This is how you secure the Internet of Things
For an IoT system, there are a lot of technologies involved across the line connecting EDGE with CORE computing. There is hardware to develop, tiny computer to program in order to read measures and react to, transmit data from different continents, collect, analyze, and redistribute the data with confidence, integrity and availability. So, where should you start?
Start reducing the system into smaller components, identifying the key assets.
As example, the IoT solution can be reduced to:
|CORE||The CORE provides the virtual infrastructure (ex. AWS), to run containerized (ex. Docker) applications (ex. Java/Spring) and data storage (ex. Oracle, Hadoop). Applications are primarily responsible for the storage, analysis, and presentation to the users of the measures received from EDGE.|
|Communication||Communication between EDGE and CORE use asynchronous protocols (MQTT). Communication must assure confidentiality, integrity, and availability of the data.|
|EDGE||The EDGE is an ad-hoc designed and engineered component, filling the gap between the hardware (sensors and actuators) with the upper layer protocols. Must assure Availability and Integrity of the processed data, be resistant and easy to install and maintain.|
Once the system key components have been sketched, you can start applying a security framework to the system.
Choose a good framework that fits in your environment. We have many years of experience with the NIST Cyber Security Framework (NIST-CSF) and, if you do not have any external constraint, we strongly encourage you to adopt this framework.
The NIST-CSF has 5 main functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER); just follow the framework and go through all questions. It measures the quality of each function’s implementation with the Tiers: Partial, Risk Informed, Repeatable, and Adaptive. You can start using the framework and reiterate the process to correct or perfect some items. Refer to how to use the framework on the NIST CSF page, in this article I just present some starting point we used during our projects.
The main goals of the Identify function is to understand the business context, the resources that support critical functions, and the related cyber-security risks. This enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
A possible approach consist to identify the data, make a CIA classification, and list the assets involved in the data management:
|Login Info||H||M||L||Logon||Logon component||Logon Container, User DB||Apache Pool, DB Pool||DB||…|
Recursively apply the classification to the different solution’s parts, until you have a big picture of the parts and their interconnections.
Start designing a minimal risk assessment, specifying some detailed use cases, probability, and impact. This will help you to better understand your organization, the business, and prioritize the tasks.
The Protect function supports the ability to limit or contain the impact_ of a potential cyber-security event.
The protection measures may vary based on the risk assessment, but we can divide them in two main categories:
|Baseline||Baseline protection measures are all modern standard security measures, like OS hardening, use of encryption in communications, secure storing procedures for passwords, defensive programming, etc. CIS, OWASP have a good set of ready to use policies. Use them since testing phase.|
|Ad-hoc||Ad-hoc protection measures are stronger or additional (multi-layers) procedures for specific solution parts, like FIPS, WAF, journaling, etc. Carefully check your design and requirements, remember that each layer adds an intrinsic threat: The complexity! the solution becomes bigger/complex/harder to understand and maintain. So, be careful.|
Apply different measures to the different components:
Start implementing hardening in the testing phase. It does not make a big difference if you invest a couple of hours engineering a robust template for your Docker files at the beginning. The big difference is if you must retrofit security in base assets like a container.
The Detect function enables timely discovery of cyber-security events.
Every time I mention Detect, the answer is: “At the moment we are focused onto develop and build the system, detect is planned in version two.” Wrong!
If you don’t add Detect since the start, you will miss all positive feedback in the development, like definition of useful log information necessary to efficiently monitor the application behavior. Having someone defining a set of information expected by the detection function will force developers and systems engineers to create the logging framework necessary for any components, check if the data (
messages) are normalized, and if they are useful for the final use cases. It is easier to implement changes during the development process (as example tuning an auditd policy) than add them after the first version is complete.
The Respond function supports the ability to contain the impact of a potential cyber-security incident. The Recover function supports timely recovery to normal operations to reduce the impact from a cyber-security incident.
The last two functions are mainly focused on procedures, so you can really start developing them in a second phase. But you must still have at least defined and tested a recovery strategy, to check if will basically integrates in the final system.
Below is a list of useful documents to read.
ENISA and NIST have very good documents for specific aspects, like firmware updates, refer to Cloud Security Alliance (CSA).
I would also recommend the ENISA Looking into the crystal ball – A report on emerging technologies and security challenges
If you have a complex system to secure, do not wait to implement the measures. Split the system and start applying security to the different parts as soon as possible, even if they will cause problems. Developer and systems engineer will start considering the security a necessary measure. In the long run the problems will be reduced and the security will be drastically increased.
We use NIST-CSF for different customers (banks, insurances, hotels, industry, small business) and different systems with good results (increase of the customer’s security and awareness). Take a look at them, go through all questions and try to give and answer. It is a good starting point.
Remember: Nothing is written on a stone! You can start writing something and, as long the structure is good, iterative correct or add pieces.
Our experts will get in contact with you!
Our experts will get in contact with you!
Further articles available here