Securing IoT Devices: The Challenges
Security Practitioners Debate Ways to Secure Connected Devices
With the rise in the number of connected devices, there's an increasing need to come up with standards for internet of things security. As a result, the government of India will soon come out with IoT regulations and security standards.
"The government of India has said that any device which needs to be put into the network will have to go through certification testing. The government is working on security standards for IoT devices as well as testing requirements," says Rishi Bhatnagar, chairman of the Institution of Engineering and Technology's IoT panel India & President, Aeris India.
The Supreme Court of India last year recognized the right to privacy as a fundamental right under the constitution; that includes the right to information privacy. The Supreme Court has also set up a committee to draft legislation on data protection. "As a result, any new law on privacy that gets enacted should recognize and accommodate the unique nature of IoT," Bhatnagar says.
The Department of Electronics and Information Technology, as well as the Ministry of Communication and Information Technology, have created a national expert committee that will develop IoT standards. They also will appoint a nodal organization for driving and formalizing globally acceptable standards relating to technology, process, interoperability and services, including:
- IoT standardization;
- Spectrum energy communication protocols standards;
- Standards for communication within and outside the cloud;
- International quality/integrity standards for data creation and data traceability;
- Standards for energy consumption;
- Device security and safety standards;
- Data privacy, accuracy and integrity standards.
So far, IoT security hasn't been dealt with in an organized way mainly because of the fragmentation of the IoT market.
Basic Security Lacking
The main concern about IoT today is the lack of implementation of basic security.
"It is not that IoT devices require a portfolio of esoteric security apparatus; it's that they often aren't implementing basic security that we built into the rest of the internet two decades ago," says David Holmes, principal threat researcher at F5 Networks. "Use of the ancient telnet protocol had almost completely disappeared until IoT devices brought it back. Telnet is unsafe, as it shows passwords in the clear transiting networks."
A movement called the Named Data Networking project aims to fix many of the basic security problems for IoT devices, Holmes notes. "NDN is backed by high-profile universities and tech companies, but it is experimental," he says.
The Right Approach
To ensure a secure IoT platform, the government must issue strict regulations, some security experts contend.
"Historically, regulations have always played the catch-up game with the progress made in the industry. But we can learn from the banking industry. ... Some sort of a standardized approach and guideline will help," says Vinod Kumar, CEO at Subex, a telecom analytics solutions provider.
Some security practitioners suggest that key IoT security steps include:
- Make people aware that there is a threat to security;
- Design a technical solution to reduce security vulnerabilities;
- Align the legal and regulatory frameworks;
- Develop a workforce with the skills to handle IoT security.
Furthermore, IoT needs unique privacy options enabling user anonymity and data protection to be flexibly tailored to the specific demands of each use case, privacy experts say.
"Interoperable and affordable security solutions which ensure protection against unauthorized access to endpoints, gateways, networks and cloud-based resources can safeguard the integrity and privacy of both data and communications," Bhatnagar says. "Some of the desired features of such solutions include IoT authentication, data encryption at the design level, threat detection from external attacks, analytics for baselining the IoT devices and identifying the behavioral deviations to help enterprises in timely detection of threats."
Blockchain technology might play a role in addressing the security gap that exists for IoT devices. (See: India to Initiate Blockchain Security Prototype)
"Trust in IoT data is established by enabling the five digital security primitives: availability, auditability, accountability, integrity and confidentiality," says Bhatnagar. "In blockchain, data is automatically stored in many locations and is always accessible to users. For auditability and accountability, a private, permission-based blockchain is used - where all users are authorized to access the network - and because all data stored on the blockchain is signed, each device is accountable for its actions. For integrity, blockchain is, at its core, a public ledger of data entries. Every deletion or correction of data is entered, and as the entries are confirmed by the network, a complete chain of events is created." (See: Using Blockchain for Securing IoT Devices)
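The integrity and accountability properties described in the quote above can be seen in miniature in a hash-chained log where each device signs its own entries. This is an added example, not code from the article or any project it mentions; the device names, keys and helper functions are constructed, HMAC with a per-device key stands in for the digital signatures a real ledger would use, and replication across nodes is not modelled.

```python
import hashlib
import hmac
import json

# Constructed per-device keys (assumption); a real ledger would use asymmetric signatures.
DEVICE_KEYS = {"sensor-1": b"k1-constructed", "sensor-2": b"k2-constructed"}
GENESIS = "0" * 64

def _body(entry):
    """Canonical bytes covered by the device signature."""
    fields = {k: entry[k] for k in ("device", "payload", "prev")}
    return json.dumps(fields, sort_keys=True).encode()

def append(ledger, device, payload):
    """Append an entry linked to the previous hash and signed by the device."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"device": device, "payload": payload, "prev": prev}
    data = _body(entry)
    entry["sig"] = hmac.new(DEVICE_KEYS[device], data, hashlib.sha256).hexdigest()
    entry["hash"] = hashlib.sha256(data + entry["sig"].encode()).hexdigest()
    ledger.append(entry)
    return entry

def verify(ledger):
    """Return the index of the first invalid entry, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        key = DEVICE_KEYS.get(e["device"])
        if key is None or e["prev"] != prev:
            return i  # unknown device, or link to history is broken
        data = _body(e)
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            return i  # content no longer matches what the device signed
        if hashlib.sha256(data + e["sig"].encode()).hexdigest() != e["hash"]:
            return i
        prev = e["hash"]
    return None

def build_sample():
    ledger = []
    append(ledger, "sensor-1", {"temp_c": 21.5})
    append(ledger, "sensor-2", {"door": "open"})
    # A correction is recorded as a new entry, not an overwrite of entry 0.
    append(ledger, "sensor-1", {"corrects": 0, "temp_c": 21.9})
    return ledger

if __name__ == "__main__":
    ledger = build_sample()
    print("intact:", verify(ledger))
    ledger[1]["payload"]["door"] = "closed"  # in-place edit of history
    print("first invalid entry:", verify(ledger))
```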
But implementing blockchain for IoT is in its infancy.
"IBM is one big player in the IoT/blockchain space," Holmes says. "And of course, there are a handful of startups working on marrying these two technologies. However, to my knowledge, beyond a proof of concept, there are no working IoT blockchains in large scale production."