CO-AUTHORED BY SARAN GOVINDARAJAN
Many of the topics we have addressed in our cybersecurity posts apply to a wide range of IT deployments. There are two main considerations that apply especially for Industrial IoT applications, from Smart Connected Products to Smart Cities. First, as the number of devices involved in a deployment scale and the volume of data grows exponentially, the requirements to maintain security in IoT grow as well. Second, especially when utilizing a Buy and Build approach, you are reliant on somebody else to provide the security capabilities, from the asset to the Device Management platform through to the analytics application. Given this dependence upon other organizations for end-to-end security, what can you do as an individual or an organization to help ensure you are getting the best possible security while at the same time being able to meet your business requirements?
- Be aware of the security capability of the devices you use. Over time you will end up with a mixture of old and new, so understanding if and how your devices can be updated is absolutely key. Ultimately your ability to manage the vulnerability of your devices and therefore the IoT solution is dependent on being able to update the device software and/or firmware remotely. The remote aspect of the update is where IoT really shines and can transform your ability to provide a secure and scalable solution.
- Another aspect of device security to check is whether the IoT platform needs your devices to have open ports. What do we mean by this? Clearly you need to have an open port to communicate with the IoT platform; however, a secure approach to this problem is for the device software communicating to the IoT platform to always initiate the communication over an ephemeral port. This removes the ability for a bad actor to discover the device which in turn would enable them to attack the device(s) and thus your IoT solution.
- What is the granularity of the security capabilities provided by your IoT platform? While it may seem an excellent idea to be able to have everything at the device level, this is not scalable in reality. At the other end of the spectrum, only being able to configure security at the platform level also limits you. It is therefore, like most things in software engineering, a compromise between granularity and being able to manage millions of devices sensibly. The key thing is to decide what works for you.
- Does your organisation have an Identity Access Manager (IAM)? Most large organisations do; indeed, they may well have a Public Key Infrastructure (PKI) as well. If you are not the person/organization responsible for these areas, you should reach out to the owning department to collaborate on how you can use both these areas to your advantage. This will not only save you a great deal of time figuring out how to manage your users and devices but also ensure that your IoT solution complies with your corporate standards. Of course, you need to check that your IoT platform provides integration with these areas.
- Standards – there are a number of high-level standards that govern how the IoT platform is run such as IOS27001, 17,18 and SOC2. Then there are market vertical specific standards such as HIPAA. It is highly unlikely you will find a platform that provides all the standards you need, so look for a platform that will allow you to gain the compliance you need.
- All IoT platforms will allow you to extend and enhance the user interface so you can provide your own value-add for your users. This is where your responsibilities come in. Irrespective of whether you use a web interface or are able to deploy your own microservices you need to ensure that the APIs are used appropriately and that you do not ‘get clever’ and try to bend the API to your specific needs. While this might give you short term benefits, it may have unintended results, such as privilege escalation. You can say it is the responsibility of the platform to stop you doing this, it is, in reality, your responsibility to not do something that is unsecure in the first place.
In conclusion, make sure your platform provides the ability to address these areas but do not lose sight of the fact that ensuring the security of your solution is your responsibility.