This week I read an article talking about encryption as security, but true security goes much deeper than just encrypting a web submission.
Encryption is fundamentally important, but if you look at some of the related hashing standards (e.g. hashing http://valerieaurora.org/hash.html) you see that many have a service life of less than ten years. If you factor in increased computing power and how that allows brute forcing of weaker protocols the situation is even worse. The only real defense is to update the software or replace it on a very frequent basis. This is the case both for the device but also for communications infrastructure, such as routers or web servers.
Digging further and only considering the device software: nearly every device is built using a generic operating system that will inevitably require ongoing patching until it reaches end of support. Without applying patches, devices could be compromised without even breaking the encryption in the protocols. This compromise would then render all encryption pointless as the source data is exposed. Worse still, it can be very difficult to prove that an infection has been completely removed, which may then require hardware replacement to rectify.
To protect your solution you should embrace the fact that systems are not static and that they should be updated regularly. This update should not be expensive (for example, by requiring an engineer to visit) as it will discourage updating. It should also be part of the normal management of the system, either by you or your suppliers.
Things to have in mind when setting your security policy
Important aspects to consider and questions to ask yourself when setting up your security:
• Does the device have enough capacity to handle future security upgrades over the predicted lifespan (processor and memory)?
• Do you have a process for updating devices and do you test and use it frequently?
• Do your suppliers provide long-term support for development and communication environments?
• How isolated from the electronic world are your devices – are they on untrusted public networks or private networks?
• Can you monitor devices for changes in behaviour without interrogating the device? Changes in traffic may indicate a compromise.
• If devices do not behave as expected can you diagnose and control them remotely, isolate or update them in a timely fashion?
• Is the whole solution managed and updated on a regular basis?
• How secure is the update channel?
• How resilient is the supporting infrastructure, could it be used to cause a DoS or outage?
Proposed standards to ensure consistent security for your entire IoT deployment
In many ways the solution is similar to meeting GDPR requirements: Devices should only do what they need to do and unnecessary features should not be added to the system until they are required. Devices should be designed and managed in a controlled fashion, and they should be able to be disabled. Devices should not have access to data or be exposed on a network unless it is required for their operation. The IT environment they exist in should be understood and documented. Independent monitoring should ensure that misconfigurations, exploitations or other unexpected behaviours are caught quickly to reduce the risk of exposure and minimize the scope of damage. Devices must be kept up to date both as to core libraries and software but also technologies and vulnerabilities. Audits must be conducted to ensure compliance. Issues should be quickly identified, managed, contained and if required communicated.
All of these concepts exist in current security standards. They are far more important than just stating ‘use AES-256’ which actually is not a statement on security but a protocol requirement. If that AES-256 is employed with an SSL 3.0 stack, it will be insecure.
Without realizing that security requires a full solution perspective, you still risk becoming stuck in the Internet of Compromised Things.
At Tele2 IoT security is at the core in development of products and solutions, as well as in our day-to-day agenda with our customers and partners. If you would like to learn more about how IoT can help your business, please get in touch.