are who or what they say they are, rather than relying on SSID and password.
Devices should also be effectively isolated on the network, with properly configured firewall rules and network segmentation. “My angle is that all devices can be hacked eventually, so even if they need to talk to the internet, they should only be able to talk to the one or two places they absolutely have to,” says McAuley.
He also says data should be encrypted when it is stored on servers where it is not actually being processed. “Many organisations only encrypt data in transit, which is not sufficient,” he says.
The prpl Foundation’s Garlati adds: “Don’t use devices that involve a cloud component unless it’s 100% necessary.”
You should also avoid devices that ignore basic cyber hygiene, which applies to huge swathes of those currently being sold into the domestic market. “These days I’d be looking for all devices to require multi-factor authentication to change their configuration, for example” says McAuley. “In addition, no device should ship with a default username and password – you should be forced to set up secure credentials the first time you switch it on.”
And remember that while attacks on the IoT present a greater level of threat than those on traditional systems, many of the practices required to bring down the risks to a manageable level are as old as the hills. As Microsoft’s Aston points out: “With each generation of smart things, we seem to have to relearn the lessons of the past.
“A lot of IoT security best practice is no different from the best practice we’ve learned through securing PCs and mobile devices over the years. We just need to ensure it’s rigorously applied.”