The Device Chronicle discusses IoT edge security for constrained devices with cybersecurity experts Marc Barcelo and Aintzane Mosteiro, and Ikerlan’s edge expert Jacobo Fanjul.
This is the second in a series of articles with Ikerlan. Ikerlan is a major research and technology transfer agency working at the intersection of cloud and edge, and of industry and the public sector. It encounters IoT security challenges and has a framework, expertise and best practices in place to mitigate the risks.
The recent ransomware attack on the Colonial Pipeline in the United States highlights the need for a renewed and intense focus on the proper protection of enterprise networks and the IoT devices that are becoming an increasingly integral part of these networks.
The Ikerlan cybersecurity team works in two strands: in one, they validate hardware and software for embedded devices; in the other, they look at securing cloud platforms, IoT and edge computing devices, and even the human-machine interface. There is great collaboration between the two teams, and their expertise is of tremendous value to their public and private partners.
Threat vectors
Protecting against the threat vectors starts with safeguarding the physical security of the device. It goes without saying that the edge device is generally far more physically accessible than the server. The integrity of the device must be protected. DDoS attacks can drain the battery of devices that are energy constrained, and there can also be attacks on the software of the device. Proprietary software with vulnerabilities must be patched continuously.
There is also the wireless connectivity threat that must be addressed. The communication, in Marc’s opinion, must always be encrypted. A more recent threat vector is social engineering: attacks that come from phishing emails and other techniques that exploit social vulnerabilities. Jacobo adds that it is most important to think about the heterogeneity of hardware and software that will be found in a typical IoT-Edge-Cloud infrastructure. Jacobo says “It’s hard to keep track of the different hardware and OSs coexisting across a given system while providing continuous support and protection.”
In industry, Aintzane adds, there is an added problem. “While the communications channels may be secure, the information itself may be vulnerable and if the hackers get access to the database, they will be able to get access to all sensitive information such as control system flow or the data the company is using to train the machine learning models.” This is a serious and often overlooked threat to safeguard against.
Best advice for edge device protection
At the edge or IoT level, it is harder to run the same level of protection that you could perform on cloud applications and infrastructure. This is due to the constrained nature of the device. Marc offers the following advice for protecting devices.
- Do not use default configurations and credentials
- Do not make your devices publicly available if it is not strictly necessary; keep them behind a firewall, following the rule that the less information is exposed, the harder the device is to attack
- Provide a mechanism to easily update the software over-the-air, because there will be vulnerabilities in the devices
- The IoT project manager should also ensure that device manufacturers are providing patches in a timely manner. Marc says “The device manufacturer should at least keep the software updated within its lifetime. They should assure periodic updates – within a range of at least 5 times a year to once a month.”
Use vulnerability discovery mechanisms
Vulnerability discovery mechanisms can also be set up by the user to help detect vulnerabilities, so that the user can then contact the device manufacturer for a patch. The CVE list is a good source for this. It is best to use software that automates this based on rules that are suitable to the devices in the environment. Ikerlan uses Wazuh and OpenSCAP in combination to perform continuous checking, and everything is reported in a single reporting pane. Using these checks saves on manual checks of the software on the device.
Importance of OTA software updates in IoT security
OTA software updates and IoT security go hand in hand. The Ikerlan team agree that you need a very robust system for OTA, as the device may have only partial connectivity. You also need to be able to provide incremental updates under limited connectivity. Using a secure channel for updates, with everything signed and encrypted, is key. Moreover, with 5G and narrowband IoT, the importance of incremental updates will grow in machine-to-machine communications, where the focus is on low throughput and devices are in sleep mode most of the time. There are dedicated specifications for constrained devices such as Narrowband IoT and LTE-M, and this continues in 5G technology.
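The device-side checks described above, sketched as an added example that is not Ikerlan's code: an authenticated manifest of per-chunk hashes lets a device with partial connectivity resume a transfer and reject corrupted or tampered chunks. All names are hypothetical, the HMAC tag is a standard-library stand-in for an asymmetric signature, and the encrypted channel is assumed to be provided by the transport.

```python
import hashlib, hmac, json

CHUNK = 16  # constructed, tiny chunk size so the sample stays readable

def manifest_tag(body, key):  # stand-in for a real signature (assumption): HMAC-SHA256
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_manifest(image: bytes, version: int, key: bytes) -> dict:
    # Server side: hash every chunk, then authenticate the whole manifest.
    chunks = [hashlib.sha256(image[i:i + CHUNK]).hexdigest()
              for i in range(0, len(image), CHUNK)]
    body = {"version": version, "size": len(image), "chunks": chunks}
    return {"body": body, "tag": manifest_tag(body, key)}

class Updater:
    """Device side: keeps verified chunks across connectivity drops."""
    def __init__(self, manifest: dict, key: bytes):
        if not hmac.compare_digest(manifest_tag(manifest["body"], key), manifest["tag"]):
            raise ValueError("manifest authentication failed")
        self.hashes = manifest["body"]["chunks"]
        self.done = {}  # chunk index -> verified bytes (a staging partition in practice)

    def missing(self) -> list:
        return [i for i in range(len(self.hashes)) if i not in self.done]

    def receive(self, index: int, data: bytes) -> bool:
        # A corrupted or tampered chunk is dropped, stays in missing(), and is re-requested.
        ok = 0 <= index < len(self.hashes) and hmac.compare_digest(
            hashlib.sha256(data).hexdigest(), self.hashes[index])
        if ok:
            self.done[index] = data
        return ok

    def image(self) -> bytes:
        if self.missing():
            raise RuntimeError("update incomplete, refusing to install")
        return b"".join(self.done[i] for i in range(len(self.hashes)))

def demo():
    key = b"constructed-demo-key"
    new_image = b"firmware v2 payload, constructed sample bytes" * 2
    up = Updater(build_manifest(new_image, 2, key), key)
    # Session 1: the link drops after two chunks, one of which arrives corrupted.
    up.receive(0, new_image[:CHUNK])
    up.receive(1, b"X" * CHUNK)
    still_needed = up.missing()
    # Session 2: the device wakes up and requests only what is still missing.
    for i in still_needed:
        up.receive(i, new_image[i * CHUNK:(i + 1) * CHUNK])
    return still_needed, up.image() == new_image
```
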
Don’t be complacent about your IoT security
The cybersecurity threats are real and organisations must resist becoming complacent about them. The famous ransomware attack on Telefónica in 2017 is a case in point. “They had a leading cybersecurity team. They were still attacked and breached. This demonstrates that all organisations are at risk regardless of size and level of security sophistication.”
In the end, the message is: don’t be complacent, ensure that software is continuously updated and always have a backup plan. Think about how you will respond to an attack. How will you protect your organisation’s data? Check out the Triangle of Trust to gain more insights into IoT device security best practices.
We wish Marc, Aintzane and Jacobo, and their colleagues at Ikerlan well as they continue to work to protect edge devices from vulnerabilities and intrusive attacks.