
IoT Security Challenges & Proposed Solutions

Abstract
IoT security is the technology area concerned with safeguarding connected
devices and networks in the Internet of Things. IoT involves adding internet
connectivity to a system of interrelated computing devices, mechanical and
digital machines, objects, animals and/or people. Each "thing" is given a
unique identifier and the ability to transfer data over a network automatically.
Connecting devices to the internet exposes them to a number of serious
vulnerabilities if they are not properly protected.
In this paper we discuss how to overcome four of the most important challenges
to IoT security:
1. Lack of encryption
2. Outdated legacy security
3. Weak default passwords
4. Keeping IoT hardware updated

1. Lack Of Encryption
The problem with devices and networks does not always lie in having no
encryption at all, but in the way encryption is applied. Following security
guidelines is a good start, but as with many security systems the devil is in
the details, and in this case being overzealous is a virtue. Let's take a closer
look:
Misconfigured IoT encryption. The added layers and the diversity of protocols in
IoT create additional points where encryption can be implemented incorrectly
(e.g. sensor to IoT device over a SCADA protocol, IoT device to IoT gateway over
LPWAN, IoT gateway to MQTT broker over TCP/IP). Because each hop typically
terminates one encrypted session and opens another, data sits in plaintext on
every intermediate node, so every hop and every node has to be configured
correctly. A single hole caused by a configuration mistake on the platform, the
network, the cloud or the device can compromise the entire stack. A small
mistake can have enormous consequences and land your company in unflattering
headlines.
Regulatory compliance alone does not protect devices. Never assume that
implementing a basic set of guidelines is enough; it is merely the beginning.
Compliance for the sake of abiding by a set of standard rules is not security.
Use those rules as a baseline and enhance them with IoT-specific security
controls that suit your deployment, so that security and encryption are
maximised on all layers and at all points.
Not keeping track of machine identity protection. Consider the scale of
managing a fleet of thousands of devices (millions are possible, but let's not
break our minds). Managing TLS certificates at IoT scale is a daunting task,
particularly if certificates are issued manually, which is why many deployments
skip device certificates altogether. Imagine the workload and the time wasted on
a process that could and should be automated. TLS provides confidentiality and
integrity for communication over a network, assuming it is implemented
correctly. Best practice is to give device certificates a lifespan of days or
even hours, so that a leaked key or certificate is useful to an attacker only
briefly. This is where automated certificate and key issuance comes in: it
removes the burden from developers and eliminates human error. It also means
the device needs a trustworthy clock and a renewal path that completes before
the current certificate expires, otherwise a fleet can lock itself out.
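The following Go program is an added example, not part of the original paper, showing the automated issuance the paragraph argues for: a small fleet CA issues a client certificate with a four-hour lifetime, a gateway verifies it at connect time, and a renewal check fires at two thirds of the lifetime. The CA name, the device name "sensor-0042", the P-256 curve and the lifetimes are assumptions for illustration; a production issuer would hold the CA key in an HSM and enrol devices through a provisioning API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// FleetCA stands in for the automated issuer the text calls for (in production
// its key would live in an HSM behind a provisioning API).
type FleetCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewDeviceKey generates a P-256 key pair. On a device only the public key
// leaves; the private key should stay inside a TPM or secure element.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewFleetCA creates a self-signed CA valid for one year from now.
func NewFleetCA(now time.Time) (*FleetCA, error) {
	key, err := NewDeviceKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Fleet Device CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ca := &FleetCA{cert: cert, key: key, pool: x509.NewCertPool()}
	ca.pool.AddCert(cert)
	return ca, nil
}

// IssueDeviceCert signs a short-lived client certificate for one device; a
// random 128-bit serial avoids collisions in an automated fleet.
func (ca *FleetCA) IssueDeviceCert(id string, pub *ecdsa.PublicKey, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: id},
		NotBefore:    now.Add(-time.Minute), // tolerate small device clock skew
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDeviceCert is what a gateway or MQTT broker runs on connect: chain to
// the fleet CA, client-auth usage, validity at time at. Once the short
// lifetime has passed, a leaked certificate fails here.
func (ca *FleetCA) VerifyDeviceCert(cert *x509.Certificate, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       ca.pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// NeedsRenewal fires at two thirds of the lifetime so a failed renewal can be
// retried before the current certificate expires.
func NeedsRenewal(cert *x509.Certificate, now time.Time) bool {
	life := cert.NotAfter.Sub(cert.NotBefore)
	return !now.Before(cert.NotBefore.Add(life * 2 / 3))
}

func main() {
	now := time.Now()
	ca, _ := NewFleetCA(now)
	dev, _ := NewDeviceKey()
	cert, _ := ca.IssueDeviceCert("sensor-0042", &dev.PublicKey, now, 4*time.Hour)
	fmt.Println(ca.VerifyDeviceCert(cert, now.Add(time.Hour)), ca.VerifyDeviceCert(cert, now.Add(5*time.Hour)), NeedsRenewal(cert, now.Add(3*time.Hour)))
}
```

Running it shows the verification that succeeds one hour after issuance failing with an expiry error at five hours, which is the whole point of short lifetimes: a certificate stolen from a device is useless once its window closes. The renewal threshold at two thirds of the lifetime is the companion safeguard, since short certificates only work if renewal is automated and starts well before expiry.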
Poor key management. Encryption keys are like passwords: storing them in plain
files on disk is not ideal. The robust way to handle this is hardware-backed key
storage such as a Trusted Platform Module (TPM) or a secure element, where the
private key is generated and used inside the chip and never exported. A TPM is a
cryptographic module that enhances platform security and privacy and is
designed to resist software compromise. Unfortunately this is still relatively
rare outside high-compliance devices, largely because of the added complexity
and the cost of the extra hardware.
Using weak, vulnerable, unknown or untested cryptographic algorithms.
Encryption relies on ciphers: complex algorithms best designed by expert
cryptographers. Some companies or developers choose to build and use their own
algorithms. This is a risky practice, particularly if the design is never
reviewed or updated. Cryptographic algorithms and protocols should undergo
rigorous peer review and audit, as happens with open-source security tools. It
is better and more secure to use the well-tested algorithms that are already
available, such as RSA, the Advanced Encryption Standard (AES) and ECDSA. These
are standardised and continuously analysed, and the recommended key sizes and
modes of operation are revised over time so that deployments keep pace with
attacks. The algorithm is only part of the choice: an authenticated mode such as
AES-GCM rejects ciphertext that has been tampered with, whereas unauthenticated
encryption silently decrypts a modified message into a different, attacker-chosen
plaintext.
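To make the contrast concrete, here is an added Go example (not from the paper) of a home-grown repeating-key XOR "cipher" of the kind the paragraph warns against, beside AES-256-GCM from the standard library, with the same one-bit corruption applied to each ciphertext. The telemetry message, the device ID used as associated data and the key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleReading is a constructed telemetry message used by the demo below.
var sampleReading = []byte(`{"temp_c":21.5,"valve":"closed"}`)

// NewKey returns a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// toyXOR is the kind of home-grown "encryption" the text warns against: a
// repeating-key XOR. Shown only as the broken baseline; never deploy it.
func toyXOR(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM. The 96-bit nonce comes from crypto/rand and
// is prepended to the ciphertext; aad (here the device ID) is authenticated
// but not encrypted, so a message cannot be replayed as another device's.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails closed: any change to nonce, ciphertext, tag
// or aad makes the tag check fail and no plaintext is returned.
func Open(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:ns], msg[ns:], aad)
}

// TamperDemo flips one bit in the ciphertext byte covering the '1' of "21.5"
// under each scheme. It returns what the XOR scheme silently decrypts to and
// the error AES-GCM returns for the same corruption.
func TamperDemo(key []byte) (xorPlain string, gcmErr error) {
	pos := bytes.IndexByte(sampleReading, '1')
	aad := []byte("sensor-0042")

	xct := toyXOR(key, sampleReading)
	xct[pos] ^= 0x08 // '1' (0x31) becomes '9' (0x39): a forged reading
	xorPlain = string(toyXOR(key, xct))

	msg, err := Seal(key, sampleReading, aad)
	if err != nil {
		return xorPlain, err
	}
	msg[12+pos] ^= 0x08 // same bit, after the 12-byte GCM nonce
	_, gcmErr = Open(key, msg, aad)
	return xorPlain, gcmErr
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	xorPlain, gcmErr := TamperDemo(key)
	fmt.Printf("XOR scheme accepted forged reading: %s\nAES-GCM rejected it: %v\n", xorPlain, gcmErr)
}
```

The XOR scheme hands back a plausible reading of 29.5 degrees with no indication that anything changed, which is exactly how an attacker on the path would forge sensor data; AES-GCM returns an authentication error and no plaintext. One caveat on the GCM side: nonces must never repeat under the same key, so with random 96-bit nonces a device should rotate its key well before it has sent on the order of 2^32 messages.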
Relying solely on cloud providers for securing your data. Securing data in the
cloud and opting for a trustworthy provider is essential, yet it is only one
piece of the security puzzle. Admittedly, the major cloud providers do a good
job of securing the data we all store with them. This does not mean that a data
leak is impossible. The cloud covers only one area of your architecture, and even
there, settings must be configured correctly by the customer. Do you really
believe that a third-party service, even AWS, takes full responsibility for your
entire stack? Will it matter when your client data is leaked?
IoT encryption is not only about securing one layer or point in the
architecture. It needs to be holistic, covering the database and customer data,
identity and access management, and of course the IoT device itself.
2. Outdated Legacy Security
Enterprises are increasingly adopting business transformation strategies in
which people, processes and technologies are aligned with the business vision
to better serve customers and increase revenue.

According to the IDG 2018 Digital Transformation whitepaper, traditional
enterprises are more hesitant to embrace business transformation than start-ups.
Indeed, 55 percent of start-ups have already adopted a digital business
strategy, compared to just 38 percent of traditional enterprises. So, what is
holding them back, and what impact does security have on business
transformation?

a) Legacy IT infrastructure

Traditional enterprises are more likely to rely on legacy infrastructure that
can be decades old and often falls outside compliance regulations, because it
is either too expensive or technologically incompatible to update or augment.
Start-ups, in comparison, can pursue improved customer experiences through
agile mobile and cloud-based applications.

The recent attacks on out-of-support router infrastructure are a clear example.
Organisations wish to sweat their assets beyond end of life and are therefore
exposed to security holes that are no longer being fixed. Protecting legacy
infrastructure against such attacks should be top of mind for companies heading
towards a business transformation.

b) The enterprise Internet of Things (IoT) threat

There is also the threat to enterprise IoT devices such as printers, cameras
and smart lighting. According to IDG, 61 percent of enterprises believe IoT will
play an increasing role in their digital business strategy. IoT devices
connected to standard PC platforms are often the foothold in attacks; Stuxnet,
for instance, spread through Windows PCs and used them to reprogram the
programmable logic controllers (PLCs) connected to them. More connected devices
added as a result of business transformation will therefore mean more
opportunity for attacks against these devices. Enterprise IoT devices should
not be exposed to the internet or placed on the same network segments as
end-user PCs. Indeed, many IoT devices run embedded Linux with the BusyBox
userland on kernels and libraries that are rarely patched, so open
vulnerabilities and security concerns are common.
c) Securing legacy systems

To protect legacy systems, companies need complete visibility into their
environment and the ability to identify and analyse open vulnerabilities. They
need to isolate vulnerable systems within the network, kept away from the
endpoints known to be the initiation point for most post-breach attacks. In
addition, companies need strict access control with privileged access
entitlements, including no direct access to or from the internet. They should
also harden these systems by removing unused services and implementing least
privilege, for example by disabling SMB (or at least SMBv1) wherever it is not
needed. Next comes security monitoring, which often involves establishing
baselines for legacy systems in order to detect suspicious events, abnormal
authentication events and unexpected configuration changes.

For some organisations, the steps above may not all be possible, for various
reasons. However, knowing what attackers want enables companies to take a
proactive defence that lures, detects and defends legacy systems. One can only
expect advanced attack methods developed by nation states to be adopted by
cybercrime in forthcoming attacks. Automated multi-stage attacks are starting
to mirror penetration-testing efforts by embedding credential-harvesting tools
and scanning for open, exploitable vulnerabilities. We also know that endpoints
are the foothold for attacks while servers are the primary targets, since that
is where most data can be breached. For these reasons, adding a deception layer
to legacy system networks is a logical way to give attackers what they are
looking for.

Deception defences include decoys and breadcrumbs, plus decoy services such as
SMB, SSH, FTP and RDP and raw TCP, UDP and ICMP traps. A deception solution can
automatically discover and map a network of legacy systems and then
automatically create decoys and services that fit the environment.

Automated deployment of these decoys also includes breadcrumbs that make the
deception layer deterministic, leading attackers to decoys and diverting them
away from legacy systems. Alerts from the deception layer come from the use of
poisoned credential data, access to decoys and services, network traps, or
traps triggered through planted breadcrumbs.

Given that some legacy systems cannot be updated, deception defences fit well
into these environments because no agents are required. An added benefit of
being agentless is that they place no risk on legacy systems, data or
processing steps, and decoys can represent desktop or server systems. Deception
defences are effectively an invisible trigger: nothing legitimate should ever
touch a decoy, so the alerts are actionable with very low false positives. The
end result is giving attackers what they want in order to lure, detect and
defend, with very little alert noise; a tier-1 security analyst can monitor and
maintain a deception layer in less than one hour per day.
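As an added example, not part of the paper or any vendor's product, the Go program below is the smallest useful decoy service: it listens on a port, answers with a plausible banner, records who connected and what they sent first, and treats every connection as an alert, which is what gives deception its low false-positive rate. The label "ssh-decoy", the banner string and the loopback address are assumptions for illustration; a real decoy would mirror the versions actually deployed nearby and forward alerts to the SIEM.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// Alert is one event from the deception layer. Because no legitimate system is
// ever configured to talk to a decoy, every Alert is worth investigating.
type Alert struct {
	When    time.Time
	Decoy   string // which decoy fired, e.g. "ssh-decoy"
	Remote  string // source address of the connection
	Preview string // first bytes the client sent, for triage
}

// Decoy is a fake network service: it accepts every connection, replies with a
// plausible banner, records what the peer sends first, and closes.
type Decoy struct {
	label  string
	banner string
	ln     net.Listener
	mu     sync.Mutex
	alerts []Alert
}

// StartDecoy listens on addr (use "127.0.0.1:0" to pick a free port) and
// serves connections in the background until Close is called.
func StartDecoy(label, addr, banner string) (*Decoy, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	d := &Decoy{label: label, banner: banner, ln: ln}
	go d.serve()
	return d, nil
}

func (d *Decoy) Addr() string { return d.ln.Addr().String() }

func (d *Decoy) Close() error { return d.ln.Close() }

func (d *Decoy) serve() {
	for {
		conn, err := d.ln.Accept()
		if err != nil {
			return // listener closed
		}
		go d.handle(conn)
	}
}

func (d *Decoy) handle(conn net.Conn) {
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(2 * time.Second)) // only the first probe
	fmt.Fprint(conn, d.banner)
	buf := make([]byte, 256)
	n, _ := conn.Read(buf) // a timeout or EOF still yields an alert
	a := Alert{
		When:    time.Now(),
		Decoy:   d.label,
		Remote:  conn.RemoteAddr().String(),
		Preview: strings.TrimSpace(string(buf[:n])),
	}
	d.mu.Lock()
	d.alerts = append(d.alerts, a)
	d.mu.Unlock()
}

// WaitForAlerts blocks until at least n alerts have been recorded or the
// timeout passes, then returns a copy of everything recorded so far.
func (d *Decoy) WaitForAlerts(n int, timeout time.Duration) []Alert {
	deadline := time.Now().Add(timeout)
	for {
		d.mu.Lock()
		got := append([]Alert(nil), d.alerts...)
		d.mu.Unlock()
		if len(got) >= n || time.Now().After(deadline) {
			return got
		}
		time.Sleep(10 * time.Millisecond)
	}
}

func main() {
	// Example banner; a real decoy mirrors the versions deployed nearby.
	d, err := StartDecoy("ssh-decoy", "127.0.0.1:0", "SSH-2.0-OpenSSH_8.9\r\n")
	if err != nil {
		panic(err)
	}
	defer d.Close()
	fmt.Println("decoy listening on", d.Addr(), "(probe it with nc, then watch)")
	for _, a := range d.WaitForAlerts(1, 30*time.Second) {
		fmt.Printf("ALERT %s from %s sent %q\n", a.Decoy, a.Remote, a.Preview)
	}
}
```

Point a port scanner or `nc` at the printed address and the program reports the source and the first bytes sent, which is enough to start triage. The reason this needs no tuning is structural rather than clever: the decoy holds nothing anyone should legitimately reach, so the baseline rate of benign connections is zero and any connection is a finding.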

d) Protecting against IoT attacks

Even when kept away from the internet and end-user systems, enterprise IoT
devices are very likely to be open to attack or compromise if they can be
reached. Here too, giving attackers what they want is an opportunity for
proactive defence that lures, detects and defends. IoT devices typically cannot
host agents for direct prevention and detection, and their communications
should be encrypted, which limits what passive inspection can see. As such,
deception defences with decoys and services that mimic IoT devices are a
logical choice.

Capture-the-flag exercises with a variety of deception decoys and breadcrumbs
also show that IoT devices are a low priority in the initial stages of
post-breach attacks. Human attackers prefer files, email and unstructured data,
while automated malware prefers applications and structured web-browser data.
In both cases, man or machine, they first seek credentials for expanded access
and lateral movement, which may eventually lead them to enterprise IoT devices.

3. Weak Default Passwords


It is important to change the passwords on your PCs, individual accounts and
mobile devices; you already know this. What you should also remember is that
it is equally important to change the passwords on your Internet of Things
devices, which frequently ship with a factory default that is printed in the
manual and shared by every unit of that model. Be diligent with these passwords
and ensure that each device has its own unique password. Use a password manager
to keep track of them, or even the traditional method of pen and paper kept
somewhere safe. Change any default password before the device goes into
service and rotate passwords whenever compromise is suspected; many
organisations also rotate on a fixed schedule, such as twice a year.
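The following Go program is an added example, not from the paper, of the fleet-wide check an administrator would run against a device inventory export: it flags devices still using a known factory default for their model, devices that share a password with another device, and passwords too short to resist guessing, and it generates a random replacement for each device that needs one. The device models, the default-credential list and the inventory records are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Device is one row of an inventory export.
type Device struct {
	ID, Model, User, Password string
}

// Finding is one audit result for one device.
type Finding struct {
	DeviceID string
	Issue    string
}

// knownDefaults lists factory credentials by model. Illustrative only; a real
// audit would load a maintained list from vendor documentation or a
// default-credential database.
var knownDefaults = map[string][]string{
	"ExampleCam-200": {"admin:admin", "admin:12345"},
	"ExampleLight-X": {"root:root"},
}

// sampleFleet is a constructed inventory with the problems the text describes.
var sampleFleet = []Device{
	{"cam-01", "ExampleCam-200", "admin", "admin"},
	{"cam-02", "ExampleCam-200", "admin", "Corridor-Cam-2019"},
	{"cam-03", "ExampleCam-200", "admin", "Corridor-Cam-2019"},
	{"light-07", "ExampleLight-X", "root", "x7#"},
	{"light-08", "ExampleLight-X", "root", "q3NfT9v0LWkSx2pB"},
}

// AuditFleet flags three things: passwords still at their factory default,
// the same password shared by more than one device, and passwords shorter
// than minLen characters.
func AuditFleet(devices []Device, minLen int) []Finding {
	var findings []Finding
	byPassword := map[string][]string{}
	for _, d := range devices {
		byPassword[d.Password] = append(byPassword[d.Password], d.ID)
		cred := d.User + ":" + d.Password
		for _, def := range knownDefaults[d.Model] {
			if cred == def {
				findings = append(findings, Finding{d.ID, "factory default credential " + def})
			}
		}
		if len(d.Password) < minLen {
			findings = append(findings, Finding{d.ID, fmt.Sprintf("password shorter than %d characters", minLen)})
		}
	}
	for _, d := range devices {
		if ids := byPassword[d.Password]; len(ids) > 1 {
			findings = append(findings, Finding{d.ID, fmt.Sprintf("password shared with %d other device(s)", len(ids)-1)})
		}
	}
	return findings
}

// NewDevicePassword returns a random URL-safe password carrying 8*nBytes bits
// of entropy, so each device can be provisioned with its own credential.
func NewDevicePassword(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	for _, f := range AuditFleet(sampleFleet, 12) {
		fmt.Printf("%-9s %s\n", f.DeviceID, f.Issue)
	}
	if p, err := NewDevicePassword(16); err == nil {
		fmt.Println("example replacement password:", p)
	}
}
```

On the constructed inventory the audit reports five findings: cam-01 for the factory default and its length, cam-02 and cam-03 for sharing a password, and light-07 for a three-character password; light-08 passes. The reuse check matters more than it looks, because a single shared password turns the compromise of one camera into the compromise of every camera on the network.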

4. Keeping IoT hardware updated

Regardless of how a company uses IoT or the cloud, data integrity is a common
challenge. With so much data coming in from multiple sources, it is hard to
separate useful, actionable information from irrelevant chatter.

It is critical to calibrate IoT sensors regularly, just as you would any other
electrical sensor, and to keep their firmware up to date, since unpatched
devices accumulate known vulnerabilities over time. Next-generation sensors are
embedded in many different devices, including panel meters, chart recorders,
current clamps and power monitors, and it is difficult to synchronise the data
flow between all this hardware without the help of a professional team.
