Why & How to Secure IoT Systems from Cyber Crime

What is IoT

The Internet of Things (IoT) is a system of IP-based devices with the ability to transfer data over a network. The smartphone is one of the most widely used IoT devices.

Why IoT

Today, organisations are attempting to integrate enterprise applications such as ERP, CRM, SCMS, PLM and MES with manufacturing processes to gain greater downstream visibility and a fuller vision of the organisation’s performance.

A growing number of connected IoT devices has enabled organisations to collect, process and analyse vast amounts of data in real time to gather insights into everything from understanding consumer behaviour and improving business efficiencies to reducing operational costs and enhancing overall workplace safety. Advances in technologies including 5G, cloud, big data analytics, machine learning, computer vision, NLP and artificial intelligence have made it possible to gather and process huge amounts of data in real time.

By using the right data at the right time, data-driven organisations such as Google, Amazon and Southwest Airlines have a competitive advantage over traditional organisations. The more sources of data you can mine, and the more data streams you can blend, the greater the value. This is why we see many IoT use cases in key industries such as healthcare, smart cities, manufacturing, defence and aviation.

Why IoT Security

A single vulnerability in an IoT device can lead to harmful consequences, ranging from loss of privacy, physical damage and financial losses to the endangering of human lives.

I would like to highlight a few IoT attacks that make you feel insecure and vulnerable.

Stuxnet (Year 2010)

In 2010, centrifuges at Iran’s Natanz uranium enrichment facility began failing at an unprecedented rate. It was later found that the Stuxnet worm had infected the SCADA and PLC systems used in the facility. It was discovered as the world’s first digital weapon, one that almost started World War 3. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.

This computer worm used multiple zero-day vulnerabilities and was introduced into the target environment via an infected USB flash drive. A zero-day vulnerability is a system flaw that is known to the manufacturer but not yet patched.

Stuxnet travelled on USB sticks and spread through Microsoft Windows computers. The virus searched each infected PC for signs of Siemens Step 7, the software used for PLC programming. After finding a PLC computer, the malware updated its code over the internet and began sending damage-inducing instructions to the PLC-controlled equipment. It did two things. First, it sent false feedback signals to the equipment’s health monitoring system, so the operator got the impression that everything was under control when it was not. Second, it could manipulate the speed of the rotor within the centrifuge, which could crack the rotor and eventually even make the centrifuge explode.

The ability of such cyber-attacks to tamper with the health monitoring and safety control systems of a nuclear plant, power plant or any critical equipment is the most dangerous threat to humankind. Imagine a big steam turbine in a power plant overspeeding so far that the relief valves must open within a millisecond. A human operator cannot do this; it requires a controller-based real-time system.

It is believed that the target of this attack was Iran’s Natanz uranium enrichment facility. However, today such viruses are available online as open-source weapons. Anybody with knowledge of your zero-day vulnerabilities can modify one, spread it as a worm over the internet and use it as a cyber-weapon for mass destruction.

Mirai (Year 2016)

The Mirai virus targeted online consumer devices such as IP cameras and home routers that were using default credentials. It turned these devices into remotely controlled bots and used them as part of a botnet for large-scale network attacks (DDoS). There are hundreds of thousands of IoT devices that use default credentials and become easy targets for attackers.

Samsung's smart fridge

UK-based infosec firm Pen Test Partners reported a vulnerability in Samsung’s smart fridge while participating in an IoT hacking challenge. Samsung’s implementation of SSL encryption doesn’t check the validity of the certificates. This presents a serious security problem, since anyone on the network would be able to launch a “Man in the Middle” attack and intercept the user’s login credentials in transit.
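The class of flaw described above, shown as an added example in Python's standard `ssl` module (this is not Samsung's code, and the function names are made up for illustration): a client context that encrypts without validating, a half-fix that verifies the chain but not the host name, and a hardened context, with a small audit that tells them apart.

```python
import ssl

def weak_context():
    """Client config matching the flaw described above: traffic is encrypted,
    but the peer's certificate is never validated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be switched off first
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx

def chain_only_context():
    """A common half-fix: the chain is verified, but a valid certificate
    issued for any other host name is still accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def hardened_context():
    """Verify the chain against trusted CAs and match the host name."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the validation checks a client context is missing."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("host name not matched against certificate")
    return findings

if __name__ == "__main__":
    for make in (weak_context, chain_only_context, hardened_context):
        print(make.__name__, audit_context(make()) or "OK")
```

Both checks are needed: without chain verification any self-signed certificate passes, and without host name matching any valid certificate for a different host passes.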

IoT Security Challenges

1.    Limited Device capability –

IoT devices are a primary target of cyber attackers. Traditionally, these devices were part of a physical control system, with limited computing and networking capability to keep them simple and efficient. Converting such devices to IoT devices requires a complete redesign with security in mind at all levels and all interfaces. However, to reduce time to market, most manufacturers compromise on development time.

2.    Vulnerable Environments –

Traditionally, IP-enabled devices were typically located in secure data centres, with armed guards, segregated physical access, biometrics and a range of other physical security measures. By the nature of their application, IoT devices tend to be placed in unprotected environments. Such environments are easier for attackers to access.

3.    Obsolescence Management –

IoT devices are generally low cost, and it is not economically viable to maintain the software/firmware of these devices even after obsolescence.

4.    Weak monitoring and system management –

Even if an IoT system is designed to be secure at the beginning, constant monitoring and maintenance are required to maintain the security standard. IoT devices get upgraded over time to include new features or to address software bugs. It is important to upgrade the entire IoT system and keep it up to date. Inadequate effort in system management and maintenance will certainly result in negative consequences, such as degradation or even complete failure of the system, exposure of sensitive customer information, or even loss of system control to a bad actor who aims to use the system for nefarious purposes.

5.    Scale and Volume –

The scale of IoT deployment makes it a tempting target for cyber criminals. As in the case of Mirai, discovering and exploiting a single vulnerability can quickly create a massive army of attackers with which further large-scale attacks (DDoS) can be planned.

6.    Access to physical device –

An attacker can gain physical access to, tamper with, and possibly reverse engineer an edge device with the aim of gaining access to the entire system. Also, zero-day vulnerabilities are available for sale online, making attackers’ lives easy.

7.    Poorly designed software, firmware and hardware

8.    IoT devices are proliferating everywhere, and each device has different vulnerabilities, which makes the network porous and vulnerable to cyber attacks

9.    Lack of standardisation

How to secure IoT system

1.    Get visibility into the exact number and types of IoT devices connected to the network. Ensure that all devices are identified, and keep a log of details such as serial no., model no., make, hardware, software and firmware versions, operating system details and configuration.

2.    Never use devices with no provision to update passwords, software and firmware as part of an IoT system

3.    Always change default username and password.

4.    Use unique and strong passwords for all IoT devices

5.    Use two-factor authentication

6.    Design your device/system with security in mind right from the beginning and address security at all levels and all interfaces in a system

7.    Take extra steps to secure devices at the hardware level

8.    Secure IP addresses against hacking

9.    Use data encryption

10. Address the security of each and every peripheral device or network

11. Use virtual local area network (VLAN) configurations and next generation firewall policies to implement network segmentation that segregates different types of IoT devices.

12. Regularly patch and upgrade devices with the latest updates

13. Actively monitor IoT devices at all times
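Several items in this checklist (1, 2, 3, 11 and 12) can be checked mechanically once the device inventory from item 1 exists. The following is an added example, not part of the original article: the field names, the default-login list, the VLAN policy and all inventory values are constructed assumptions.

```python
# Constructed examples of factory-default logins (assumption, not from the article).
DEFAULT_LOGINS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
# Hypothetical segmentation policy: device type -> the only VLAN it may sit in.
VLAN_POLICY = {"camera": 30, "plc": 40, "sensor": 50}
REQUIRED_FIELDS = ("serial", "model", "make", "firmware", "os")

def version_tuple(version):
    """'2.10.1' -> (2, 10, 1), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def audit_device(dev, latest_firmware):
    """Return the checklist items one inventory record violates."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if not dev.get(f)]
    if missing:
        findings.append("inventory record incomplete: " + ", ".join(missing))
    if not dev.get("updatable", False):
        findings.append("no provision to update passwords or firmware")
    if (dev.get("username"), dev.get("password")) in DEFAULT_LOGINS:
        findings.append("default username and password still set")
    required_vlan = VLAN_POLICY.get(dev.get("type"))
    if required_vlan is None:
        findings.append("unknown device type, no segment assigned")
    elif dev.get("vlan") != required_vlan:
        findings.append(f"on VLAN {dev.get('vlan')}, policy requires {required_vlan}")
    latest = latest_firmware.get(dev.get("model"))
    if latest and dev.get("firmware") and version_tuple(dev["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {dev['firmware']} is behind {latest}")
    return findings

def audit(inventory, latest_firmware):
    return {d.get("serial", "?"): audit_device(d, latest_firmware) for d in inventory}

# Constructed inventory and firmware feed; every value here is made up.
LATEST = {"CAM-100": "2.10.1", "PLC-7": "4.2.0"}
INVENTORY = [
    dict(serial="CAM-0001", model="CAM-100", make="ExampleCo", firmware="2.9.3", os="linux",
         type="camera", username="admin", password="admin", updatable=True, vlan=30),
    dict(serial="PLC-0002", model="PLC-7", make="ExampleCo", firmware="4.2.0", os="rtos",
         type="plc", username="ops", password="constructed-unique-passphrase", updatable=True, vlan=30),
    dict(serial="SEN-0003", model="TH-1", make="", firmware="1.0.0", os="rtos",
         type="sensor", username="svc", password="another-constructed-value", updatable=False, vlan=50),
]

if __name__ == "__main__":
    for serial, findings in audit(INVENTORY, LATEST).items():
        print(serial, findings or "OK")
```

The camera record shows why firmware versions are compared as number tuples: as plain strings, "2.9.3" sorts after "2.10.1" and the outdated device would pass.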

Remember! The world is full of very clever, dedicated and well-funded people who can break into your system and exploit it.



Piyush Agrawal, PMP

Product Manager-IIoT at Idex India Pvt Ltd

4 years

Very well written, Shital.

Satish Patil

Group Chief Digital Officer, Digital Evangelist, Business Transformer

4 years

Good crisp insights

Anil Parab

L&T Whole-Time Director & Sr. EVP ( Heavy Engineering and L&T Valves), Chairman Capital Goods Skill Council; Co-Chair Capital Goods & Public Procurement Policy Committees FICCI IIT Jammu Senate Member FINAE

4 years

Dear Shital, very well written, comprehensive article. Keep it up.

Gopal Goenka

Data North Technologies | John Deere | L&T Defence

4 years

Worth a read. Very good article, Shital Parab.

Prathamesh Pokale

Principal Architect at Larsen & Toubro, Defense Electronics and Sensors

4 years

Important topic and well covered. One of the major factors, I think, is the market competition that forces keeping IoT devices at a low price, and that is perhaps the reason for not paying much attention to security in hardware / software.
