The challenges of security in the IoT
The popularity and usage of Internet of Things (IoT) devices are growing significantly. Gartner forecasts that by the end of 2020, 5.8 billion devices will be in use. Reasons for the growing popularity of IoT devices include technological improvements in the field of micro-controllers and sensors & actuators that make such elements more cost-effective and efficient.
A further decisive factor in the popularity of the Internet of Things is the value the IoT can generate by improving the manufacturing process. Retrofitting machines or integrating sensors into the next generation of machines can be used to optimize production operations. Smart products enable remote monitoring and remote control.
IoT: Connecting the digital and physical worlds
The opportunities for creating new business models or optimizing existing ones are boundless, since there are countless ways of building and integrating IoT devices.
However, this heterogeneity and the sheer number of IoT devices are also the reason for one of the greatest challenges in the IoT field – security. The more pieces of software and hardware that are used, the more possible points of attack. In particular, the desire to develop IoT systems as cheaply as possible has contributed to the poor reputation of IoT devices when it comes to security.
But there’s no need for your production to come to a standstill or your business processes to suffer because of insecure IoT devices! There are endless opportunities for developing IoT devices and communicating with them.
Some of the biggest challenges in the manufacturing of secure devices are:
- The choice of one communication protocol from many
- Secure management and configuration of devices
- The development of secure hardware
- Providing software and firmware updates
These points must be taken into account during the development process without significantly increasing the costs or energy consumption of the product. Below, we will take a closer look at these challenges and potential dangers and examine some practical examples.
One risk is the use of insecure communication protocols. Some protocols date from before the widespread use of the Internet and were not designed for the secure transmission of data. Protocols developed with security features are now more widespread, but even these cannot rule out implementation errors.
One of the best known security gaps of recent years was the Heartbleed bug. It allowed the protection offered by secure connections between clients and servers to be undermined. In this case, the error lay in the code of the underlying cryptography library. The gap related to the TLS/DTLS protocol and consequently impacted the security of HTTPS, MQTT, CoAP, and other communication protocols that run on top of it.
In addition to the security gaps in the protocols and in the implementation process, problems can occur during the configuration process and generally when working with IoT devices. The use of standard passwords, weak random passwords, and obsolete software has contributed to the spread of botnets.
One of the best known botnets in recent years, the Mirai botnet, was estimated to encompass more than 600,000 IoT devices. Many of these became vulnerable to attack due to trivial security lapses and contributed to what was then the largest distributed-denial-of-service (DDoS) attack ever. In the case of a DDoS attack, a large number of different devices overload a target server and attempt to make it unreachable. The resulting losses and costs of fending off the attack were around 120,000 euros for small and medium-sized businesses and up to 2.3 million euros for major companies.
The security problems named above do not apply only to IoT devices but also to traditional software applications and services. Heartbleed was particularly prominent because the incident affected a large number of HTTPS connections between users and servers; the problems were not restricted to IoT connections.
Everyday devices such as routers, switches, and PCs can also fall victim to infections that can be misused for botnets. The big difference in the case of IoT products is that attackers can often obtain physical access to the IoT devices. This is made easier by the fact that the IoT devices are often not located in the corporate network.
Because the devices are used in the field, the hardware needs to be protected from physical attacks in addition to protecting the software from malicious attacks. The hardware must be resistant to attacks such as side-channel attacks, in which cryptographic keys or other confidential information can be read from physical side effects, for example changes in temperature or current consumption while a cryptographic algorithm is being computed.
The hardware of IoT devices differs from that of traditional Internet-enabled devices (PCs, routers, etc.) in computing power and energy consumption. Many IoT devices run on batteries with limited computing power in order to minimize power consumption and maximize service life. This limited runtime can itself be attacked in a targeted manner: driving up the power consumption from outside can take IoT networks down temporarily.
The size of the IoT networks additionally increases the complexity of a secure solution. If a single sensor is compromised, it can be used as the point of entry for attacks on the entire network or server. Because new vulnerabilities are published on a regular basis, software and firmware updates are a must. Over-the-air (OTA) updates are often the only possible solution for update provision due to the on-premise deployment and size of the IoT networks. However, OTA updates are popular targets of attack due to configuration errors or insecure code signing processes.
The development and use of an IoT device require careful handling of all components, such as device identity, hardware, software, and storage devices. Without the right tools, you can quickly lose track of the various risks. The resulting data theft, data forgery, and downtime can lead to very high costs, whether through production standstill, penalties for breaches of trust, or loss of confidence in the manufacturer.
How you benefit from security in the IoT
In a survey by Ernst & Young in 2019, 40% of the 450 German companies that responded reported specific signs of cyber attacks or data theft in the previous three years. In addition, one in four companies had proof of multiple cyber attacks or incidents of data theft. This survey shows that data theft has been a major issue since 2017.
Dealing with digital risks in the modern world
Cyber crime is an ever-present risk, and defending against it adequately requires resources and planning. This is why cyber security must already be taken into account during the design of the IoT system. A well designed architecture – supported by modern industry standards for strict authentication, appropriate data security, and provable controls – offers the protection required to reduce possible downtimes. This applies regardless of whether we’re talking about specific machines in the production hall, a smart power grid, the automation of the supply chain, or the tracking of assets. Continuous operation is decisive for many IoT applications, and particularly for Industry 4.0.
In addition, experience shows that companies that use IoT on a large scale and become victims of cyber attacks do not significantly reduce their IoT activities. Companies tend to see security problems as a controllable risk.
Controls can be implemented through:
- The identification of threats
- The evaluation of potential threats
- An assessment of the damage that can be caused by threats
- Implementing protection and defense measures
This approach to cyber security suggests that security, despite being a big problem, does not need to be an obstacle to the introduction of the IoT. Instead, in most cases, cyber security should be seen as a strategic requirement that demands the development of specific protection measures.
Consequently, an IoT system for which security was already taken into account in the original concept not only safeguards operations but can also effectively protect data, increase productivity, and avoid accidents.
What are the prerequisites for successfully handling IoT security challenges? How can we build an ecosystem that can be appropriately secured?
How security works in the IoT
Before we start discussing the details of different models and the avoidance of vulnerabilities, we should first define the terms:
- Threat: The potential for exploitation
- Vulnerability: The weakness that can be exploited
- Attack: When a vulnerability is actually exploited
- Compromise: The effects of a successful attack
A threat-based analysis for a secure IoT
To give an example from the real world: A burglar wants to steal a chainsaw from a garage. The burglar is the actor who plans the execution of an attack. In this case, the threat is the possibility of a break-in. The vulnerability might be an unlocked garage door. The attack is when the burglar breaks into the unlocked garage. The result of the garage being compromised would be the loss of the chainsaw.
As you might imagine, lots of different vulnerabilities can help an attacker to perform a successful attack. A model called an attack tree can be used to check all of the possible vulnerabilities, their potential for exploitation, and the effort that a malicious user would have to make in order to attack the system.
Attack tree model
Attack trees are not only a visual modeling method for depicting possible attacks; they are also used to perform qualitative and quantitative assessments. Their structure and benefits are easiest to explain using an example. We recommend the open source program ADTool (Attack-Defense Tree Tool) as a free starting point. Its main functions are the straightforward creation and editing of trees and the automated bottom-up analysis of security-relevant measures.
For demonstration purposes, we have modeled the following graphic with the help of the tool.
The root of the tree is at the top. It represents the objective of the attack. Normally, an attack does not result from the exploitation of one major vulnerability but from using several less critical vulnerabilities together in order to achieve an objective. The level below the root lists possible attack scenarios, each of which could achieve the higher-level objective.
The tree elements are also called nodes. Each node can consist of further elements that specify the attack in more detail. An arc drawn across the edges (the lines between the nodes) represents a logical AND operation: all of the connected child nodes are required. Child nodes without such an arc are alternatives, any one of which achieves the parent node. In our example, the AND connection is the one beneath “Physical attack” joining “Physical access” and “Knowledge of design”. This means that the physical attack scenario requires both physical access to the device and expert knowledge of the device structure (“knowledge of design”). Such a tree can be extended until every possible combination of targeted attacks has been specified.
Full attack trees quickly become extremely complex, but this structured approach allows a team to concentrate on different levels of detail and, as a result, develop a clean model that can be reused. It is recommended to keep the attack tree’s source file in your preferred version control system so that changes can be tracked and each version remains accessible later. The tree changes over time, since product updates can change the possible sources of vulnerabilities.
The addition of metrics to the attack tree enables a quantitative assessment of the various vulnerabilities. Metrics might include the estimated probability of an attack, the possible damages caused by a successful attack, and the required resources to rectify the resulting situation. Modern attack tree software can use these values to create ranking lists of critical vulnerabilities.
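As an added illustration (not code from the article or from ADTool), the following Python script performs the bottom-up analysis described above on a small attack tree: AND nodes sum their children's cost and multiply their success probabilities, OR nodes take the cheapest child and combine probabilities as independent alternatives. The tree reuses the article's "Physical attack" branch; the other branches, the metric values and the unit of "cost" are constructed assumptions.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple

@dataclass
class Node:
    """One attack tree node. Leaves carry the metrics; inner nodes combine their children."""
    name: str
    op: str = "OR"        # "OR": any child achieves the node; "AND": all children are required
    cost: float = 0.0     # leaf metric: estimated attacker effort (assumed unit: person-days)
    prob: float = 0.0     # leaf metric: estimated probability that the step succeeds
    children: List["Node"] = field(default_factory=list)

def min_cost(node: Node) -> Tuple[float, List[str]]:
    """Bottom-up 'minimal attacker cost': AND sums its children, OR takes the cheapest.
    Returns the cost and the leaves that make up the cheapest attack path."""
    if not node.children:
        return node.cost, [node.name]
    results = [min_cost(child) for child in node.children]
    if node.op == "AND":
        return sum(c for c, _ in results), [leaf for _, path in results for leaf in path]
    return min(results, key=lambda r: r[0])

def success_prob(node: Node) -> float:
    """Bottom-up success probability: AND multiplies; OR treats children as
    independent alternatives, i.e. 1 - prod(1 - p)."""
    if not node.children:
        return node.prob
    probs = [success_prob(child) for child in node.children]
    if node.op == "AND":
        return prod(probs)
    return 1.0 - prod(1.0 - p for p in probs)

def rank_scenarios(root: Node) -> List[Tuple[float, str]]:
    """Ranking list of the root's attack scenarios, cheapest (most critical) first."""
    return sorted((min_cost(child)[0], child.name) for child in root.children)

# Constructed example tree: "Physical attack" with its AND-connected children "Physical
# access" and "Knowledge of design" follows the article; the other branches and all
# metric values are made up for illustration.
ROOT = Node("Extract device secret key", children=[
    Node("Physical attack", "AND", children=[
        Node("Physical access", cost=2, prob=0.9),
        Node("Knowledge of design", cost=10, prob=0.5),
    ]),
    Node("Network attack", children=[
        Node("Default credentials", cost=1, prob=0.3),
        Node("Exploit known firmware bug", cost=5, prob=0.6),
    ]),
    Node("Tamper with OTA update", "AND", children=[
        Node("Intercept update channel", cost=4, prob=0.4),
        Node("Forge update signature", cost=50, prob=0.05),
    ]),
])
```

With these constructed values the cheapest path to the root is the single leaf "Default credentials", which is exactly the kind of ranking that tells a team which mitigation to fund first.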
To summarize, the attack tree model helps to visually model and evaluate different attack scenarios that exploit vulnerabilities. The model should be maintained and updated just like the product throughout the entire development process. As well as enabling an assessment of known security gaps, doing so enables the visualization of the interlinkage of multiple potential vulnerabilities.
During the development of a solution with multiple different components – as is often the case for the integration of IoT products – the full set of possible threats must be taken into account. A further model, the threat model, can be used for this.
Threat modeling deals with the process of assessing possible threats that might arise as a result of new software, libraries, products, or changes to the current system.
Adam Shostack created the following threat model:
- Identification of components
- Creation of architecture overview
- Data flow analysis
- Identification of threats
- Documentation of threats
- Assessment of threats
Let’s take a look at the individual steps in this model in detail:
Identification of components
The components don’t necessarily need to be physical objects; they might also be intangible goods. The first step involves answering the question of which components must be protected. Here, the difference between threat modeling and attack tree modeling can be demonstrated: An attack tree model places a hypothetical attacker and the specific exploitation of vulnerabilities in the foreground. In the case of a threat model, the focus is on the evaluation of possible threats and the protection of sensitive components. Certain video data might not have much economic value for the company itself, but it still needs to be protected in order to ensure that privacy is respected.
Creation of architecture overview
The creation of an architecture overview allows the function of the system and the interaction between the individual components to be analyzed. As mentioned at the beginning, the communication protocols of IoT devices have a special status and should not be disregarded. In this step, the hardware is also documented in detail, including, for example, the micro-controllers and processor model used.
Data flow analysis
The data flow analysis investigates the origin of the data and the involved components in detail. The objective is to examine and catalog the possible points of attack and the interfaces between the components. The focus here is on interactions between complex processes, external entities, and data stores that cross trust boundaries. This applies regardless of whether they are deployed on an on-premise or a cloud infrastructure, or whether they are located on a server or within a single application.
Identification of threats
The previous steps can be combined here and enable the identification of the threats. To guarantee a structured procedure and ensure that all possible levels are taken into account, further models are used here. Popular models and frameworks include the STRIDE model and the MITRE ATT&CK framework.
In the above example, STRIDE is used. The acronym stands for “Spoofing – Tampering – Repudiation – Information Disclosure – Denial of Service – Escalation of Privilege”. This threat classification model helps to answer the question “Which threats could this application potentially encounter in our production environment?” During brainstorming, potential threats are found by creating misuse scenarios that fall under the six STRIDE threat classifications.
Documentation of threats
This step is self-explanatory but absolutely vital in order to clearly communicate threats and make other employees aware of them.
Assessment of threats
Lastly, the threats must be assessed so that work on solutions can be prioritized. Various other models can be used here, such as Microsoft’s DREAD model, which rates each threat on the following points:
- Damage – how bad would an attack be?
- Reproducibility – how easy is it to reproduce the attack?
- Exploitability – how much work is it to launch the attack?
- Affected users – how many people will be impacted?
- Discoverability – how easy is it to discover the threat?
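To show how the last three steps of the process above (identification, documentation and assessment) fit together, here is an added Python example that is not from the article: a small threat register in which each documented threat carries its STRIDE class and the five DREAD ratings, and is ranked for prioritization. The threats, their ratings and the 1..10 rating scale are constructed assumptions for a fictitious IoT sensor fleet.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Escalation of Privilege"}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    """A documented threat: its STRIDE class plus the five DREAD ratings (assumed scale 1..10)."""
    description: str
    stride: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        """DREAD score as the mean of the five ratings, after validating the inputs."""
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE class {self.stride!r}: {self.description}")
        ratings = [getattr(self, factor) for factor in DREAD_FACTORS]
        if not all(1 <= r <= 10 for r in ratings):
            raise ValueError(f"DREAD ratings must be 1..10: {self.description}")
        return mean(ratings)

def prioritize(threats: List[Threat]) -> List[Threat]:
    """Threat register sorted for work prioritization: highest DREAD score first."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)

# Constructed register for a fictitious IoT sensor fleet; all ratings are illustrative.
REGISTER = [
    Threat("Login to device with factory-default password", "S", 8, 9, 9, 8, 9),
    Threat("Unsigned OTA image replaces firmware", "T", 10, 7, 5, 9, 6),
    Threat("Key extraction via power side channel in the field", "I", 9, 3, 2, 6, 3),
    Threat("Flooding drains battery and takes sensor offline", "D", 5, 8, 7, 4, 7),
]
```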
IoT security is not a trivial issue. But models and approaches are available to improve security during or after the development of an IoT solution. What’s important is choosing a model and integrating it fully into everyday business. Another way to strengthen defenses is to seek out external companies to help with critical security aspects: New perspectives and alternative viewpoints can uncover security gaps that previously went unnoticed.
Our IoT security services
The opportunities for revolutionizing a product, business model, or production facility with the IoT are boundless. However, the security risks, lack of certainty about best practices, and the associated costs stop many companies from introducing this technology.
Right from the start, we build security into your IoT ecosystem so that you can protect your application scenarios and products. In addition, we can investigate an existing IoT solution and the infrastructure it uses in order to ensure the effectiveness of security controls and guarantee compliance with sector-specific standards.
Your partner for IoT security
Regardless of whether you’re starting from scratch or continuing something you’ve already begun, we can offer the following services:
- Check of IoT architecture
- Device security analysis
- Security analysis of connected interfaces
- IoT platform security analysis
- Security analysis of IoT mobile and cloud applications
- Implementations and tests in all areas
With us, find out how to optimally integrate threat modeling into the software development process of your agile project.
Once your digitalization project is in safe hands, you can get creative – for examples, see Augmented & virtual reality and Smart products. And you’ve surely already given some thought to data analysis.
In any case, why not get us involved to ensure the best possible use of your data?!