Security in IoT: Comprehensive Defense Strategy

Original author: Yuri Diogenes
To provide the right level of security for the IoT infrastructure, a comprehensive protection strategy is needed. Such a strategy covers data protection in the cloud, data integrity protection during transmission over the Internet, and the secure production of devices.

The article provides a classification of specialists throughout the IoT infrastructure security chain and recommendations for each of them.

Series of articles “Security in IoT”

1. Azure IoT Suite for those who start from scratch.
2. A comprehensive protection strategy.
3. Security system architecture.
4. Securing Azure IoT Deployment.

Securing IoT Infrastructure: Classification of Professionals

Various specialists in the field of production, development and deployment of IoT devices and infrastructure can be involved in the development and implementation of a comprehensive protection strategy.

Manufacturer / integrator of IoT equipment. These are typically manufacturers of the IoT equipment being deployed, integrators who assemble equipment from different manufacturers, or suppliers of equipment for deploying third-party IoT infrastructure.

IoT Solution Developer. An IoT solution is usually developed by the solution developer. This may be the company's own specialist or a system integrator specializing in this area. An IoT solution developer can develop various solution components from scratch, integrate standard or open source components, and implement preconfigured solutions with only minor changes.

IoT Deployment Specialist. When the IoT solution development phase is complete, the solution must be deployed on site. This process involves deploying the equipment, connecting the devices to each other, and deploying the solution on the hardware platforms or in the cloud environment.

IoT Solution Operator. After deployment, the IoT solution moves to the long-term operation phase, in which it is monitored, updated and maintained. These tasks can be performed by the company's own staff, including specialists from the IT department and the equipment operation and maintenance department, as well as dedicated specialists who monitor the behavior of the IoT infrastructure as a whole.

Next, we’ll talk about recommendations for these professionals to develop, deploy, and operate a secure IoT infrastructure.

Manufacturer / Integrator of IoT Equipment

Recommendations for manufacturers and integrators of IoT equipment.

Compliance of equipment with minimum requirements. The hardware design should include only the components and functions that are necessary for the equipment to operate. For example, USB ports should be provided only if they are needed to operate the equipment. Additional components of this kind may expose the device to unwanted attacks that must be prevented.

Protecting equipment from unlawful modification. Build in mechanisms for detecting unauthorized physical changes (for example, opening the device or removing part of the device). Signals of such changes can be transmitted to the cloud along with the data stream, where they alert operators to these events.

Building infrastructure using secure equipment. If the price allows, you should provide security features (for example, secure and encrypted storage, or boot functionality based on a Trusted Platform Module). All of these features enhance device security and help protect the entire IoT infrastructure.

Protection during update. At one stage or another of the device's life cycle, the firmware will need to be updated. Secure methods for installing updates and cryptographic verification of firmware versions, built in as early as the device assembly stage, protect the device during and after the update.
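The device-side check described under "Protection during update", as an added example that is not code from the original article or from Microsoft. It assumes a manifest of version plus image digest and a verification key placed in secure storage at assembly; HMAC-SHA256 stands in for the asymmetric signature a production design would normally use, and all names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): stands in for a verification key placed
# in secure storage at device assembly. With a real asymmetric signature the
# device would hold only the public key and could not create valid releases.
DEVICE_UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest, key):
    """Vendor side: MAC over the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_release(image, version, key):
    """Vendor side: bind the firmware version to the digest of the image."""
    manifest = {"version": list(version),
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(image, manifest, tag, installed_version, key):
    """Device side: return 'accept' or the reason the update is refused."""
    expected = sign_manifest(manifest, key)
    # Authenticate the manifest first, in constant time, before trusting
    # any field inside it.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "reject: manifest authentication failed"
    # The image must be exactly the one the vendor described.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return "reject: image digest mismatch"
    # An authentic but older release is refused, so a known-vulnerable
    # firmware version cannot be reinstalled.
    if tuple(manifest["version"]) <= tuple(installed_version):
        return "reject: version rollback"
    return "accept"
```

The order of the checks matters: the version and digest fields are only read after the manifest itself has been authenticated.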

IoT Solution Developer

Recommendations for developers of the IoT solution.

Application of secure application development techniques. Developing secure applications requires an integrated approach to security at all stages, from the project concept to implementation, testing and deployment. The choice of platform, language and tools is made in accordance with this methodology. The Microsoft Security Development Lifecycle (SDL) provides step-by-step guidance on creating secure software.

A smart approach to choosing open source software. Open source software enables you to quickly develop solutions. When choosing open source software, it is recommended to take into account the level of activity in the community around each software component being evaluated. If the community is active, it means that the software is properly supported and that problems are quickly detected and fixed. Low activity in the community, on the contrary, may indicate that the software is not supported and that problems are not detected in a timely manner.

Precautions in integrating with third-party libraries and APIs. Libraries and APIs may contain vulnerabilities that could affect the security of the software as a whole. To ensure the security of the entire solution, check all integrated interfaces and components for vulnerabilities.

IoT Deployment Specialist

Recommendations for IoT Deployment Specialists.

Secure hardware deployment. Deploying an IoT infrastructure may involve deploying equipment in insecure locations (e.g., public or uncontrolled). In such cases, you need to make sure that this equipment is protected as much as possible from unauthorized changes. If the equipment has USB ports or any other ports, they must be given reliable physical protection. Attackers often use them as an entry point for attacks.

Securely Store Authentication Keys. During the deployment process, each device is assigned an identifier and associated authentication keys created by the cloud service. Such keys must be stored in a physically secure location even after deployment is complete. Malicious devices can use compromised keys to impersonate an existing legitimate device.

IoT Solution Operator

Recommendations for IoT solution operators.

Constant updating of the system. Make sure that the latest operating system and drivers are installed on the devices. In Windows 10 (IoT or other SKUs), you can enable automatic installation of updates.

Protection against malicious actions. If the operating system supports this feature, it is recommended that you install the latest version of anti-virus and malware protection software for all device operating systems. This will significantly reduce the risk of external attacks. Proper security measures help protect most modern operating systems from various threats.

Regular audit. Auditing IoT infrastructure for security issues is critical to responding effectively to incidents. Most operating systems have built-in logging features. It is recommended that you regularly check the logs to identify security holes in a timely manner. Audit data can be sent to the cloud service for analysis as a separate telemetry data stream.

Physical Protection of IoT Infrastructure. The most serious attacks on the IoT infrastructure are carried out through physical access to the device. To ensure security, it is important to reliably protect USB ports and other physical access elements from unauthorized use. One of the most effective ways to detect security holes is to log physical access (for example, use of a USB port). Windows 10 (IoT and other SKUs) provides detailed logging of such events.
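One way to review logged physical-access events and forward the findings as a separate audit stream, as an added example that is not part of the original article. The log records, their field names, the allowlist and the "security-audit" stream name are constructed assumptions; event ID 6416 is the Windows Security-log event "A new external device was recognized by the system".

```python
import json

# Constructed sample: audit records already exported as JSON lines.
# Field names are assumptions made for this example.
SAMPLE_LOG = """\
{"time":"2017-03-01T08:00:12Z","host":"gw-01","event_id":6416,"hw_id":"VID_0403&PID_6001"}
{"time":"2017-03-01T08:05:40Z","host":"gw-01","event_id":4624,"hw_id":""}
{"time":"2017-03-02T02:13:55Z","host":"gw-01","event_id":6416,"hw_id":"VID_0781&PID_5567"}
{"time":"2017-03-02T02:14:03Z","host":"kiosk-07","event_id":6416,"hw_id":"VID_0781&PID_5567"}
not-json garbage line
"""

# Assumed allowlist: hardware IDs each host is expected to see in operation.
APPROVED = {"gw-01": {"VID_0403&PID_6001"}, "kiosk-07": set()}


def review_physical_access(log_text, approved):
    """Return (alerts, unparsed_count) for external-device connect events."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if rec["event_id"] != 6416:
                continue  # not a device-connect event
            host, hw_id, when = rec["host"], rec["hw_id"], rec["time"]
        except (ValueError, KeyError, TypeError):
            unparsed += 1  # damaged audit data is itself worth reporting
            continue
        # Hosts missing from the allowlist are treated as approving nothing.
        if hw_id not in approved.get(host, set()):
            alerts.append({"stream": "security-audit", "host": host,
                           "time": when, "hw_id": hw_id,
                           "reason": "unapproved external device"})
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = review_physical_access(SAMPLE_LOG, APPROVED)
    for alert in found:
        print(json.dumps(alert))
    print("unparsed records:", bad)
```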

Cloud credential protection. The cloud authentication credentials that are used to configure and operate the IoT deployment are perhaps the most serious vulnerability that cybercriminals can easily exploit to gain access to and compromise the IoT system. To protect credentials, it is recommended that you change your password regularly and try not to use these credentials on public computers.

Functionality may vary on different IoT devices. Some devices have a standard desktop operating system, while others have a lightweight operating system. The security recommendations described above apply differently for different devices. You should also consider the additional recommendations from device manufacturers regarding deployment and security.

Some legacy devices or devices with limited features may not support the features that are required to use devices in an IoT deployment. They may not support data encryption, the ability to connect to the Internet, or advanced audit features. In this case, the data received from such legacy devices is aggregated by a modern, securely protected field gateway, which also provides the required level of security when connecting these devices to the Internet. Field gateways perform secure authentication, negotiate encrypted sessions, receive commands from the cloud, and provide other security features.

Useful materials

1. Overview of predictive maintenance functions in preconfigured solutions.
2. Azure IoT Suite: frequently asked questions.
3. The author’s account on GitHub.

If you see an inaccuracy in the translation, please report this in private messages.
