How to Build a Security Framework for IoT
Smart devices have been found riddled with security vulnerabilities in the past couple of years by numerous security researchers, proving that usability does not necessarily go hand in hand with security. Even popular IoT devices – 70 percent of them - were found harboring more than one critical vulnerability, potentially allowing attackers to remotely control them and use them to pivot to other devices or networks.
SOC-powered Android devices were found even more vulnerable to cybercriminals, as some vulnerabilities found could allow for root access. This would mean that attackers could completely gain control over such devices, and even smartphones were prone to the same threats.
Why Such Poor Security for IoT?
Manufacturers building smart devices seldom follow basic system security engineering principles. As they focus on quick go-to-market deployments and high return on investment, building in security, or even thinking of adding security mechanisms, is often dismissed from product roadmaps.
While this drives the consumer market, it’s companies that take the blunt of repercussions as employees usually break the security chain by introducing IoT devices within the corporate network. Commercial products today inevitably make their way into such networks and could jeopardize the security of the entire organization. Enterprise managers are at a loss when trying to manage such devices, as they don’t follow any security design principles that allow for IT management.
Usability and low hardware costs fuel the proliferation of IoT devices, but at the same time destabilize the security chain by not adhering to best practices or even supporting any type of IT management. Known vulnerabilities, such as cleartext cloud or local APIs expose personal data, remote shell access, or even UART (Universal Asynchronous Receiver/Transmitter) interfaces that allow for physical interaction with the device, are common vulnerabilities in IoT.
Engineering a Security Framework
The missing component in the IoT development lifecycle is the security engineering discipline that allows for concepts and methods to test, implement and build security mechanisms right into smart devices. An integrated, system-level perspective on system security should be the first step toward defining a solid IoT security framework.
When tackling this challenge, we need to start by defining the security objectives, requirements, success measurements and lifecycle that will address the problems we’re trying to solve. Only then can we start defining and realizing the security aspects of the proposed solution, followed by analyzing the evidence produced by the solution.
This engineering approach will not only help develop assurance cases for acceptable security, but will also demonstrate that these cases are satisfied. To this end, CIOs and CSOs will have a complete system security analysis for any IoT device being launched into the market and is connected to the corporate network infrastructure.
This loop feedback will spawn new and more secure smart devices with each iteration, allowing for continuous improvement, and making highly flexible to market or security changes and variances. Designing the right security architecture for IoT is no small task and nailing down the right requirements, or even designing them, will prove a daunting task for years to come.
Long Term Benefits
The long-term benefit of having such a framework and adhering to it when pushing smart devices to the consumer and enterprise markets is that organizations will not only be encouraged to assess the value of their information assets, but they’ll also be able to protect them. More than that, it will help strengthen their infrastructure against cyberattacks – or at least minimize damages – and make their systems survivable.
If we start building and testing such a security framework for IoT devices, we’ll introduce the “trust” factor into the design, development and even operation of systems used both in commercial infrastructures and government infrastructures.
For home users, The Bitdefender Box can protect everything from your average laptop and smartphone to every smart thing that requires an active internet connection. Constantly monitoring, the Bitdefender Box warns whenever malicious or suspicions actions target your devices and allows you to take informed decisions on how to deal with them.