Bench Talk

In a recent security conference, a white-hat hacker maliciously injected an 830V shock in a pacemaker, simply by using a laptop at a distance of up to 15.24m. Needless to say that the “real-world impact” of such an attack could be deadly. There are claims that hackers can easily scale such attacks to multiply the fatal impact on patients with pacemakers. The latest generation of pacemakers is essentially made up of network-connected implantable Internet of Things (IoT) devices. Regardless of the industry, security vulnerabilities in any IoT device pose serious concerns.

Network connectivity exposes IoT products to new attack vectors. The infamous Distributed Denial-of-Services (DDoS) attack on Dyn Domain Name System (DNS) servers in 2016 showed how attackers could weaponize unsecured IoT devices as IoT botnets. The cyber-physical characteristics of connected “things” further raise the threshold for securing them.

A Cyber-Physical System (CPS) refers to any network-connected product that interacts directly with the physical environment. Examples of cyber-physical systems include:
 

• Connected wearables (e.g., fitness monitors)
• Implantable devices (e.g., pacemakers)
• Autonomous vehicles
• Industrial robots
• Gas turbines
   

Cyber-connectivity to a private or public network expands their attack surface. An attacker can connect remotely and exploit a vulnerability in a CPS, and use it as a tool to inflict significant physical damages. In 2010, the infamous Stuxnet worm infected the industrial control systems and manipulated the relay of sensor feedback to the controllers, which ultimately damaged 984 uranium-enriching centrifuges in the Iranian nuclear plants. Thus, a security breach for CPS is not just about the loss of data or reputation; it also implies environmental damages, loss of lives, and as such involves moral, legal, and ethical consequences.

Designers can easily pinpoint the large differential in threat models between any traditional standalone systems versus an IoT product. An IoT product invariably operates as a part of a connected ecosystem, or even a “system-of-systems” as in the case of smart power generation utilities, which makes their security posture uniquely challenging.

In addition to inherent security vulnerabilities in native hardware and software in IoT endpoints, we must factor in the vulnerabilities induced by their operation environment, network connectivity, and interoperability with third-party platforms and systems.

Operational Environment

Unlike traditional PCs, an IoT product converges computing with domain-specific operations. An industrial robot, for example, performs domain-specific functions in an industrial setting in addition to embedded computation and storage functions.

The environment where IoT products operate enforces certain unique security challenges:
 

• Divergent security priorities: IT security practices focus on data confidentiality, integrity, and system availability. In an operational environment; however, protection of the place, people, and processes takes precedence. Thus, standard IT security practices when applied to IoT must preserve if not enhance their safety and reliability requirements.

• Inadequate cybersecurity proficiency: In September 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) flagged multiple security gaps in the syringe infusion pumps used in US hospitals. The majority of those were related to the use of hard-coded or factory-default security credentials. Users and operations staff are not always cybersecurity experts, and hence are unable to detect and protect against these flaws.

• Timely patching: Software and firmware updates are provided to resolve security bugs. In industrial settings; however, regular patching is not the norm. Besides, in many instances, the firmware upgrade may require decommissioning the IoT product temporarily.

• System limitations: Many IoT products such as sensors and actuators have low memory and CPU footprint, which limits their embedded security capabilities.

Network Connectivity

Connectivity exposes otherwise “safe” products to the fallout of cyber intrusion. In 2014, Charlie Miller and Chris Valasek remotely brought a connected vehicle running at full speed on the highway to a complete halt by exploiting its software flaws. To read their full report, see their article titled Remote Exploitation of an Unaltered Passenger Vehicle.

Information security design has mostly relied on perimeter protection using firewalls and zoning. The increasing use of radio technology and wireless in IoT products renders them easy targets for remote attacks. Unencrypted data communications are also a leading cause of IoT compromises.

Third-party Interoperability

Any IoT solution involves multiple service providers of technologies, configurations, and protocols. This leads to more complexity, uneven security compliance, and increases in the attack surface. Subscription-based models increase the dependency on third-party providers for device provisioning, management, and operations, which exposes new attack vectors.

IoT security needs to go above and beyond traditional cybersecurity measures to overcome these challenges. A full-stack approach to IoT security encompassing edge-to-cloud workflows is essential. A 4-tier security model for an IoT system design can mitigate the unique risks. 

Reliable endpoint design

Due to their direct interaction with the physical environment, a tamper-proof design is highly desirable. Suitable credentials such as non-default username/password or Public Key Infrastructure (PKI) certificates can limit unauthorized device access and operations. A few other security design measures to consider:
 

• Trusted Platform Module (TPM) based root-of-trust
• Initialization and boot process integrity
• Provision for secure firmware and software updates
• Integrity of stored and in-transit data
   

Selection of secured Real Time Operating System (RTOS) and fault isolation with containerization can secure the endpoint during runtime. 

Secure network access

Due to the unique challenges of IoT operations, design thinking needs to envision and deeply analyze the use case scenarios regarding:
 

• Access methodologies
• Product usage
• Data communications
• Corner cases
   

This directly leads to developing threat models for network connectivity and gives us a sense of how to:
 

• Secure the access ports
• Encrypt data during storge and transport
• Use tunnels
• Secure the protocol
• Enforce deep-packet inspection in the network perimeters
   

Wireless and RF are predominant choices for IoT connectivity and are typically more vulnerable. However, you can mitigate the connectivity risks by:
 

• Enforcing network access credentials through access and identity control
• Enabling the built-in security capabilities of common IoT protocols such as:
  • Message Queue Telemetry Transport (MQTT)
  • Constrained Application Protocol (CoAP)
  • Zigbee®
  • Transmission Control Protocol/Internet Protocol (TCP/IP)
     

Compliance-based design

Although compliance doesn’t equate to security, compliant design can minimize vulnerabilities. Unlike information security, IoT security involves safety, reliability and resilience, in addition to data integrity, privacy and availability. In other words, if a breach happens, the system must be designed to carefully transition to a stable failure state with minimal impact on its surroundings. In the case of an autonomous vehicle at full-speed, a failure should carefully bring it to a halt. That is why in addition to cybersecurity standards—Federal Information Processing Standards (FIPS), ISO 27001, National Institute of Standards and Technology (NIST) SP 800, etc.—system design needs to interweave compliance with industry-specific regulations—e.g., Health Insurance Portability and Accountability (HIPAA), Department of Transportation (DOT).

Cloud and Applications Security

Cloud-based provisioning, device management, as well as data and application hosting are central to any IoT product deployment. Many IoT products run on Software as a Service (SaaS), where a third party hosts the software layer. Although system designers might or might not have direct control over the security implementation in cloud-based services, it is still essential to architect the deployment based on certain cloud security standards and best practices, which are clearly enumerated in the product documentation.

Connected products are the future of our industries. In an ever-evolving threat landscape, the cyber-physical characteristics of IoT add to the security challenges. Once you identify the challenges, the 4-tier approach discussed in this blog provides a methodical approach to mitigate the risks.

Key Points:

• IoT security is not just about the loss of data or reputation, it also implies environmental damages, loss of lives, and involves moral, legal, and ethical consequences.
• An IoT product operates as a part of a connected ecosystem, which makes their security posture uniquely challenging.
• A 4-tier security model for IoT system design to mitigate threats involves reliable endpoint design, secure network access, compliance-based design, and cloud and application security.