Smart embedded systems and IoT technology can help you save time and money; personalize services; automate manual tasks; improve monitoring, tracking, and data collection; streamline communications, operations, and processes; and create new business opportunities and revenue streams. In order to enjoy these benefits, however, it is essential to secure your IoT networks and the embedded systems and devices they use.
In this two-part series, we first talk about challenges and vulnerabilities in embedded systems and IoT device security. Part II talks about how to safeguard your embedded systems and IoT devices.
Organizations use the Internet of Things (IoT) to gather data, understand their customers, improve response times, personalize products and services, improve efficiency, and automate systems to save time and money. However, these networks of devices are vulnerable to attack from many different angles. IT leaders and business decision-makers must understand the risks they face and how to overcome critical security vulnerabilities if they are to empower their organizations to enjoy the benefits of cutting-edge IoT deployments.
The Goals of Security (and the Cost of Failure)
The primary goals of IoT security include reducing business risk and ensuring that data confidentiality, integrity, and availability are maintained.
Maintaining confidentiality within an IoT solution means preventing any unauthorized access to devices, applications, and data. This requires that data sent, received, or stored on your network not be altered in any way. Finally, for availability, you must ensure that device communications are not disrupted and that your baseline service maintenance levels are met.
A failure to secure your networks and devices from unauthorized access, manipulation, or data loss can be costly and lead to:
- Costly disruptions and a loss of revenue from services going offline.
- The financial and regulatory implications of data theft.
- The costs of decommissioning breached devices and authorizing new ones after illicit or malicious activity are identified or caught.
- The loss of brand image after suffering an attack or failing to prevent data loss.
Now that we know what IoT and embedded device security is designed to do – and what can happen if we fail to secure our systems – we look at where attacks and vulnerabilities most commonly arise.
IoT and Embedded System Vulnerabilities
We can break IoT and embedded device security vulnerabilities into three broad categories. The first involves your network attack surface, which comprises every point between devices and your servers. The second involves your software attack surface, which includes all computer and device code running your network, inclusive of devices and servers. Finally, there is the physical attack surface, which includes any physical devices that hackers or malicious agents may attempt to physically compromise.
Consider the following list of IoT devices and applications, each of which has different characteristics and security considerations that must be kept in mind before deployment.
Web and mobile applications can run on open or closed platforms, and may be subject to a diverse range of policies that may or may not meet certain industry standards. These applications’ code could contain security weaknesses, which may be caused by a lack of penetration testing, or weak or inadequate user and/or third-party authentication.
Device communications can run on everything from 2G and 3G to 4G LTE, 5G LTE, DSL, fiber optic cables, LPWAN, WiFi, and Bluetooth. Your networks and devices should meet the industrial security standards and best practices that are recommended for your devices and the kinds of data they send and receive.
Cloud services can take the form of public, private, or hybrid deployments. Unsecured code, weak container orchestration, and inadequate policy management or enforcement can increase your attack surface.
Gateways and smart edge devices use a wide range of communications protocols and deal with time-sensitive data. Issues with policy management, poor hardware design, and update and patch management can lead to security breaches.
Data attacks on audio, video, financial, or location data can lead to serious data losses. User training, policy management, and getting data storage right are important considerations here.
Embedded IoT sensors have limited power and often have low bandwidth to increase battery lifetime. These constrained device capabilities, combined with possible design issues, can lead to software or firmware implementation issues as well as failure to install security updates or important vulnerability patches.
This list makes it clear that within the IoT and embedded device spaces, there is a great deal of diversity in terms of hardware, software, policy management, and data types – making it difficult to implement a one-size-fits-all solution for ensuring IoT and smart device security. Because every element of your IoT ecosystem will have its own security challenges, the best approach to security is to look at your system components individually and to tackle ecosystem security holistically. A simple approach is to take the three goals of security – confidentiality, integrity, and availability – and protecting your systems from attacks that can compromise any of those goals in any way. We outline actionable steps you can take towards greater device security in our next blog post.