As IoT deployments continue to rise, the IoT device landscape is also getting larger and more heterogeneous. Given the enormous scale of these devices, they are highly vulnerable to cyber-attacks.
Industries that have IoT deployments, such as insurance companies, audit agencies, digital factories and financial institutions, handle sensitive device-generated data. Therefore, they are expected to protect data integrity and transport-layer security between devices and the cloud backend system to avoid man-in-the-middle attacks and unauthorized API access.
Most of these connected IoT devices are in a "set it and forget it" state, running with a default set of username/password credentials. In addition, the communication between the IoT devices and the cloud backend system is unencrypted. Often the low-powered devices are not even capable of encrypting the messages. These are weak spots that let attackers gain access to the devices and to the cloud backend system as well. The impact of these IoT attacks is very costly: in 2016 the Mirai botnet compromised more than 100,000 IoT devices and became the source of DDoS attacks on many live production websites and DNS providers.
Digging into the security aspects of a typical IoT deployment, in our experience the following six areas are where secure mechanisms should be instrumented to prevent cyber-attacks of any kind:
- End-Point: Having the capability of secure boot by verifying file-system integrity, ensuring the device configuration is unchanged and, if an unauthorized change happens, resetting automatically to the last known-good configuration and notifying the administrator are key aspects of end-point security. An IoT edge gateway enables low-powered devices to connect to the IoT cloud platform securely.
- Flow Layer: The sensor data collected by IoT devices needs to be processed and stored securely. The database needs to reside on encrypted storage.
- Network Layer: The sensor data and management data flows should be protected using MQTT over TLS and HTTPS. SSL and IPSec tunneling play a very important role here.
- Identity Access: Device authentication based on X.509 certificates, user authentication and authorization based on role-based access control (RBAC), and OpenID-based external authentication for enterprise users are some of the key functionalities needed to control who can access what.
- API-Messaging: APIs are extensively used for sharing and exporting data to external entities such as an analytics platform or a user's mobile app. Authentication and authorization using username/passwords and web tokens such as JWT are critical here. Tokens coupled with API rate-limiting can make the IoT service resilient.
- Audit Logs: The system should provide traceability by logging important events as they occur, along with useful metadata such as when, what, who and where a particular incident occurred.
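The API-Messaging item pairs web tokens with rate limiting. As an added example that is not part of the original post or of the Vitalpointz platform, the following Python (standard library only) verifies an HS256 JWT presented by a device, rejecting tampered, expired or wrong-algorithm tokens, and then applies a per-device token bucket before the request is served; the shared secret and device id are constructed demo values.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-shared-secret"  # constructed demo secret; a real service loads it from a vault

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def issue_token(device_id: str, ttl: int, now: float) -> str:
    # Mint an HS256 JWT for a device; used here only to build sample input.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": device_id, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now: float):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse "none" and any algorithm the server did not choose
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: payload or signature was tampered with
        claims = json.loads(_b64url_decode(payload_b64))
        return claims if claims.get("exp", 0) > now else None  # expired tokens are rejected
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

class RateLimiter:
    """Token bucket per device subject: `rate` requests/second, bursts up to `capacity`."""
    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity, self.buckets = rate, capacity, {}

    def allow(self, subject: str, now: float) -> bool:
        tokens, last = self.buckets.get(subject, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last call
        self.buckets[subject] = (tokens - 1 if tokens >= 1 else tokens, now)
        return tokens >= 1

def handle_request(token: str, limiter: RateLimiter, now: float) -> str:
    claims = verify_token(token, now)
    if claims is None:
        return "401 unauthorized"
    if not limiter.allow(claims["sub"], now):
        return "429 too many requests"
    return "200 ok"
```

The `now` parameter is injected so the expiry and refill logic can be exercised deterministically; a deployment passes `time.time()`.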
In addition to these security mechanisms, having over-the-air (OTA) update functionality that enables frequent software and patch updates to end devices is another critical requirement in completing end-to-end security for IoT deployments.
As we head into 2019, government regulations are also tightening up on IoT security, with California becoming the first state to pass a new cybersecurity law, SB-327, that mandates tighter and unique passwords for IoT devices as a starting point. These laws are being designed to protect the nation's critical infrastructure (smart cities, power plants etc.), which is being digitized using IoT.
At Vitalpointz, our IoT Microservices Platform along with the developer tools comprehensively addresses the above-mentioned security vulnerabilities. For more information visit https://vitalpointz.io. Message me to request a free trial.