A new report from the Cloud Security Alliance offers advice on how to secure IoT devices from inception
More than a year ago, an eye-opening RAND study on cybersecurity comprehensively explored just how vulnerable the Internet of Things (IoT) is and was going to be.
Afterthought-style patch-on-patch security, as well as significant vulnerability risks involved with slapping internet connectivity on previously non-connected objects, were among the startling findings and predictions in that report.
Since then, questions have arisen as to just how one should approach the security needs of the soon-to-be billions of networked, smart, cheap sensors expanding around the globe like popcorn.
There is a “need for IoT security,” affirms the Cloud Security Alliance (CSA) in its 80-page guidance released today.
Reasons: IoT can be used to initiate DDoS attacks, critical national infrastructure can become dependent on IoT, and cars are becoming connected. In addition, drones are “approaching mainstream status and being used as a platform for reconnaissance,” and IoT products in general can “compromise privacy.”
The CSA is a cloud security certification provider that promotes best security practices within the cloud. Its members include major cloud providers.
Build security into development
Starting with a secure development methodology is the key, the CSA suggests in its new IoT advice. That means developers must approach the security requirements and processes of the networked devices from the get-go.
And developers should care, the CSA says. Distributing IoT in physically exposed and insecure environments, as it often is, means security has to be implemented at more than just the communications level. Be aware that devices can be physically stolen, for example, and shared keys lifted.
Similar to what RAND found in 2015, the CSA says security is a completely new concept to many of the small manufacturers producing the devices. That may be one reason why cryptography has been poorly implemented in IoT.
“Security is not a business driver,” the cloud alliance says. A lack of standards and a problem finding IoT specialists who know about security exacerbate the problem.
The low price point for IoT devices, too, is problematic, the CSA says. It means it’s easy for hackers to acquire the products to study. Plus “resource constraints in embedded systems limit security options”—they don’t have enough processing power, for example.
Other than the aforementioned secure development methodology, new software guidance from the CSA suggests that one should evaluate programming languages and seek guidance for the security of those particular languages. And remember to check the app running on the smartphone.
Frameworks and platform security features should also be evaluated first.
In addition, privacy protections must be established, the CSA says. That includes collecting the minimum amount of data necessary. The CSA emphasizes that the hardware must have hardware-based security controls, too. That means stopping hackers from extracting data, say, from internal hardware components, which can be identified even when they are unmarked.
And that leads to the choice of network communication protocols, which have security implications. The data has to be protected. The CSA’s report includes a comprehensive rundown on the differing kinds of communication networks and how they play in the scheme of the IoT device’s security.
Add to the list that APIs must be protected from DDoS attack and that devices must be updated securely to thwart modification of firmware. Authorization has to be designed to avoid credential theft, and keys must be managed securely.
Take into account that logging mechanisms are important to see who is accessing devices. And finally, the CSA suggests running security reviews. The Open Web Application Security Project (OWASP) provides feedback and optimization tools for that, the CSA says.