Data Security Needs to be Maintained at Each Layer of IoT System


Suhas Desai, Vice President – Digital Security, Aujas Networks, in conversation with Rahul Neel Mani, Editor, dynamicCIO.com, talks about the various aspects of the IoT ecosystem and the associated security risks. He also provides a perspective on framework standardization and the evolving cybersecurity landscape in the context of IoT.

 

Q. While IoT opens a whole new world of opportunities, it has also raised the business risks significantly. The IoT devices are more accessible to malicious threat actors and significantly expand the attack surface. What are some of the key trends you are witnessing?

Multiple surfaces are involved in the IoT ecosystem. It mainly involves the following – IoT device, Cloud, Mobile Application, Network Interfaces, API & IoT Platforms. Attackers are targeting these surface areas to gain unauthorized access to the devices and the sensitive data. This may also lead to many challenges – privacy issues, fraudulent transactions, abusive navigations and misuse of connected devices/IoT/API Platforms. Here are some key trends in the IoT ecosystem and the associated security risks to its surfaces:

- Insecure web interfaces for IoT Platforms

You might be aware of the recent incidents related to compromise of the IoT platforms’ web interface, leading to privacy issues. This was due to insecure implementation and configuration of the platform web interface. Attackers targeted these IoT platforms through SQL injection, XSS, CSRF and other web security attacks.

- Insecure IoT devices and network interfaces

Security flaws in connected cars and smart home appliances have got huge media attention in recent times. The ‘Lock-pick’ malware app eavesdropped on the postal code and sent it to the hacker through messaging. These types of attacks are increasing on the IoT devices and their network interfaces where attackers are eavesdropping on the data and stealing it.

- Communication Channel Security

Insecure message transmissions over various communication channels lead to privacy issues and may also lead to fraudulent transactions. Various communication channels like Bluetooth, NFC, Wi-Fi, Tags, Zigbee, Ethernet and their secure connections need to ensure message integrity and use suitable encryption.

- Insecure Cloud ecosystem

Insecure cloud interfaces connecting to IoT devices and their platforms are the new targets to get sensitive customer data. The Cloud APIs, cloud platform and interface security configurations, and improper data security controls lead to non-compliance and privacy issues.

- Insecure mobile and IoT device applications

Insecure mobile and IoT device applications are another popular surface area that attackers are targeting to steal sensitive data and tamper with or manipulate messages to perform fraudulent transactions. Issues related to device theft/loss and insecure local data storage have been another big concern for the users.

- Insecure API management

Insecure API management directly impacts the monetization mechanism of the API economy. Many API management platforms have built-in security. However, security flaws during the integration with the IoT platform (and/or cloud systems) could expose sensitive data.

 

Q. Most of the popular companies in the IoT devices space are start-ups, which probably cannot bear the cost of a large team of security experts and white hats to ensure secure deployments. What could be a way out of this problem?

Most of the IoT device makers are new entrants in the ecosystem, but they are really doing an excellent job in terms of innovation and quality of the devices. However, security of the devices is (and should be) a concern for everybody. Cost optimization on hardware and software components is great. However, recent security incidents involving consumers as well as the service provider systems should ring the alarm bells. It is high time we look at security as a top priority.

With a limited security budget, they can opt for offering models to assess the devices on a sampling basis and perform a security review on the end-to-end life cycle for at least one client use-case. This will give them an overview of the types of vulnerabilities and how to mitigate them. This will also reduce the attack vector while saving cost.

 

Q. Commodity pricing places an enormous strain on security engineering and maintenance of IoT devices. Many of these IoT devices are by-design inexpensive to manufacture, which means companies are less likely to spend more dollars on securing them. If this continues, what could be its likely impact on cybersecurity?

This is true. Today, very few companies are serious about securing their devices and making investments into security engineering. But, given the fact that this industry has caught the attention of cyber criminals, service providers would be forced to change.

Moreover, in digital transformation, IoT is playing a vital role and businesses are opting for this change in order to provide a better customer experience. However, lack of security is a huge risk to the business models and brand reputation, because at the end of the day it is your customer’s data and privacy. The same good customer experience can flip overnight to a horrible one if there is a security breach. There can also be regulatory penalties due to non-compliance, etc.

 

Q. ISO has a working group assessing how the ISO 27000 family of security standards might be adapted to address IoT security needs. Also, the IEEE Standards Association is working on an architectural framework that is expected to address IoT security, privacy and safety issues. What importance do you assign to the standards in addressing the security challenges facing the IoT industry?

ISO, IEEE Standards Association, ITU, Internet of Things Consortium and a few other working groups are working towards framework standardization. Currently there are no defined standards for the IoT components. It has application, device and network layers and needs to define standards for protocols, application layer, device layer and network layer components. Regulatory and compliance standards for the platform, device and application providers are the other important aspect that needs to be considered in standardizing the internet of things w.r.t. security. Today, there is no uniformity in the application protocols and their usage at the consumer level. End user application provider and consumer usage also need to be standardized.

 

Q. In the future, how do you see the cybersecurity landscape evolving, especially in the context of IoT?

The IoT security landscape is growing rapidly and its adoption has significantly increased in recent years. Wide acceptance of the connected things is getting the attention of hackers looking to gain unauthorized access to the devices and IoT systems. Each layer in the IoT system has a play and customer data security needs to be maintained at all these layers. There is a huge potential for cyber security teams to help secure this space. These are exciting times securing the ecosystem across the full spectrum of Device, API, IoT platform, Cloud and Mobile Applications.


About Author


Rahul Neel Mani

Rahul Neel Mani is the Co-founder and Editor of Grey Head Media. Rahul has nearly 20 years of experience in ...
