At a recent security conference, a white-hat hacker injected an 830V shock into a pacemaker, simply by using a laptop at a distance of up to 15.24m. Needless to say, the “real-world impact” of such an attack could be deadly. There are claims that hackers can easily scale such attacks to multiply the fatal impact on patients with pacemakers. The latest generation of pacemakers is essentially a set of network-connected implantable Internet of Things (IoT) devices. Regardless of the industry, security vulnerabilities in any IoT device pose serious concerns.
Network connectivity exposes IoT products to new attack vectors. The infamous Distributed Denial-of-Service (DDoS) attack on Dyn's Domain Name System (DNS) servers in 2016 showed how attackers can weaponize unsecured IoT devices into IoT botnets. The cyber-physical characteristics of connected “things” further raise the bar for securing them.
A Cyber-Physical System (CPS) refers to any network-connected product that interacts directly with the physical environment. Examples of cyber-physical systems include:
Cyber-connectivity to a private or public network expands their attack surface. An attacker can connect remotely, exploit a vulnerability in a CPS, and use it as a tool to inflict significant physical damage. In 2010, the infamous Stuxnet worm infected industrial control systems and manipulated the relay of sensor feedback to the controllers, which ultimately damaged 984 uranium-enrichment centrifuges in Iranian nuclear plants. Thus, a security breach of a CPS is not just about the loss of data or reputation; it can also mean environmental damage and loss of lives, and as such carries moral, legal, and ethical consequences.
Designers can easily pinpoint the large difference in threat models between a traditional standalone system and an IoT product. An IoT product invariably operates as part of a connected ecosystem, or even a “system-of-systems,” as in the case of smart power generation utilities, which makes its security posture uniquely challenging.
In addition to the inherent security vulnerabilities of the native hardware and software in IoT endpoints, we must factor in the vulnerabilities induced by their operating environment, network connectivity, and interoperability with third-party platforms and systems.
Unlike traditional PCs, an IoT product converges computing with domain-specific operations. An industrial robot, for example, performs domain-specific functions in an industrial setting in addition to embedded computation and storage functions.
The environment in which IoT products operate imposes certain unique security challenges:
Connectivity exposes otherwise “safe” products to the fallout of cyber intrusion. In 2014, Charlie Miller and Chris Valasek remotely brought a connected vehicle travelling at full speed on the highway to a complete halt by exploiting flaws in its software. For the full report, see their paper titled Remote Exploitation of an Unaltered Passenger Vehicle.
Information security design has mostly relied on perimeter protection using firewalls and zoning. The increasing use of radio and wireless technology in IoT products renders them easy targets for remote attacks. Unencrypted data communications are also a leading cause of IoT compromises.
Any IoT solution involves multiple providers of technologies, configurations, and protocols. This leads to more complexity, uneven security compliance, and an increased attack surface. Subscription-based models increase the dependency on third-party providers for device provisioning, management, and operations, which exposes new attack vectors.
IoT security needs to go above and beyond traditional cybersecurity measures to overcome these challenges. A full-stack approach to IoT security, encompassing edge-to-cloud workflows, is essential. A 4-tier security model for IoT system design can mitigate these unique risks.
Because endpoints interact directly with the physical environment, a tamper-proof design is highly desirable. Suitable credentials, such as a non-default username/password or Public Key Infrastructure (PKI) certificates, can limit unauthorized device access and operations. A few other security design measures to consider:
Selecting a secure Real-Time Operating System (RTOS) and isolating faults with containerization can secure the endpoint at runtime.
Due to the unique challenges of IoT operations, design thinking needs to envision and deeply analyze the use case scenarios regarding:
This directly leads to developing threat models for network connectivity and gives us a sense of how to:
Wireless and RF are the predominant choices for IoT connectivity and are typically more vulnerable. However, you can mitigate the connectivity risks by:
Although compliance doesn’t equate to security, compliant design can minimize vulnerabilities. Unlike information security, IoT security involves safety, reliability, and resilience in addition to data integrity, privacy, and availability. In other words, if a breach happens, the system must be designed to transition carefully to a stable failure state with minimal impact on its surroundings. In the case of an autonomous vehicle at full speed, a failure should bring it carefully to a halt. That is why, in addition to cybersecurity standards such as the Federal Information Processing Standards (FIPS), ISO 27001, and the National Institute of Standards and Technology (NIST) SP 800 series, system design needs to interweave compliance with industry-specific regulations, e.g., the Health Insurance Portability and Accountability Act (HIPAA) and those of the Department of Transportation (DOT).
Cloud-based provisioning, device management, and data and application hosting are central to any IoT product deployment. Many IoT products run on Software as a Service (SaaS), where a third party hosts the software layer. Although system designers may or may not have direct control over the security implementation of cloud-based services, it is still essential to architect the deployment on the basis of established cloud security standards and best practices, which are clearly enumerated in the product documentation.
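As an added illustration of the fail-safe requirement described above (example code, not part of the original post): a simplified speed controller that obeys only HMAC-authenticated commands and, on a forged, tampered or missing command, degrades to a bounded deceleration instead of either obeying the command or braking abruptly. The key, the deceleration bound, the message format and the `VehicleController` class are all constructed for this example.

```python
import hashlib
import hmac
import json
from enum import Enum
from typing import Optional, Tuple

# Constructed placeholder key for the example; a real device would hold a
# provisioned per-device secret or certificate (see the endpoint tier above).
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"
MAX_DECEL_PER_TICK = 5.0  # bounds how abruptly the safe stop slows the vehicle


class State(Enum):
    NORMAL = "normal"
    SAFE_STOP = "safe_stop"  # stable failure state: controlled deceleration
    HALTED = "halted"


def sign_command(cmd: dict, key: bytes = DEVICE_KEY) -> dict:
    """Attach an HMAC-SHA256 tag over the canonical JSON of the command."""
    body = json.dumps(cmd, sort_keys=True).encode()
    return {"cmd": cmd, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_command(msg: dict, key: bytes = DEVICE_KEY) -> bool:
    """Constant-time check that the tag matches the command as received."""
    body = json.dumps(msg.get("cmd", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("tag", "")))


class VehicleController:
    def __init__(self, speed: float) -> None:
        self.speed = speed
        self.state = State.NORMAL

    def tick(self, msg: Optional[dict]) -> Tuple[State, float]:
        """One control cycle: obey an authentic command, else degrade safely."""
        if self.state is State.NORMAL:
            if msg is not None and verify_command(msg):
                target = msg.get("cmd", {}).get("target_speed", self.speed)
                self.speed = max(0.0, float(target))
                return self.state, self.speed
            # Forged, tampered or missing command: neither obey it nor slam the
            # brakes; enter the stable failure state and ignore later commands.
            self.state = State.SAFE_STOP
        if self.state is State.SAFE_STOP:
            self.speed = max(0.0, self.speed - MAX_DECEL_PER_TICK)
            if self.speed == 0.0:
                self.state = State.HALTED
        return self.state, self.speed
```

Once in SAFE_STOP the controller ignores even authentic commands until it has halted, so recovery requires an explicit, out-of-band reset rather than a command over the same channel that just failed verification.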
Connected products are the future of our industries. In an ever-evolving threat landscape, the cyber-physical characteristics of IoT add to the security challenges. Once the challenges are identified, the 4-tier approach discussed in this blog provides a methodical way to mitigate the risks.
Sravani Bhattacharjee has been a Data Communications technologist for over 20 years. She is the author of “Practical Industrial IoT Security,” the first released book on Industrial IoT security. As a technology leader at Cisco until 2014, Sravani led the architectural planning and product roadmap of several Enterprise Cloud/Datacenter solutions. As the principal of Irecamedia.com, Sravani currently collaborates with Industrial IoT innovators to drive awareness and business decisions by producing a variety of editorial and technical marketing content. Sravani has a Master's degree in Electronics Engineering. She is a member of the IEEE IoT Chapter, a writer, and a speaker.