The Internet Superhero

IoT security: It is time to discuss the elephant in the room

Published 18/01/2018 in Internet Security - 12 Comments
Internet Security

The Internet of Things (IoT) put simply, is an interconnection of embedded systems that exchange data and interact with each other over the internet to achieve a certain goal/service. Today, there are many examples of usages of IoT, existing and futuristic with each usage requiring a certain level of IoT security to safeguard the transmitted data.

The internet is a vulnerable network. Therefore IoT security is crucial for the technology to flourish

An illustration of the Internet of Things

With the explosion of IoT, more devices that were traditionally not internet connected are now connected. Its application has become more diversified and people are growing increasingly dependent on this technology. This is due to its simplified capability of remotely accessing devices that could not get accessed before.

IoT is technically divided into consumer IoT and industrial IoT. Consumer IoT is commonly refered to as IoT for home usage. On the other hand, industrial IoT, as the name suggests,is for industry and factory floors, where the power of the internet can be leveraged in the automation of industrial processes.

IoT Security: What you need to know.

The possibilities of IoT are endless. However, as the technology grows and evolves, stakeholders have one main concern, security. IoT security is a thorny subject that needs to be addressed while the technology is still under development.

The world of cyber security is a well-developed, heavily regulated field with many players.The introduction of IoT devices into modern networks presents a challenge that all technology stakeholders have an interest in solving. For one, the data that IoT devices handle, is for most cases, sensitive data.

For instance, consider an IoT healthcare device that monitors a patient’s vitals. This device will sends back this data to a monitoring system that is accessed by health insurance companies and health practitioners. This device for instance, not only handles the patient’s vitals but could possibly have the patient’s personal identifiable information (PII) that makes the data sensitive. The data is termed sensitive since any threat actor can use it to extort the patient. An example is a company executive who has a health condition that he/she does not want to be public knowledge. In such a situation, the systems that handle/interact with the consumer’s data must have access control and data encryption functionalities. This is to ensure the data is never breached and the user’s confidentiality is maintained at all costs.

Guiding Principles of IoT Security.

Internet Security

Security Link

There are principles that are generally used in network security that can be used in the development of IoT security. The CIA triad of network security, which consists of Confidentiality, Integrity and Availability, can be used in IoT security. As a result, designers and developers of IoT products should use this principle in the development of their products.

You can assume that existing infrastructure in a network such as firewalls can be used to provide IoT security. However, like any electronic device, there are always vulnerabilities that threat actors can use to access the network. Therefore, the IoT device can be used as a pivot to access the rest of the network or system.

Using the example of the healthcare IoT device that monitors a patient’s vital. Imagine that the device manufacturer did not use the CIA triad in developing his product and the device is currently being used by a large health insurance company to monitor their client’s health. Now, should a hacker, be able to identify a vulnerability that enables him/her to gain access to the client’s health monitor, he can use the trusted credentials of the client’s health monitor to gain access to the health insurance’s network. Afterwards, he can then retrieve confidential data such as client-bank account details. The next thing you know, money gets redirected to illegitimate accounts from the health insurance’s own accounts!

Implementing IoT using the CIA triad.

The implementation of IoT security both at the development and implementation stage is important for its overall success. The need for this is amplified by the number of IoT devices that are expected to be developed in the next few years.

The first factor in the development stage is the letter C in the CIA triad that stands for confidentiality. Confidentiality is defined as the state of keeping something secret. With regard to data, this means that only the people who are authorized to view the data should view it. Implementing confidentiality in an IoT device entails using access control mechanisms that give different users a certain level of access. For instance, the owner of a file, who can be a single user or a group of users, should be able to read and modify the data. On the other hand, everybody else only gets privileges to view the file or no privileges at all.

Another factor is integrity that is the letter I in the CIA triad. Integrity is defined in computing circles as the accuracy of data. Integrity is often used to safeguard data from unauthorized modification while in transit. Given that IoT devices produce data that need to be stored in a cloud architecture, or is often in transit to another system for further processing, ensuring that an IoT device maintains data integrity is crucial for designers.

The integrity of data is maintained through encryption of data. There are different encryption techniques that are used in ensuring data integrity. The main point is to use encryption techniques that are hard/almost impossible to crack. So even if a threat actor is able to obtain the encrypted data it will be very time-consuming for him to try to decrypt the data back to its original form.

IoT should always be available.

Accessibility is a key factor to consider in IoT security

Isolated monitoring cameras on blue sky

The final factor is availability. Availability refers to the device being always on or reachable. A great selling point of IoT is being able to reach devices that are traditionally unreachable over the internet. For instance, a homeowner being able to see their home security cameras over the internet is an example of availability.

Denial of Service (DoS) is an attack mechanism used by threat actors to deny legitimate users access to resources. This, for example, can be done by overwhelming the device such that it is not able to respond to legitimate user responses. IoT device designers have to put in place mechanisms that shield the device against DoS attacks. This involves taking steps such as using a firewall within the network to filter traffic and ensure only legitimate requests are processed by the IoT device.

So can the CIA triad be the answer to IoT security?

The field of IoT is an evolving field and the security mechanisms should likewise evolve with it. Given how insecure public infrastructure like the internet is, there is no option for stakeholders but to ensure that IoT security is factored into the technology’s development and the CIA triad should be the foundation to set it upon.

What do you think? Do you believe the networking security concept of the CIA triad can solve the issue of IoT security? Do share your thoughts here below.

 

 

 

 

12 comments

Vince - 29/01/2018 Reply

Great post and you’ve opened up my mind to a lot of holes we can face with IoT.
I work in the audio visual industry and we are implementing heaps of IoT for control systems and there is a backlash from IT departments about it.
The CIA triad concept can work, but for how long?

    The Internet Samurai - 29/01/2018 Reply

    Thank you Vince.
    The CIA triad has been used as a guiding security principle by many network security specialists for a nearly two decades for private network infrastructure and it has worked just fine. I therefore believe it can also be applied in IoT security.
    You should probably advice your network administrator to look into it for more insight.

dean - 29/01/2018 Reply

Awesome content!! I learned a lot from this article..

    The Internet Samurai - 29/01/2018 Reply

    Thank you dean. That’s the essence of my blog, to be informative.

Jerry Huang | Smart Affiliate Success - 29/01/2018 Reply

This is a really informative and in-depth post. This is the first time I heard of IoT so you definitely opened up my eyes. This seems like a really powerful thing but security should be taken very seriously.

    The Internet Samurai - 29/01/2018 Reply

    Yes Huang. IoT has been referred to as the Web 3.0. It is where we are and its craze will go on over the next decade. I will prepare more blogs on IoT so that you may learn more about it.

John - 29/01/2018 Reply

For one who is always careful about security, you post has opened my eyes to the important part the CIA triad plays in internet security. Appreciate if you can answer a question regarding Internet cafes/coffee houses. How safe are they even if they have a password.

    The Internet Samurai - 29/01/2018 Reply

    Hello John. If you are into security then this is the place. I have prepared a lot of content on Internet security of which I will upload over the course of this week.
    Concerning the your question are you talking about the Wifi connection?

Dennis - 29/01/2018 Reply

Wow, very insightful information on IoT. I’ve never heard of it and so you’ve opened up my mind to a myriad of possibilities. Amazing!

    The Internet Samurai - 29/01/2018 Reply

    Thank you Dennis. Expect to be hearing more on it.

Damien - 29/01/2018 Reply

Hey. Very helpful Post.
Security is very important. Thank you for this article. It opened me my eyes on some things 🙂

    The Internet Samurai - 29/01/2018 Reply

    Thank you Damien.
    That’s exactly why I came up with this blog!

Leave a Reply: