Latin America. Today, the Internet of Things, IoT, can be defined as a cyber-physical ecosystem of interconnected sensors and actors, enabling intelligent decision-making. The IoT provides that "smart" element to all the tools or practical objects of people's lives, from cars and wearable devices to smart grids and infrastructure.
However, threats and risks related to IoT devices, systems and services are growing, and cases of attacks or vulnerabilities occur more frequently day by day.
We've all heard the idea that deploying IoT will be key to developing smart cities, airports, improving health, as well as other key aspects in people's lives.
And it is a reality that this phenomenon grows everywhere and will continue to have a positive impact on our lives. But it is important to note that the deployment of security recommendations in ecosystems where the IoT will be essential for the proper functioning of these devices, is necessary to prevent cyberattacks in the future.
An extremely complex landscape
With a huge impact on citizens' security and privacy, the threat landscape for IoT devices and systems is misleading. Therefore, it is important to understand what exactly needs to be protected and implement specific security measures to protect us from cyber threats. This is particularly important in the context of IT systems, which are essential infrastructures for the operation of critical infrastructures and business.
IoT permeates many ecosystems, so you need to have a holistic and robust approach to:
Promote harmonization of IoT security initiatives and regulations
Raise awareness among people or users about the importance of cybersecurity, define secure guidelines for the software and hardware development lifecycle
Achieving consensus on interoperability across ecosystems
Establish secure lifecycle management of the products/services being offered.
According to a recent study, we are currently facing a scenario where it is important to examine the various attack and threat surfaces, propose best practices and security recommendations to protect ioT devices, data and systems. It is important to highlight some key points to better understand the picture.
Adding devices to IoT platforms and applications
We can consider different approaches to incorporating devices into IoT platforms and applications. Unlike onboarding users, device enrollment or registration involves a series of automated steps driven by an application programming interface (API), which do not require human intervention. Typically, a trusted anchor is required on the device, either provisioned by the manufacturer or added as an agent by distributors, solution providers, or customers. The trust anchor-based approach enables secure registration, provisioning, and updating of devices through active policy-based security controls that are designed to protect IoT applications and services. IoT platforms must support appropriate policy and whitelist capabilities to automate without human intervention.
Set owner-controlled security
The owner-controlled security posture is very important in the face of the IoT. Manufacturers are promoting certain trust anchors; certificates provisioned on devices during manufacturing itself for robust security from the start. These might work well on closed platforms and applications, but open platforms need owner-controlled and application-specific security. In addition, compliance and regulations require the change from the manufacturer's safety model to owner-controlled safety.
IoT Authentication
In the context of user identity, authentication models based on multi-factor approaches are applied. These models are simply not suitable for IoT-enabled devices. This requires devices to authenticate to other devices and to the security management plane according to the requirements of the application. These methods can use a combination of:
Application-specific credentials
Trusted anchors (hardware or software), powered by APIs
Another big problem is making sure that the credentials or certificates on the devices are not altered or copied to another device. This requires secure storage on the device and strong credential linking as part of the authentication process.
Privacy and data integrity
The IoT is not just about "things",but also about data. Securing the large number of devices is a complicated task, but the ever-increasing volume of data generated by IoT presents a whole new challenge. To protect sensitive device information, data should be encrypted as close to the source as possible. Typical transport-level security (TLS) models do not provide end-to-end security or data privacy. Taking a data-centric cryptographic approach would grant you end-to-end security and data privacy, allowing you to design a system independent of any network architecture. Another scenario to consider is the protection of sensitive data at the field level since machine-to-machine (M2M) protocols can deliver content to multiple subscribers.
Secure firmware updates
An IoT security strategy should include software and firmware updates for remote devices, while ensuring that only trusted software is installed. Secure device authentication, data privacy, and integrity on such computers form a prerequisite for this to be successful. The security management plane must be able to control access to devices for updates, verify the source, and validate the integrity of updates.
We must remember that the Internet of Things or IoT is a growing paradigm with a significant technical, social and economic impact. The IoT poses very important security and protection challenges that need to be addressed in order for it to reach its full potential. Many security considerations regarding this topic are not necessarily new; they are inherited from the use of network technologies. However, the features of some IoT deployments present new challenges, threats, and security risks that are multiple and rapidly evolving. Addressing these challenges and ensuring safety in products and services is a top priority for the immediate future.
By Manuel Zamudio, National Accounts Manager, Axis Communications.
