Curated by Vinay Prabhakar Minj
IoT solutions providers should always start to implement IoT threat modelling from the architecture phase. Based on that, one can change architectures and designs and then move on with the technology.
There are two aspects of security in the IoT industry: one is cybersecurity, and the other is IoT security, which is specific to IoT solutions. However, IoT security cannot be fully implemented without leveraging technology from cybersecurity.
A lot of people are developing IoT solutions, but they consider security only in terms of threats or vulnerabilities that surface after the product is deployed in the field. This should be avoided. From the get-go, everybody should start thinking about security, work out the mitigations on that basis, and only then do the architecture and design.
IoT and cyber security
IoT is pretty simple to understand. There is a sensor and a service zone/user. This service zone is divided into the device zone (nodes), field gateway zone (also called communication hub, it is a concentrator which collects data from the sensor and provides it to the Cloud) and the Cloud gateway zone (servers).
So, the sensors send data to the node and the Cloud gateway zones, which the user monitors. Based on that, the user sends control commands, to which the sensor responds.
When we look at the above process with respect to security, there are a few challenges in the IoT and the cyber world:
- Lack of skills: A lot of organisations don’t have the capability for vulnerability identification, especially in the mid-scale industries.
- Lack of budget: Non-availability of a threat intelligence program. People usually think of security after the attack has taken place.
- Lack of agility: Absence of a security operations centre (SOC) from which decisions can be made based on the threats received and acted upon to resolve them.
- Multiplication of cyber threats: No information security strategy. Inability to add a defence mechanism to counter hackers in a proper way.
- Secure communication: Since a lot of devices are interconnected with each other, security should be implemented on an end-to-end basis. Security should not just be at the Cloud level.
- Ensure high availability: With more and more devices being connected, the availability of data has become even more demanding.
- Data privacy and integrity: A lot of information such as credentials, certificates, sensor log data is stored in a device. This calls for a high level of security to prevent any tampering or disclosure threat.
- Growing attacking power of cyber criminals: Inability to detect a sophisticated attack.
- Disappearing perimeter: Having no real-time insight into cyber risks. This means you get the notification/information after the attack has happened. There are very few tools that analyse attacker patterns and alert you to possible attacks.
A lot of things can be done to mitigate risks in IoT devices. For example, by modifying the architectures of the old technology at design time, vulnerabilities can be detected at an early stage.
IoT Vulnerability Research
While a lot of implementations have been done for cybersecurity, leveraging them step by step for IoT security is going to be the next challenge for IoT programmers.
As per the HPN research:
- 22 percent of the devices collect at least one piece of personal information whether it is a mobile app or a physical device.
- 19 percent of the solutions failed to require a sufficiently complex certificate model.
- 17 percent of devices used unencrypted network services. Simply connecting over TCP does not ensure security, and IoT should not work that way.
- 14 percent of solutions can be misused by attackers to exploit an account enumeration vulnerability. This means hackers can steal your password and other credentials from your user account.
- 14 percent of devices with vulnerable accounts do not have secure memory storage and strong credentials.
- Each device consists of 13 percent of security vulnerabilities.
Despite this rising number of vulnerabilities, many companies are not concerned about IoT security and believe that there is nothing of value to an attacker.
A “scattering” or different thinking in terms of providing end-to-end security is creating huge chaos in its implementation. Meanwhile, 63 percent of enterprise executives expect that they will be forced to adopt IoT security.
New Way of Looking at IoT Security
We need to look at security from both the cyber and the IoT security perspectives.
The general IoT security strategy will include:
- IT security: A set of cybersecurity strategies that prevents unauthorised access to organisational assets.
- OT security: Focussing on securing industrial control and automation systems by direct monitoring and/or control of physical devices, processes and events in the enterprise.
- Physical security of IoT device: Protecting important data and confidential information.
- International cooperation: Third party companies or alliances to help and evaluate the need for IoT security with respect to overall security.
IT security and OT security are very similar to cyber security, where you can control, monitor and secure your entire infrastructure. But when it comes to the physical security of the IoT device, you need to have some methodologies or standards.
These security standards can be implemented and maintained by the international corporations where experts can come together and define certain things that are acceptable both to the IoT security challenges as well as to the cybersecurity challenges.
A few companies and manufacturers are working in this direction to create complete end-to-end security solutions, where users would only need to worry about the application development and not about securing their data.
High level threat modelling
An IoT solution is not generic; it is complicated. The IoT solution that works for smart home automation cannot be applied to the retail sector.
Moreover, IoT security is defined and viewed by major IT security providers as an inflection of IT.
As per the Gartner report, “IT security products and services play a major role in the IoT security. But the use of IoT devices in engineering and physical environments like manufacturing, transportation and utilities provide another context of providing IoT security which is accurate but incomplete.”
Given these scenarios, threat modelling is going to be more valuable than ever. So, in a nutshell, a combination of IoT device threat analysis and cyber security will play a major role and help achieve good results.
Microsoft came up with threat modelling a couple of years ago for their different products. Now, they have made it public so that IoT solutions providers can also use this technique.
Threat modelling answers some of the challenging questions such as:
- What are the most vulnerable attributes/assets of your IoT solutions?
- What are the threats to your device as per end applications?
- How severe are the threats?
- What are your countermeasures?
- What are your security requirements?
The threat modelling process involves:
- Enumerate threats: Based on each zone (device zone, gateway zone and the Cloud zone), you enumerate the threats and list them.
- Mitigate threats: After the above process, define how you are going to mitigate those threats.
- Validate the mitigations
- Model the application
The process is simple; one just needs to follow these steps:
- Create a diagram from the architecture design.
- Understand the overall system and the entry points of the threats.
- List the mitigation points.
- Repeat the above steps for all modules or components of the system where any exchange of data, keys or storage is happening.
One may also make slight changes in this process as per the need.
To do the threat analysis, there are five major core elements:
- Process: Which includes web services and complex entities like sensors and gateways.
- Data stores: Any place where data is stored, such as configuration file or database inside Cloud, gateways or sensors.
- Data flow between other elements in the application.
- BYOD malware: A steep rise in malicious apps will threaten all mobile device users and their data as the entry barriers to app development will come down.
- External entities: Anything that interacts with the system but is not under control of the application.
Threat modelling does not guarantee that the product will have no vulnerabilities when deployed, but it can help you prevent 80 percent of vulnerabilities from the get-go. When a vulnerability does arise, you can apply the security patch at the high level and prevent it from the gateway or cloud, without needing to touch the device.
STRIDE Threat Model
This model consists of:
- Spoofing identity: Refers to illegal access and use of another user’s authentication information.
- Tampering with data: Malicious modifications and unauthorised changes.
- Repudiation: Refers to denying performing any malicious action.
- Information disclosure: Exposure of information to individuals who are not supposed to access it.
- Denial of service: Refers to denying services to a valid user thus causing a threat to the system’s availability and reliability.
- Elevation of privilege: Unprivileged user gains privileged access to compromise the system and effectively penetrate to become a part of the system.
There are many ways to counter these threats. These include:
- Do nothing
- Turn off or remove the feature (if it is of no use)
- Counter the threat with technology (change the architecture and implementation)
- Also, counter the threat with other methods (Trust zone, Blockchain, Encryption, Cryptography and so on)
While adopting these countermeasures, the technology part should come last. At the very beginning you need to counter the threat by changing the architecture and implementation. And before all these, you need to apply threat modelling on your IoT security.
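The enumerate-and-mitigate steps above, applied with STRIDE across the device, field gateway and Cloud gateway zones, as an added example that is not part of the original speech. The STRIDE-per-element chart is the one commonly used with Microsoft-style threat modelling; the element names and countermeasures in the sample model are constructed for illustration.

```python
from dataclasses import dataclass, field

# STRIDE-per-element chart commonly used with Microsoft-style threat modelling.
# Repudiation on a data store applies only when the store holds logs, so it is left out here.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}
NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
         "I": "Information disclosure", "D": "Denial of service",
         "E": "Elevation of privilege"}

@dataclass
class Element:
    name: str
    kind: str   # one of the APPLICABLE keys
    zone: str   # "device", "field_gateway", "cloud_gateway" or "external"
    mitigations: dict = field(default_factory=dict)  # STRIDE letter -> countermeasure

def enumerate_threats(model):
    """Enumerate: every applicable STRIDE threat per element, tagged with its zone."""
    rows = []
    for el in model:
        for letter in APPLICABLE[el.kind]:
            rows.append((el.zone, el.name, NAMES[letter], el.mitigations.get(letter)))
    return rows

def unmitigated(model):
    """Mitigate/validate: threats with no recorded countermeasure still need a decision."""
    return [(z, n, t) for z, n, t, fix in enumerate_threats(model) if fix is None]

# Constructed sample model (assumption): one sensor node, its gateway link,
# a Cloud-side configuration store and an external mobile user.
MODEL = [
    Element("sensor firmware", "process", "device",
            {"S": "per-device certificate", "T": "signed firmware",
             "E": "no debug shell in production"}),
    Element("node -> gateway link", "data_flow", "field_gateway",
            {"T": "authenticated encryption", "I": "authenticated encryption"}),
    Element("device config store", "data_store", "cloud_gateway",
            {"T": "access control list", "I": "encryption at rest", "D": "replicated storage"}),
    Element("mobile app user", "external_entity", "external", {"S": "multi-factor login"}),
]

if __name__ == "__main__":
    for zone, name, threat in unmitigated(MODEL):
        print(f"[{zone}] {name}: {threat} has no countermeasure recorded")
```

Running it lists the gaps that still need one of the countermeasure choices above, including a recorded decision to do nothing.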
So, IoT solutions providers should always start to implement IoT threat modelling from the architecture phase. Based on that, they can change architectures and designs and then move on with the technology.
Also, if you change the network key every 24 hours with respect to the encryption key inside your device, you can recover within 24 hours in case anyone hacks your device.
About the Author
The article is an extract from a speech presented by Tejas Vaghela, General Manager/ Director, System Level Solutions Pvt Ltd, at IEW/IOTSHOW.IN 2019.