The much-touted Internet of Things (IoT) earned many monikers at the recently concluded IoTshow.in held in BIEC, Bangalore. From the Internet of Intelligent Things to the Internet of Threats, the IoT ecosystem a hub of connected devices presents several challenges in security infrastructure.
And that’s the reason why the talk Cybersecurity in IoT, headlined by leading minds who shined the spotlight on glaring threats and vulnerabilities in the current IoT landscape, grabbed the first spot in the roster of events. Setting up the stage for cybersecurity with Forensics in IoT was Dr Parag H Rughani, Assistant Professor, Digital Forensics & Information Security at the Gujarat Forensic Sciences University. IoTIndiamag gives you a roundup of some of the most interesting talks under Cybersecurity in IoT.
Rughani spoke about one of the most untouched topics in cybersecurity, forensics and its impact on businesses. “65% of enterprises actively deployed IoT technologies and by 2018, two-thirds of enterprises will experience an IoT security breach,” he said, adding though there are massive plans underway to establish smart homes, smart grid, smart cities and smart enterprises, is our technology smart enough not to get exploited.
Delving deep into cybersecurity, Rughani elaborated on the challenges that lie ahead in IoT ecosystem.
One of the first hurdles in IoT is acquisition of evidence from endpoints – sensors and “things” which are very small, not visible and not identifiable and can’t be located easily. In IoT, the endpoints that form the bottom layer are at threat and while endpoints can’t be fully secured, efforts should be made to minimize the extent of security breach
Secondly, after evidence identification and acquisition, comes maintaining the integrity of the evidence. In the digital world, one doesn’t work on the actual evidence. You take a dump of hard disks, extract an image and maintain the integrity of evidence. Usually, one relies on volatile data but in IoT the volatile data is less, which makes it difficult to reconstruct the IoT crime scene.
One of the last challenges is an acute lack of awareness of digital crimes and the severity of its consequences. India faces a shortage of skilled and trained resources and tools. Over the years, forensics will encompass cloud, network and even hardware. There is a high demand for forensics tools and researchers and some of the leading companies working in this field are Deloitte, PwC, E&Y.
Lastly, one of the most common refrains throughout the event was – a lack of IoT guidelines and standards underpinning the need for interoperability and collaboration between academia and industry.
How to ensure your IIoT Device is secure 5 years from now?
This 20 minutes’ insightful talk by Ashok Ravula, Core Platform Solutions Director at Infiswift had a great deal covered from common security issues that most industrial devices face to the best practices and solutions to address these issues.
Stressing on the fact that with an increase in the number of IoT devices, the number of attacks too have spun out in various forms. “DDOS attacks have become the most common of the sorts and has seen a significant rise in the last two years”, Ravula stated. DDoS or the Distributed Denial of Service is a kind of cyber attack where the hackers attempt to make the online services unavailable generally by sweeping in huge traffic from multiple sources. As “online” has become the inevitable part of any industry, it comes as a major threat to almost all kinds of industries who rely on some or the other form of online platforms.
Everything from banks and healthcare industries to news websites can be targets, as they are a huge repository of important resources in the form of data. And any sensitive data that can be accessed by hackers comes as a major challenge that needs immediate attention.
Not just this, there are several other critical challenges that the IoT industry is exposed to. Device theft, data theft, safety of IoT devices, the legal bindings being few of them. Ravula elaborated on these points as below:
- Device theft- The IoT devices being minuscule in nature and being installed in thousands of numbers, it gets difficult to keep a track of the devices. An IoT network needs not one but a great deal of sensors and devices (sometimes amounting to 50 billion devices), to be installed, making its traceability a huge concern.
- Data theft- IoT devices are synonymous to huge repositories of data- some useful and others very sensitive- making it a big challenge to secure the privacy of these data.
- Legal- Any kind of damage to data and devices could lead to reputation and liability issues for the company/organization in the picture. Hence its very crucial that the companies have legal obligations while accessing data in any form.
Given the fact that many IIoT devices can be deployed for many years together in remote environments, it is crucial that they stay secure even as they become obsolete. In short how to ensure that these devices are secure not just in the coming 5 years but for a longer time? Addressing the solution to these questions, Ashok Ravula who leads the product management building the core IoT platforms and offerings for specific industries at infiswift gave a few takeaways to its audience.
“Authorization and authentication at user and device level becomes the key point. Having an access control would do away with most of the unwanted breeches in the data accessibility”, noted Ravula. Application level security takes away the next brownie point. It is important that the interface between an application and the queue manager to which it is connected is secured properly. “Over the air updates need to be secured to maintain integrity of data”, he added. As the OTA programming distributes distributes new software, configuration settings to IoT devices, it becomes crucial that these are secured.
Can writing a secure code positively impact the security of IoT Infrastructure?
According to Virendra G, Senior Vice President, Huawei Technologies who heads a diverse product development portfolio, writing secure code and having a secure software requires a lot of investment from the company. In his talk, Challenges and Issues in IoT security, the senior executive highlighted how threat models can be addressed in the system architecture/design itself. “Small companies may not have the resources or the disciplined approach for writing a secure code. By developing threat models for different types of attacks in each category, developer can take care of that in system architecture,” he said.
IoT cloud – fraught with trust issues?
Can you put all your data in the cloud? Cloud service providers do not keep all their software up-to-date and that’s why your data could be at potential risk. “That’s why enterprises should follow a Data Minimization strategy – deciding what data should be stored in cloud,” he added.
Encryptions provide possible solutions in securing applications. “IoT cloud solutions offer homomorphic encryption where you can never figure out what the data was. Recently, use of chips such as Intel SGX in enclave mode, allow application code to be put in an enclave,” he shared. Virendra also elaborated on a recent paper authored by IBM researchers on Lightweight Implementation of SGX, that could pave the the way for hardware based safety in cloud computing.
He maintained that by integrating secure engineering in product development lifecycle, emulating the secure coding centre for C++ and following a Threat Model testing approach (simulating attacks, reviewing the code) can minimize breaches.
(with inputs from Srishti Deoras)