What’s the Right Way to Secure IoT Devices?

It’s a constant whirlwind of activity when it comes to addressing the security and privacy of connected devices. Deliberate hacks and compromises surface daily, with open connections, WiFi and router maladies attracting new malicious activity. Expect that velocity of system compromise to only increase when billions of integrated products communicate as the Internet of Things (IoT) takes hold and proliferates across infrastructure, Smart Cities and everyday life.

Because of the high profile of many recent attacks, cybersecurity has become a nascent ground for regulations, standards, rules and laws—with a host of different entities vying to find the best solution to protect consumers and businesses, including the government and critical infrastructure, using IoT devices.

Lawmakers Stepping In to Address Cyber Attacks

But what are the proper ‘fixes’ for this uncharted territory that’s evolving by the minute? What’s the right (most successful) way for lawmakers to understand and handle this? And what are the risks of those regulations that go too far—or not far enough?

As we delve more deeply into the IoT and scenarios where network connectivity and computing capability extend to objects, sensors and everyday items that are now mini-computers, the fact of the matter is that “poorly secured IoT devices and services can serve as entry points for cyber-attacks, compromising sensitive data and threatening the safety of individual users,” according to the Internet Society.

This fact has not been lost on government and watchdog groups as they each strategize what they feel is the most comprehensive remedy.

Here’s a sampling of some of the current activity aimed at addressing security and privacy for IoT devices:

  • Proposed legislation in the Illinois House (HB 4747) is directed at helping consumers have more repair options for electronic products. But in reality, this legislation actually threatens to undermine the benefits of IoT by unknowingly providing hackers with backdoors or direct access into nearly every type of internet-connected product. Eighteen states across the country have introduced similar bills and those legislatures that have researched the topic adequately have now abandoned their efforts because of security, privacy and other concerns. The reason is that HB 4747 would force technology manufacturers to provide sensitive technical information and detailed repair diagnostics about products so that virtually anyone could repair them. It affects thousands of products ranging from smart home devices, computers, video game platforms and smartphones, among others.
  • At the 2017 RSA Conference a panel of experts agreed governments have an obligation to quickly improve the cyber safety of the millions of industrial and consumer IoT devices being sold, although they differed on how to do it.
  • In the absence of regulations, the Online Trust Alliance, now part of the Internet Society, has published an IoT Trust Framework for manufacturers to voluntarily follow.
  • The British Standards Institution (BSI) launched a new kitemark for IoT devices designed to help consumers make more informed decisions about trustworthy devices and services. The launch came shortly after the government proposed the introduction of a wide-ranging review of IoT security conducted by the National Cyber Security Centre (NCSC). In its Security by Design report, the government laid out plans to make the industry embed security in the design process, rather than including it as an afterthought, and to establish a code of practice to improve the security of consumer IoT devices and services. Prior to being awarded the kitemark, device manufacturers will be assessed against the ISO 9001 standard, with products required to pass an assessment of both functionality and interoperability, alongside penetration testing to scan for vulnerabilities.
  • The U.S. Consumer Product Safety Commission (CPSC) issued a Public Notice and hearing in May 2018 designed to receive information from interested parties about potential safety issues and hazards associated with Internet-connected consumer products.
  • A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against IoT Botnets states that products should be secured during all stages of the lifecycle, and suggests that enterprises migrate to network architectures that facilitate detection, disruption, and mitigation of automated, distributed threats.

Assessing the Current Landscape

The current trend we’re seeing at SecuriThings (confirmed by some of the ongoing legislative action) is greater security at the device level, such as in manufacturing and repair. However, this is not sufficient, as even the best devices can be hacked into if not properly installed or configured. It’s also not feasible: a secured device will be costly to develop and will slow the adoption of IoT services and processes. The trend to greater security at the device level also drives responsibility away from the only entity that can do something about it: the IoT service providers.

So just what should those providers do? Here’s what SecuriThings recommends:

Proper assessment: The Information Commissioner’s Office (ICO) recommends that organizations carry out a data protection impact assessment (DPIA) to assess the extent to which monitoring is required, where it is required and at what times.

Adopt cloud-based solutions: The migration of video management and storage systems to the cloud facilitates compliance and contributes to the overall security posture.

Deploy appropriate IT security solutions: Establish database encryption, access control, cloud access control, network traffic analysis and other targeted strategies to safeguard IT data, prevent unauthorized access and quickly identify breaches.

Deploy IoT security solutions: Ascertain encryption, authentication and real-time monitoring of the devices and users to ensure that data is accessible only to those who need it and that the devices themselves have been hardened against hacking, and establish safeguards so cyber-attacks can be detected and mitigated in real time.

Summary

Our solution—seamlessly deploying a software agent post-manufacturing and monitoring the deployment in real time—is much more cost-effective and scalable. Our guiding philosophy is to provide cybersecurity to connected devices initially and ongoing—addressing new threats before they evolve and become a serious malady to your customer’s network. SecuriThings’ real-time behavioral analytics identify and mitigate threats for IoT devices, surveillance and every network-connected solution. Contact us today to find out more.


2018-10-23T09:31:42+00:00 June 7th, 2018

