The security of the Internet of Things (IoT) is improving; organizations are getting smarter. Industrial devices are getting the improvements needed. However, despite all these efforts, there is still a lack of security being implemented.
If we ignore the general insecurity of IoT devices and just look at the sheer number of them, we start to see the wider problem. Each IoT device has an individual identity. And so with billions of these new IoT devices, comes billions of individual identities. Organizations are keenly aware of securing online human identities, monitoring these for fraud and malicious actions. But what about machine identities?
Securing machine identities is critical: every device on a network is a potential threat, because malicious attackers can abuse trusted identities.
Machine identities are not being secured in the same way as human identities online, resulting in a lack of encryption across networks, among other things. When two machines talk without encryption, or communicate unencrypted between two networks, the unencrypted activity leaves ample opportunity for an attacker to eavesdrop on the traffic and conduct a variety of attacks.
To counter this exposure to cyber crime, Public Key Infrastructure (PKI) should be the foundation of security for machine identities. This allows IoT devices to authenticate, ensuring secure and encrypted communications from the get-go. For Industrial IoT, PKI enables trust, privacy for all the different components, safety for employees and integrity of the data.
As awareness of the importance of PKI increases, industrial IoT is becoming more secure. There is now a security framework for Industrial IoT machinery that is connected to the Internet: the “Industrial Internet Security Framework” (IISF) report. This is a critical milestone for IoT, as there will be money and funding behind this initiative, which aims to create a standard for the industry. Smaller IoT manufacturers that do not have the money to invest in building secure devices themselves can adopt the framework.
The framework breaks up the security of Industrial IoT into high-level security domains, such as the business, endpoints, isolation techniques, protecting communications, security monitoring and analysis.
The framework explains a process isolation model, which separates business, operations and security processes from each other. This addresses the concern that compromising any component of the processes within an operating system may form a foothold for further attacks. This leads us full circle back to securing identities. As each process can be seen as a unique identity, it is important to securely authenticate IoT devices at all levels.
To secure your own device at home, start by segregating it from the rest of the network. Most home routers can create a ‘guest’ network, which allows a ‘guest’ user to access the Internet without connecting to your other personal devices on the network. This would, in effect, create a sandbox for your device, so it can connect to the Internet, without compromising the network and your other devices.
If a device comes with a default password, this should always be changed. Ignore this and within seconds of connecting to the Internet, your new IoT device will be attacked. There are thousands of automated scripts that scan the Internet for such devices and will automatically start password attacks as soon as they find one. So, changing the password before connecting it to the Internet isn’t just a good idea, it’s compulsory.
Once you have your IoT device connected to the Internet, you should check if there are any updates available for your device. If there are, it’s likely some of them are security patches, so you should install these as a matter of course.
The Internet of Things has had a bad start where security is concerned. However, with the help of this framework, we should be seeing an improvement in security for embedded devices. The question, though, is this: as IoT devices proliferate within large organizations, will things get worse before they get better?