IoT: How to protect from security threats?

IoT security is becoming critical in smart city development as smart city services increasingly rely on a complex network of IoT devices. These IoT devices are diverse in nature with access to different kinds of data and systems and are typically characterized by low processing capability and low power consumption. Generally, low-cost IoT devices have less sophisticated built-in security protection features, such as the lack of capabilities to support a suite of data encryption technologies. To enable low power consumption, IoT deployments tend to use basic communication technologies that may not be able to support the desired security levels over communication paths. Combining all these factors, IoT networks will inevitably be the target of increasingly sophisticated cyber-attacks. In addition, privacy leakage is also a concern since the IoT network carries data and signals that contain personal private information such as identity, location, and private contents.

Therefore, the implementation of appropriate technical security measures and setting IoT security policies are important. Organizations should consider how devices mitigate known attacks (e.g. DDoS). Look at deploying scalable solutions that make devices more resilient to future attacks in addition to reviewing device governance and firmware upgradability. Due to IoT’s inevitable impact across all industries, a common framework to standardize cybersecurity requirements should emerge.

From a technical perspective, a typical IoT architecture consists of edge devices, a gateway to communicate with these devices, connectivity paths and a back-end server in the cloud. To minimize impact from an IoT attack, security issues for each section of the end-to-end IoT architecture should be addressed properly.

At the endpoint device level, there are different techniques to enable device protection. For example the use of device identity technique (such as Public Key Infrastructure) to ensure device integrity; the use of security penetration tests or even cyber threat simulation exercises to identify whether the endpoint devices can be hijacked and exploited; and the deployment of enterprise-wide patches/upgrades to software and firmware in response to identified security flaws or new cybersecurity regulations.

At the gateway and the back-end server sections, the protection mostly relies on data security protection. Data, whether in motion, in use or at rest, must be protected against unauthorized access and uncontrolled changes. This can be achieved with the use of IoT optimized encryption techniques to protect data integrity by taking into consideration the limited memory size in IoT devices. In addition to technical data security mechanisms, data collection principals are also relevant for each IoT device function; standard adherence to general data gathering principals may reduce the impact of IoT device compromise or data breach. For example, mitigating risk by discarding personally attributable data elements would reduce the risk of personal data being leaked through a data breach. In addition, the use of wireless intrusion protection systems to detect and defend networks from intrusion can detect any rogue devices on the network.

It is important to ensure that endpoint devices and the network are both adequately protected and secured. Large device and equipment developers have formed industry groups or consortium which focus on industrial use of IoT, associated security problems and are instrumental in defining the IoT security framework to address these problems.

To mitigate security issues, each key stakeholder has its own role to play. The government and market regulators should start taking IoT security seriously to define standards, policies, and guidelines for companies to follow. For example, the government can develop regulations by proposing that companies comply with a cybersecurity rating and approval process for using connected devices. The government can also recommend that device manufacturers follow security and cryptography best practices and consider establishing third-party verification programs to ensure IoT devices can fulfill certain minimum-security standards. Operators that provide the connectivity between end-devices and the network can monitor, filter or block potentially malicious traffic based on known patterns and leverage analytics to provide better security detection and protection. IoT customers must continue to implement best practice security controls and take the necessary actions (e.g. changing the default password) to securely operate all connected devices, routers, and servers.