The Mirai botnet exposed very publicly how weaknesses in IoT devices can be used to create wide-scale Internet outages. Since then, other botnets based on Mirai have emerged, and now a new variant, Wicked, is being reported. Organizations are well-aware of the risks of insecure IoT devices. But analysis of IoT device patching trends reveals that even when vulnerabilities are known, steps are not being taken to proactively find and patch connected IoT devices.
In most cases, vulnerabilities are discovered after the device has been purchased and deployed in the network. For product developers, vulnerabilities uncovered after a product is released to market are costly to address and, depending on the type of device, can present a significant impact in terms of public safety and reputation. When paired with current threats such as ransomware, IoT devices present truly frightening, new opportunities for attackers.
Companies need to embed security in products from the very beginning of product development – before they are introduced to market and deployed in networks. However, because no system is 100 percent secure and threats continue to evolve, organizations must also continue to track and improve the security of these systems post-release.
Securing IoT devices can be challenging. Product developers necessarily have deep expertise in project management, engineering, quality assurance and many other aspects of bringing a product to market. But they don’t typically have expertise in cybersecurity, such as security threat intelligence, regulatory compliance, and data breach avoidance or response requirements. Not to mention the fact that IoT device security requires deep knowledge of emerging systems and their components, specialized hardware and software tools, as well as specific threats and countermeasures.
Given these limitations, outsourcing IoT security to dedicated security experts is increasingly common. Gartner forecasts in 2018 worldwide IoT security spending will reach $1.5 billion with 63 percent in professional services, rising to $1.9 billion and 66 percent by 2021. If your organization is among those considering outsourced security advice and consulting services to help strengthen your IoT device security, here are some of the key activities you should plan to involve these outside experts in, to complement your internal capabilities.
During development:
1. Include security experts on the design team. Optimal product development requires security experts that are integrated members of the development team, with active roles in product design and development.
2. Review initial high-level system design with security experts. Performing this activity during the design process will build understanding and enable you to develop architectures that mitigate security vulnerabilities before they are introduced.
3. Develop a threat model. Threat modeling aims to identify real world threats that apply to the system under development. The threat model documents key assets, data flows, system components, user roles, threats, and countermeasures. The countermeasures documented in the threat model must then be merged into technical product requirements, so they can be tracked during development.
4. Integrate static and dynamic analysis tools. These tools will help you identify security issues during the development lifecycle, which will in turn help limit the introduction of security vulnerabilities before your new IoT product is introduced to market.
Post-release:
1. Involve security experts in architecture assessments. Architecture reviews are performed by reviewing documentation and interviewing personnel to understand the architecture of the system and begin to identify potential risks and possible updates to the threat model.
2. Vulnerability assessments. Security experts can perform technical, hands-on assessments that aim to provide a broad picture of the vulnerabilities affecting one or more systems and determine the size and scale of known security problems for planning and prioritizing fixes.
3. Penetration testing. These are goal-oriented attack simulations in which you identify worst-case security nightmares affecting one or more targets. Using the threat model from a design review you can set goals to pursue during a penetration test. For example, ransomware targeting pacemakers or remotely unlocking car doors while the vehicle is in motion. You then run tests to understand how much progress an attacker with certain means and knowledge would make towards the stated goals in a limited amount of time, and how well your defenses are working.
Whether you work with in-house security resources or outside consultants, security experts are essential to help uncover vulnerabilities and offer recommendations to prioritize and mitigate risks. Consider the scenario of an automaker that has devised a way to unlock and start vehicles with a mobile phone. Security experts can lead design review sessions with different teams involved in product development and dig deep to uncover challenging security problems. Creating threat models, they can identify high risk threats like ways for attackers to take control of a vehicle if a mobile phone is lost or stolen, or deny access to legitimate users, or remotely drain the battery. From these exercises, product developers can gain the information they need to make technically informed decisions on their strategic roadmaps and build in security from the beginning.
In a post-release scenario, imagine an auto maker who may become concerned about security of their aging connected car and in-vehicle components. Security experts can conduct penetration testing to explore the types of vulnerabilities and level of sophistication required by attackers to use them to their advantage. They may discover ways for attackers to steal credentials that provide access to specialized hardware or even chain together vulnerabilities to extract enough intellectual property to construct a prototype system. Working with the auto manufacturer, they can craft remediation strategies to prevent issues while still being able to maintain the current solution offering.
While securing IoT devices is not a trivial exercise, product developers can tackle the challenges head-on. Collaborating with security experts throughout the product lifecycle, they can proactively reduce the risk of security breaches involving IoT devices.
Related: NIST Working on Global IoT Cybersecurity Standards
Related: Industrial Internet Consortium Develops New IoT Security Maturity Model