Meet the Samurai who has got only one code which is to save the world by providing life-saving technology solutions so as to make the most out of your tech.
The Internet Superhero
The Internet of Things (IoT) put simply, is an interconnection of embedded systems that exchange data and interact with each other over the internet to achieve a certain goal/service. Today, there are many examples of usages of IoT, existing and futuristic with each usage requiring a certain level of IoT security to safeguard the transmitted data.
With the explosion of IoT, more devices that were traditionally not internet connected are now connected. Its application has become more diversified and people are growing increasingly dependent on this technology. This is due to its simplified capability of remotely accessing devices that could not get accessed before.
IoT is technically divided into consumer IoT and industrial IoT. Consumer IoT is commonly refered to as IoT for home usage. On the other hand, industrial IoT, as the name suggests,is for industry and factory floors, where the power of the internet can be leveraged in the automation of industrial processes.
The possibilities of IoT are endless. However, as the technology grows and evolves, stakeholders have one main concern, security. IoT security is a thorny subject that needs to be addressed while the technology is still under development.
The world of cyber security is a well-developed, heavily regulated field with many players.The introduction of IoT devices into modern networks presents a challenge that all technology stakeholders have an interest in solving. For one, the data that IoT devices handle, is for most cases, sensitive data.
For instance, consider an IoT healthcare device that monitors a patient’s vitals. This device will sends back this data to a monitoring system that is accessed by health insurance companies and health practitioners. This device for instance, not only handles the patient’s vitals but could possibly have the patient’s personal identifiable information (PII) that makes the data sensitive. The data is termed sensitive since any threat actor can use it to extort the patient. An example is a company executive who has a health condition that he/she does not want to be public knowledge. In such a situation, the systems that handle/interact with the consumer’s data must have access control and data encryption functionalities. This is to ensure the data is never breached and the user’s confidentiality is maintained at all costs.
There are principles that are generally used in network security that can be used in the development of IoT security. The CIA triad of network security, which consists of Confidentiality, Integrity and Availability, can be used in IoT security. As a result, designers and developers of IoT products should use this principle in the development of their products.
You can assume that existing infrastructure in a network such as firewalls can be used to provide IoT security. However, like any electronic device, there are always vulnerabilities that threat actors can use to access the network. Therefore, the IoT device can be used as a pivot to access the rest of the network or system.
Using the example of the healthcare IoT device that monitors a patient’s vital. Imagine that the device manufacturer did not use the CIA triad in developing his product and the device is currently being used by a large health insurance company to monitor their client’s health. Now, should a hacker, be able to identify a vulnerability that enables him/her to gain access to the client’s health monitor, he can use the trusted credentials of the client’s health monitor to gain access to the health insurance’s network. Afterwards, he can then retrieve confidential data such as client-bank account details. The next thing you know, money gets redirected to illegitimate accounts from the health insurance’s own accounts!
The implementation of IoT security both at the development and implementation stage is important for its overall success. The need for this is amplified by the number of IoT devices that are expected to be developed in the next few years.
The first factor in the development stage is the letter C in the CIA triad that stands for confidentiality. Confidentiality is defined as the state of keeping something secret. With regard to data, this means that only the people who are authorized to view the data should view it. Implementing confidentiality in an IoT device entails using access control mechanisms that give different users a certain level of access. For instance, the owner of a file, who can be a single user or a group of users, should be able to read and modify the data. On the other hand, everybody else only gets privileges to view the file or no privileges at all.
Another factor is integrity that is the letter I in the CIA triad. Integrity is defined in computing circles as the accuracy of data. Integrity is often used to safeguard data from unauthorized modification while in transit. Given that IoT devices produce data that need to be stored in a cloud architecture, or is often in transit to another system for further processing, ensuring that an IoT device maintains data integrity is crucial for designers.
The integrity of data is maintained through encryption of data. There are different encryption techniques that are used in ensuring data integrity. The main point is to use encryption techniques that are hard/almost impossible to crack. So even if a threat actor is able to obtain the encrypted data it will be very time-consuming for him to try to decrypt the data back to its original form.
The final factor is availability. Availability refers to the device being always on or reachable. A great selling point of IoT is being able to reach devices that are traditionally unreachable over the internet. For instance, a homeowner being able to see their home security cameras over the internet is an example of availability.
Denial of Service (DoS) is an attack mechanism used by threat actors to deny legitimate users access to resources. This, for example, can be done by overwhelming the device such that it is not able to respond to legitimate user responses. IoT device designers have to put in place mechanisms that shield the device against DoS attacks. This involves taking steps such as using a firewall within the network to filter traffic and ensure only legitimate requests are processed by the IoT device.
The field of IoT is an evolving field and the security mechanisms should likewise evolve with it. Given how insecure public infrastructure like the internet is, there is no option for stakeholders but to ensure that IoT security is factored into the technology’s development and the CIA triad should be the foundation to set it upon.
What do you think? Do you believe the networking security concept of the CIA triad can solve the issue of IoT security? Do share your thoughts here below.