IoT Cybersecurity…. The World of Unknown for Organizations and Nations!
Do we want to wait until the rise of weaponization of IoT, cyber-attacks leading to loss of human lives and chaos in the social order?
Internet power to connect, communicate and remotely manage millions of networked devices is becoming pervasive. The market and nations are gung-ho about IoT phenomena globally and so does India. As per pundits, the IoT devices count would reach to 20 to 30 billion by 2020. McKinsey global institute research estimated the probable impact of the IoT on the global economy might reach $6.2 trillion by 2025. Along with it, the Indian market is poised to reach $15 Billion by 2020 as cited by a NASSCOM study “IoT in India - The Next Big Wave”. Consumers and organizations both are feeling the IoT gravitational pull in their respective ecosystems. Consumers are adopting the wearables and consuming services with the help of networked devices at public place or at home. Classic examples are smart watch, smart apparel, internet based glucometer etc. Industry has also experienced the transition from closed networks to enterprise networks to public internet to deliver its business leveraging industrial internet of devices (IIoT).
IIoT uses cases underlying IoT architectural components such as protocols, networks, sensors, associated IT systems and gateways warrant robust cyber security architecture to achieve the objective of end to end protection. One cannot imagine a non-secure future in which IoT devices surround us, optimizing time, furthering our wellbeing, improving our health and transforming workplace productivity. The trends in IoT security landscape by 2020 are, but not limited to, IoT security market is expected to reach nearly $29 billion by 2020, as per a report published by Markets and Markets, 50 percent of manufacturers would not be able to patch vulnerabilities in IoT devices, 2.5 % of attacks in an enterprise would be on IoT/IIoT, discovery, provisioning and authentication would eat significantly into IoT security budget and 50 % of large IoT implementation would require cloud security services.
IoT landscape is changing at a blink of an eye and also the cyber threat landscape associated with it. IoT devices are exposed to cyber-attacks such as denial of services, identity theft, jamming, tampering,
eavesdropping, side channel attacks, stolen keys of encryption and devices acting as bots etc. In case of a cyber-attack on IoT devices, life may come to a standstill or it may cause harm to humans which is different when compared with risk landscape of IT environment in which the consequence is limited to data leakage or services not being available etc. The countermeasures against cyber-attacks which need to be deployed by the organizations globally have an arduous task cut out to achieve objectives such as integrity and confidentiality of data, availability, safety and resiliency of IoT systems.
The burning question is, how we can find a silver bullet for thwarting the cyber-attacks on IoT? The answer is we don’t, because securing IoT ecosystem would evolve with time, learnings from failures, and with data availability for the analysis. Now is the opportune time to understand in detail the security challenges landscape of the IoT ecosystem. The indicative challenges are, but not limited to, guarding program logic controllers (PLCs) embedded in the devices, patching industrial control systems without impacting its functional safety, prevention of unauthorized usage of private information hosted on plethora of IoT devices, anomaly detection in the behaviour of IoT devices functioning and to counter remote hijacking of IoT devices etc.
The journey of secure implementation in IoT ecosystem is not a cake walk hence it warrants focused attention. Stages which need consideration from security and privacy aspect during implementation are design, implementation, deployment, operations and disposal. Each stage is to be given fair consideration so that there are no loose ends left while on the journey of end to end secure IoT implementation. The first stage is a `Design Phase’ which may involve building safety & security considerations such as threat modelling, conducting privacy and safety impact assessments, conceptualizing compliance engineering, writing processes & agreements for secure acquisitions & updation, managing SLAs and it is to be accompanied by robust technology selection for components such as hardware, software, third party libraries, authentication, authorization, edge & security monitoring etc. Second stage which is actual `Implementation’ consists of stitching elements such as security awareness training, system testing, secure system integration , system configurations and lastly to roll out IoT incident management procedures etc.
The third stage is when organizations actually take a leap of faith for `IoT Deployment’ which may consist of foundations such as red & blue teaming, asset management system, security provisioning , verification of security controls and monitoring & reporting etc. Fourth stage is when the organizations should wake up again and re- energise themselves to bear the fruits of all three stages completed till now. It is the stage of `Operating’ IoT ecosystem which is to manage eclectic mixture of systems that can continuously deliver compliance assessment, forensics, monitoring, device health management, incident management etc. Fifth stage is where organizations retire IoT systems as implemented; it is the `Disposal Stage’ consisting of elements such as secure device disposal, inventory removal, data purging, data archival and records management etc.
The architectural layer of IoT ecosystem which is of paramount importance is the protocols on which it operates and functions. The protocols such as MQTT, CoAP, ZigBee and Bluetooth etc warrant
distinctive cryptography techniques for its protection. The traditional cryptographic methods are a starting point but may not prove to be sufficient in the future. Another architectural layer which is one of the critical components of IoT ecosystem is its Identity Access & Management (IAM). Its sub- element are identity lifecycle, authentication and authorization. Organizations need to take into considerations that next generation IoT devices need to be secured with techniques which may involve evaluation of context of transactions, application of dynamic authorization policies, leveraging registration authorities, deploying token based authentication and developing non IP based device protection techniques etc.
The conundrum of IoT cyber security is not confined only to the organizational boundaries. The problem statement is also applicable for the nations working towards building smart cities & towns. The ambition to build smart nations brings new set of cyber security challenges. Some indicative challenges on national level are such as, but not limited to, building IoT/IIoT sectoral inventory, formulation of technical standards to integrate IoT & IT systems, absence of robust field firewalls, field controllers, light weight encryption capabilities, techniques for auto- discovery and device authentication, ineffective threat analysis & intelligence sharing and not able to deliver secure interoperability in use cases integration etc. A national charter for IoT cyber security has to take a deep dive in the ocean of problem statements.
Do we want to wait until the rise of weaponization of IoT, cyber-attacks leading to loss of human lives and chaos in the social order? The fictional part of our life had demonstrated the same in movies such as Die Hard 4.0, Swordfish and recently released Blackhat. It’s time to rise before it is too late for the organizations and nations to prepare for the omnipresent cyber threats. The grave security and privacy issues of IoT need to be addressed before we miss our train. Factors such as but not limited to end users & clients demanding more secure products, government intervention, regulations and hackers activities may drive this ecosystem preparation. One should take cognizance and remember IoT/IIoT devices will remain targets due to its underlying design and gaps which we might leave unpatched. To end, cyber security quote for this would be “Prepare well or Perish”.