By 2025, it is predicted that there could be as many as 100 billion connected IoT devices, a network of everyday objects and sensors infused with intelligence and computing capability. These devices will comprise personal devices such as smart watches, digital glasses and fitness monitoring products, food items, home appliances, plant control systems, equipment monitoring and maintenance sensors and industrial robots.
The rapid growth in IoT devices, however, will offer new opportunities for hacking, identity theft, disruption, and other malicious activities affecting people, infrastructure and the economy. Until very recently hackers had a limited number of vulnerable points of access: computers were protected by anti-virus software, and modems had complex inbuilt security measures. Smart home devices offer more access points than ever before: wireless lights, thermostats, home security sensors, intelligent streetlights, smart meters, and many more. These millions of sensors and devices present a great opportunity for hackers, and a great vulnerability to us all.
Some incidents have already happened. An internet-connected fridge was used in a botnet to send spam to tens of thousands of Internet users. A Jeep Cherokee was sensationally remote-controlled by hackers in 2015. The FDA issued an alert about a connected hospital medicine pump that could be compromised and have its dosage changed.
In Oct 2016, an attacker used malware to command Internet of Things (IoT) devices to carry out a DDoS attack, which overwhelmed the target with unwanted requests. “On command, thousands of internet-connected devices began sending waves of data at Dyn, one of the domain name server, or DNS, resulting in downing of hundreds of websites, including Twitter, the New York Times, Reddit and Amazon, for hours,” reported DefenseOne. The malware exploited widely known factory-default passwords or other vulnerabilities in the devices, making them easy recruits for bot armies.
“The volume of DDoS attacks has more than doubled over the last 18 months. It’s now approaching 650 gigabytes a second. That’s only possible because they’ve been recruiting IOT devices,” said one government official with direct knowledge of the attack. “We need to have a deliberative conversation about baking in security as much as possible into Internet of Things devices.”
Security equipment is also vulnerable to exploitation by politically and criminally motivated hackers. Security researchers Runa Sandvik and Michael Auger gained unauthorized access to a smart rifle’s software via its WiFi connection and exploited various vulnerabilities in its proprietary software. The TP750 was tricked into missing the target and not firing the bullet.
The military is also planning to employ IoT. IoT can serve warfighters better with more intelligence and more ways to coordinate actions amongst themselves. In 20 years the IoT will be ubiquitous. Yet for the Army and wider military to make the most of IoT, they will need to rely on heterogeneous and flexible networks that continue to operate in environments with spotty connectivity and don’t place burdens on soldiers, said Pellegrino, deputy assistant secretary of the Army for strategic integration.
Military IoT networks will also need to deal with multiple threats from adversaries, said the Army’s John Pellegrino, deputy assistant secretary of the Army for strategic integration. These include physical attacks on infrastructure, direct energy attacks, jamming of radiofrequency channels, attacks on power sources for IoT devices, electronic eavesdropping and malware.
IoT Security and safety Threat
Without ample security measures, experts fear that an expanding IoT could create massive vulnerabilities across nearly all technologically-integrated spectrums. With interconnected systems, even one small security gap could create massive ripple effects. The IoT inherently creates billions of insecure new endpoints, said Eric Chiu, president of cloud security vendor Hytrust.
Safety is inseparable from security in the IoT. A hacker can exploit the vulnerability of implantable medical devices such as cardiac pacemakers, cochlear implants and diabetic pumps and cause the death of victims. A study from security research company Synack found that commonly connected products opened up a host of safety issues. One of the firm’s analysts noted it took him only 20 minutes to break into a range of devices, according to GigaOm.
Growing fleets of autonomous cars could, Heiser warned, pose public-safety and economic risks if they were hacked and similarly controlled by malicious outsiders; such threats recently drove the UK to set new rules for driverless cars and inspired Intel to set up the Automotive Security Review Board to focus efforts around car security.
Nicholas D. Evans, who leads the Strategic Innovation Program for Unisys, outlined a few of the possibilities, some of which have already materialized recently:
- Connected home hacked to open the front door to thieves, open garage door to steal a car, raise heater to maximum levels to damage air conditioning system and/or household goods, turn off refrigerator, turn off sprinkler system, access personal computers, and so on.
- Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships etc. similarly misdirected or sabotaged.
- Connected hospital hacked to change the route of delivery robots; functions of medical devices such as pacemakers and insulin pumps, and so on.
- Connected manufacturer hacked to interrupt functions of warehouse “picking” robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on.
- SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that spun up Iran’s nuclear centrifuges.
The endless variety of IoT applications poses an equally wide variety of security challenges. For example:
- In factory floor automation, deeply embedded programmable logic controllers (PLCs) that operate robotic systems are typically integrated with the enterprise IT infrastructure and need to be shielded from human interference.
- Similarly, control systems for nuclear reactors are attached to infrastructure and need to receive software updates or security patches in a timely manner without impairing safety.
- A smart meter—one which is able to send energy usage data to the utility operator for dynamic billing or real-time power grid optimization—must be able to protect that information from unauthorized usage or disclosure.
An alert from the FBI details the dangers of unsecured smart devices and how they can be abused by attackers. IoT devices including routers, IP cameras and even smart locks and connected doors are being targeted by cyber criminals who are looking to exploit them as a gateway for hacking and other cyberattacks, the FBI has warned. Cyber actors actively search for and compromise vulnerable Internet of Things (IoT) devices for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation.
IoT proxy servers are attractive to malicious cyber actors because they provide a layer of anonymity by transmitting all Internet requests through the victim device’s IP address. Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic.
The malicious activities the FBI warns compromised IoT devices can be used for include sending spam emails, hiding network traffic, generating ad-revenue click fraud, and mounting credential-stuffing attacks that use the compromised device as an entry point onto a wider network.
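The FBI's description suggests what to watch for on the network: a device that suddenly reaches many destinations it has no reason to contact, or that starts sending mail. The sketch below is an added example, not part of the FBI alert or the original article; the flow-record format, addresses, device inventory and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: IoT device IP -> external hosts it is expected to reach.
LAN = ipaddress.ip_network("10.20.0.0/24")
EXPECTED = {
    "10.20.0.11": {"198.51.100.10"},  # camera -> vendor cloud
    "10.20.0.12": {"198.51.100.20"},  # thermostat -> vendor cloud
}
MAIL_PORTS = {25, 465, 587}
FANOUT_LIMIT = 5  # assumed threshold: distinct unexpected destinations per window

# Constructed flow records: "epoch src dst dport bytes"
SAMPLE_FLOWS = """\
1700000100 10.20.0.11 198.51.100.10 443 5120
1700000130 10.20.0.12 198.51.100.20 443 900
1700000140 10.20.0.12 203.0.113.1 443 300
1700000141 10.20.0.12 203.0.113.2 443 300
1700000142 10.20.0.12 203.0.113.3 80 300
1700000143 10.20.0.12 203.0.113.4 443 300
1700000144 10.20.0.12 203.0.113.5 443 300
1700000145 10.20.0.12 203.0.113.6 80 300
1700000150 10.20.0.12 192.0.2.25 25 1400
1700000151 10.20.0.12 192.0.2.26 25 1400
1700000160 10.20.0.11 10.20.0.1 53 80
1700000200 10.20.0.11 198.51.100.10 443 4096
garbage line
"""


def parse_flows(text):
    """Yield (ts, src, dst, dport, nbytes); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue


def detect(text, window=300):
    """Return alerts for IoT devices behaving like a proxy or spam relay."""
    unexpected = defaultdict(set)  # (device, window index) -> unexpected dsts
    mail = defaultdict(int)        # device -> flows to mail ports
    for ts, src, dst, dport, _ in parse_flows(text):
        if src not in EXPECTED:
            continue  # only inventoried IoT devices are judged here
        if ipaddress.ip_address(dst) in LAN or dst in EXPECTED[src]:
            continue  # local traffic and the vendor cloud are expected
        unexpected[(src, ts // window)].add(dst)
        if dport in MAIL_PORTS:
            mail[src] += 1
    alerts = []
    for (dev, _), dsts in sorted(unexpected.items()):
        if len(dsts) > FANOUT_LIMIT:
            alerts.append((dev, "proxy-like fan-out", len(dsts)))
    for dev, count in sorted(mail.items()):
        alerts.append((dev, "outbound mail traffic", count))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

A per-device allowlist of expected destinations keeps the rule simple; the threshold and window need tuning against a baseline of each device type's normal traffic.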
In the IoT era, devices will be collecting, storing and sharing ever-increasing amounts of information across devices and platforms. This might range from something as basic as the IP addresses our IoT devices communicate with to the state of our health. Without proper security measures in place, every piece of data we generate, whether intentionally or passively, will be open to exploitation for identity theft or financial gain, and could potentially even be used to damage our health. Implementing security will continue to be critical for controlling how data is used.
In 2015, HP reported that up to 70% of commonly used IoT devices are vulnerable to cyber attacks and breaches.
Security intelligence firm Cisco Talos discovered 20 vulnerabilities in Samsung’s SmartThings Hub. These vulnerabilities could have allowed an attacker to execute OS commands or other arbitrary code on affected devices. Craig Young, principal security researcher at Tripwire, said: “For an attacker, smart home hubs are an ideal point of attack. A compromised hub can not only give a foothold into a home network and expose usernames and passwords, it can also allow an attacker to control devices and to generally spy on victims.” Depending on the types of gadgets linked to it, a smart home hub can reveal when people are home and what they are doing (or even saying) at home. Cisco Talos has since worked with Samsung to ensure that these issues have been resolved and that a firmware update has been made available for affected customers.
Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities, or employ brute force attacks on devices with default usernames and passwords, says the FBI. The absence of encryption, coupled with an inability to patch vulnerabilities as they occur, is a major shortcoming of many Internet of Things devices available in today’s market, according to Ian Lyte, security consultant at Protection Group International (PGI), who prepared the challenge. “If you have something that can’t be upgraded and a vulnerability is found, if you have an internet-connected device at home or in a car, that can’t be updated, once that vulnerability has been found, there is nothing you can do,” Lyte said.
The scenario, enacted as part of the Cyber Security Challenge 2017, saw six groups of aspiring cyber defenders break into a GPS tracking device to be installed into a fleet of cars owned by a fictional car leasing company. Through the device, they were able to breach the company’s internal computer network and book a ride in one of the firm’s luxury vehicles, bypassing all approval and registration procedures. “Once they reach the end of the game, they will have a presence on the internal network of the company. They can go and see finance, they can transfer money, they can try to target specific individuals,” Lyte explained. “They have complete control of what they can do in that network, they can go and sit there, they can visit other servers, and they have got passwords and other credentials. It’s exactly the same as somebody coming in and plugging a laptop in.”
“It’s a device that has hard-coded credentials that are available for anybody to read as long as they get hold of the firmware,” explained Lyte. “That allows you to execute commands from the device. It exploits the same principle as the one used by the Mirai botnet that has taken down some major websites last year. You can find the same sort of thing in many medical devices as well.”
“There have been instances of IoT devices constantly sending information back to their manufacturers—smart TVs recording what you are saying and surveillance cameras communicating with a large P2P network,” said Steve Bell, Security Expert for BullGuard. “There has even been a case of a digital video recorder (DVR) device that’s sold in tandem with Internet-enabled surveillance cameras sending data to a third party or an embedded P2P network.”
“You could imagine an IT manager having sleepless nights knowing that his or her company IoT devices are enabling P2P communications,” said Bell. “Added to this, IoT device default settings often ignore security and privacy concerns. This is assuming that IT departments have some awareness about the potential vulnerabilities. Many don’t. This is illustrated by the large number of IoT devices tagged by the Shodan search engine that have open ports. An open port is like an open door. It’s an invitation for the mischievous and those intent on carrying out some form of criminal endeavor.”
The cost of security breaches
Depending on the type of breach, companies may lose revenue, competitive advantage, the health and safety of employees, or all of the above. In severe cases, a breach could lead to the financial downfall of a company. Nortel Networks is a perfect example. Chinese hackers gained access to Nortel’s network and downloaded business plans, research and development reports, employee emails and other documents. Security experts within the telecommunications giant blame the security breach for its bankruptcy.
Security Challenges of IOT and Military IoT devices
In Internet of Things (IoT)/Internet of Everything (IoE) environments, Embedded and Mission-Specific Devices (EMSDs), such as those found in home automation and Supervisory Control and Data Acquisition (SCADA)/Industrial Control Systems (ICS), require the exploration and development of new cyber security capabilities that are conducive to these devices’ limitations.
These include low computational resources (e.g., storage and memory capacity, processor speed), physical constraints (power consumption, package size, and placement), intermittent connectivity, and lack of trustworthy visibility into system status and operation.
These limitations are further compounded by cost sensitivity, the limited interactivity of many EMSDs, the great difficulty/inability to modify/augment them once fielded, and the lack of standardized hardware and software platforms. The combined effect of these factors inhibits the effective use of cybersecurity mechanisms that have been developed for comparatively resource‐rich devices.
IoT systems, whether a security camera or an industrial robot, also need to be up and running for years at a time, with rare opportunities for downtime. And they are often “headless”: there isn’t a human being operating them who can input authentication credentials or decide whether an application should be trusted, so they must make their own judgments and decisions about whether to accept a command or execute a task.
The art of deception can be employed against machines as well as people, noted Richard Hale, deputy chief information officer for cyber security at the Defense Department. “The Internet of Things, especially as we get more and more autonomous and more of this is real-time control system sort of stuff — it’s going to make really bad decisions if information isn’t right or if it’s not coming from a genuine, trustworthy” component, he said. “Non-spoofable … identity is going to be a fundamental characteristic” of the Pentagon’s future IoT systems.
Security concerns are the main issue holding back the military’s use of the Internet of Things, said officials, analysts and members of industry. Some potential adversaries have advanced cyber and electronic warfare capabilities, and everything connected to the Internet is potentially vulnerable to attack, they noted.
Dukes said “lightweight” cryptography would be needed to secure smartphones and other devices that don’t have the processing capability of traditional devices. That could entail creating cryptographic tools and protocols that require less energy or less software code to execute.
Securing the IoT will demand that businesses identify cyber and physical threats to their IoT infrastructure, determine the consequences of these threats, and carefully evaluate security strategies. Since there is inherent risk in connecting any device, make sure that adding it to your network brings sufficient value to justify the risk. “We need to appreciate that every connected device is a computer with an operating system and applications that potentially have vulnerabilities,” noted Darren Anstee, CTO of Arbor Networks.
This requires close collaboration among device manufacturers, resellers, deployers, solution developers, and cloud providers—a huge challenge given varying priorities of these stakeholders. Other roadblocks include a lack of standards for IoT security, disparate hardware and software capabilities, and a range of communications protocols and control systems.
The first step to mitigate these risks will be to identify the threats that are most relevant. In addition to DDoS attacks, these can include breach of personal data, communications interception, natural disasters, physical attack, and hijacking. This evaluation should factor in the entire lifecycle of an IoT infrastructure: design, deployment, and operations. Microsoft recommends a critical threat-modeling analysis of infrastructure to discover the most likely threats and define actionable mitigation.
Encryption firm DigiCert Inc., digital security company Gemalto, and ISARA Corp., provider of quantum-safe security solutions, have partnered to develop advanced quantum-safe digital certificates and secure key management for connected devices, commonly referred to as the Internet of Things (IoT). Currently, most IoT devices rely on RSA and ECC cryptography to protect the confidentiality, integrity and authenticity of electronic communication. However, the security community predicts that large-scale quantum computing will break RSA and ECC public key cryptography within the next ten years. Together, these companies will develop advanced quantum-safe digital certificates and secure key management to secure the future of IoT.
The physical security market is being enhanced through technological innovations including integrated sensors, video, and access systems. Today physical and cyber security are entwined, and solutions can use this to provide a complete protection service in one unified solution. For example, when abnormal behavior or an attempted intrusion is detected on the network, a monitored alarm system can automatically arm itself in expectation of a potential burglary. Or, if an attempt is made to access the home network onsite during a time that the IoT/alarm system does not expect someone to be at home, then an alarm will be raised. The same monitoring center that monitors burglary alerts can learn to deal with cyber alerts.
Consulting firm PricewaterhouseCoopers (PwC) recommends that companies determine what their most valuable information assets are, where they are located at any given time, and who has access to them. From there, the physical security industry should collaborate with IT security departments to find a balance between protecting these assets and developing new, smart tech enhanced services.
Wind River, a world leader in embedded software for intelligent connected systems, has proposed an evolutionary approach to IoT security. It recommends “The End-To-End Security Solution”: “Security at both the device and network levels is critical to the operation of IoT.”
“The same intelligence that enables devices to perform their tasks must also enable them to recognize and counteract threats. Fortunately, this does not require a revolutionary approach, but rather an evolution of measures that have proven successful in IT networks, adapted to the challenges of IoT and to the constraints of connected devices.” Security must be addressed throughout the device lifecycle, from the initial design to the operational environment.
The FBI recommends the following measures for protection and defense:
- Reboot devices regularly, as most malware is stored in memory and removed upon a device reboot. It is important to do this regularly as many actors compete for the same pool of devices and use automated scripts to identify vulnerabilities and infect devices.
- Change default usernames and passwords.
- Use anti-virus regularly and ensure it is up to date.
- Ensure all IoT devices are up to date and security patches are incorporated.
- Configure network firewalls to block traffic from unauthorized IP addresses and disable port forwarding.
- Isolate IoT devices from other network connections.
Building Security in from the Bottom Up
Knowing no one single control is going to adequately protect a device, how do we apply what we have learned over the past 25 years to implement security in a variety of scenarios? We do so through a multi-layered approach to security that starts at the beginning when power is applied, establishes a trusted computing
Secure booting: When power is first introduced to the device, the authenticity and integrity of the software on the device is verified using cryptographically generated digital signatures.
Access control: Next, different forms of resource and access control are applied. Mandatory or role-based access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs.
Device authentication: When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data.
Firewalling and IPS: The device also needs a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device. The industry-specific protocol filtering and deep packet inspection capabilities are needed to identify malicious payloads hiding in non-IT protocols.
Updates and patches: Once the device is in operation, it will start receiving hot patches and software updates. Software updates and security patches must be delivered in a way that conserves the limited bandwidth and intermittent connectivity of an embedded device and absolutely eliminates the possibility of compromising functional safety.
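The device authentication layer above can be illustrated with a challenge-response exchange between a device and the gateway it joins. This is an added example, not code from the original article: the names `Device`, `Gateway` and `derive_device_key` are hypothetical, and it assumes a per-device symmetric key provisioned at manufacture (a certificate-based scheme would replace the HMAC with a signature).

```python
import hashlib
import hmac
import os
import time


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device key, so no credential is shared across the fleet."""
    return hmac.new(master_key, b"device-auth-v1|" + device_id.encode(),
                    hashlib.sha256).digest()


def _tag(key: bytes, nonce: bytes, device_id: str) -> bytes:
    # The nonce has a fixed length (16 bytes), so the concatenation is unambiguous.
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()


class Device:
    """Headless device: proves knowledge of its key without sending it."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self._key, nonce, self.device_id)


class Gateway:
    """Issues single-use, short-lived challenges and verifies responses."""

    def __init__(self, master_key: bytes, enrolled, ttl: float = 30.0):
        self._master = master_key
        self._enrolled = set(enrolled)
        self._ttl = ttl
        self._pending = {}  # nonce -> (device_id, expiry)

    def challenge(self, device_id: str, now=None) -> bytes:
        now = time.time() if now is None else now
        nonce = os.urandom(16)
        self._pending[nonce] = (device_id, now + self._ttl)
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)  # pop: a nonce is valid once only
        if entry is None:
            return False
        issued_for, expiry = entry
        if issued_for != device_id or now > expiry:
            return False
        if device_id not in self._enrolled:
            return False
        expected = _tag(derive_device_key(self._master, device_id), nonce, device_id)
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def run_demo() -> dict:
    master = os.urandom(32)  # constructed key material for the demo
    gw = Gateway(master, enrolled={"meter-0001"})
    meter = Device("meter-0001", derive_device_key(master, "meter-0001"))
    results = {}

    n = gw.challenge("meter-0001", now=1000.0)
    t = meter.respond(n)
    results["genuine"] = gw.verify("meter-0001", n, t, now=1001.0)
    results["replay"] = gw.verify("meter-0001", n, t, now=1002.0)

    clone = Device("meter-0001", os.urandom(32))  # claims the ID, lacks the key
    n = gw.challenge("meter-0001", now=1000.0)
    results["wrong_key"] = gw.verify("meter-0001", n, clone.respond(n), now=1001.0)

    n = gw.challenge("meter-0001", now=1000.0)
    results["expired"] = gw.verify("meter-0001", n, meter.respond(n), now=1031.0)

    retired = Device("meter-9999", derive_device_key(master, "meter-9999"))
    n = gw.challenge("meter-9999", now=1000.0)  # decommissioned, not enrolled
    results["unenrolled"] = gw.verify("meter-9999", n, retired.respond(n), now=1001.0)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Only the genuine first response is accepted; the replayed, wrong-key, expired and unenrolled attempts are all rejected before any data is exchanged.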
DHS’s Strategic principles for securing IOT
DHS has set forth principles designed to improve security of IoT across the full range of design, manufacturing, and deployment activities.
Incorporate Security at the Design Phase: Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed. DHS recommends enabling security by default through unique, hard to crack default user names and passwords; building the device using the most recent operating system that is technically viable and economically feasible; using hardware that incorporates security features to strengthen the protection and integrity of the device; and designing with system and operational disruption in mind.
Promote Security Updates and Vulnerability Management: Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates, and vulnerability management strategies.
Build on Recognized Security Practices: Many tested practices used in traditional IT and network security can be applied to IoT. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices.
Prioritize Security Measures According to Potential Impact: Focusing on the potential consequences of disruption, breach, or malicious activity across the consumer spectrum is therefore critical in determining where particular security efforts should be directed, and who is best able to mitigate significant consequences.
Promote Transparency across IoT: Increased awareness could help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies. Depending on the risk profile of the product in question, developers, manufacturers, and service providers will be better equipped to appropriately mitigate threats and vulnerabilities as expeditiously as possible, whether through patching, product recall, or consumer advisory.
“Widespread adoption of these strategic principles and the associated suggested practices would dramatically improve the security posture of IoT.”
IoT Security Market
Cyber security refers to the protection of virtually or digitally stored data and information from external attacks in the form of hacking and phishing. With the exponential increase in use of connected devices, rising smartphone and internet penetration, and growing electronic transactions, there is a pressing need for cyber security solutions all over the world. This need has gotten accentuated with the fast-developing AI and IoT technologies. IoT, for instance, is increasingly being viewed as making critical information vulnerable to cyberattacks and can bring down vital infrastructure such as telecommunications and power. The 2016 Mirai Bot attack exposed the fragility of IoT technology as the malware has been specifically designed to breach the security walls of IoT connected devices. This will aid the expansion of the global cyber security market size in the forecast period.
According to the new market research report “IoT Security Market by Type…. Global Forecast to 2025”, published by MarketsandMarkets™, the global Internet of Things (IoT) Security Market size is expected to grow from USD 12.5 billion in 2020 to USD 36.6 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 23.9% during the forecast period. Major factors driving the growth of the market are the increasing number of ransomware attacks on IoT devices across the globe, growing IoT security regulations, and rising security concerns over critical infrastructures.
Smart home and consumer electronics consist of devices, such as wrist wear, eyewear, neckwear, and body wear, and smart home appliances. Consumer electronics and smart home appliances are vulnerable and susceptible to cyber-attacks. This vulnerability and susceptibility provide IoT security vendors a great opportunity to address the security needs of these consumer wearables. Increasing adoption of smart home devices such as smart glass and smart speakers are enhancing the vulnerability of smart homes. Rise in the number of attacks over smart homes is fueling the demand for integrated security solutions.
Major trends contributing to the market are the increasing security breaches in critical infrastructures and personal data. IoT security solutions include identity and access management, data encryption and tokenization, intrusion detection system/intrusion prevention system, device authentication and management, secure software and firmware update, secure communications, Public Key Infrastructure (PKI) lifecycle management, Distributed Denial of Service (DDoS) protection, security analytics, and others (virtual firewall and incidence response system). These solutions enable enterprises to meet their key requirements, which help in securing their IoT devices.
North America is the dominant region for IoT deployment and progressive in terms of technology adoption. The region comprises the US and Canada. The US is expected to hold a higher market share in the IoT security market. The US and Canada are the early adopters of trending technologies, such as IoT, big data, and mobility, and would provide significant growth opportunities for IoT security vendors.
The major vendors in the global IoT security market include Cisco (US), IBM (US), Infineon (Germany), Intel (US), Symantec (US), Allot (Israel), Mocana (US), SecuriThings (Israel), CENTRI (Germany), Armis (US), ForgeRock (US), and NewSky (US).