blogs

How secure is your Internet of Things Implementation?

21Jul,2017

With real IoT implementation taking place across different industry verticals now, “how secure is your IoT implementation?” is one of the major questions asked by majority of CXOs. The three key threats for IoT implementations are:

Addressing Security Concerns

Security must be maintained throughout IoT lifecycle from end device to gateway, to cloud application, and to mobile applications. Security must be addressed at:

Device Level Security

The main device level security considerations include:
Physical Security:  Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on that medium. Weaknesses are also present when external ports can be used to access the device. These issues can be mitigated by ensuring:

Transport / Network Level Security

The main Transport / Network level security considerations include:

Cloud / Application Level Security

The main security vulnerabilities pointed out by the OWASP (Open Web Application Security Project) for any Web / Mobile Application products include;

A Checklist to ensure the security of your IoT Devices:

Security Considerations

Device

Transport

Cloud

Physical Security

  • Make sure that the device cannot be easily disassembled
  • Make sure that only minimal external ports are needed for the product to function.
  • Make sure that the Console access is secured

NA

NA

Secure Booting

  • Make sure that only the Software that has been authorized to run on the device is loaded

NA

NA

Authentication

Make sure that whenever a device is plugged into the network, it should authenticate itself prior to receiving or transmitting data

NA

 

  • Ensure that the Web or Mobile App is authenticated using a multi-factor authentication mechanism before use.
  • Ensure that the default usernames/passwords are changed during initial setup
  • Ensure that the web interfaces are not susceptible to XSS (Cross-site scripting), SQLi (SQL Injection) or CSRF (Cross-Site Request Forgery)
  • Ensure that the credentials are not exposed to network traffic
  • Ensure that a check for weak passwords is in place.
  • Ensure that an account lockout mechanism is in place
  • Ensure that the password recovery mechanisms are secure
  • Ensure that the credentials are properly protected

Access control

  • Make sure that a role-based access control is built into the operating system to limit the privileges of device components and applications, so that they access only the resources they need to do their jobs.

NA

  • Ensure that the application has the ability to separate normal users from administrative users
  • Ensure that only authorized individuals have access to the collected personal information.

Privacy Concerns

  • Ensure that the data stored in the device is protected and stored with encryption.

NA

  • Ensure that any data collected is properly protected and stored with encryption

Security Monitoring or IDS

  • Make sure that the Embedded devices can detect/limit and report invalid login attempts and other potentially malicious activities.

NA

  • Ensure that the application has the ability to enable logging of security events
  • Ensure that the application has the ability to notify end users of security events
  • Ensure that only data critical to the functionality of the device is collected

Firewalling or IPS

  • Make sure that a host based firewall is implemented at the edge devices (gateways) to control the data traffic.

NA

  • Ensure that only necessary secure ports are exposed
  •  Ensure that the services are not vulnerable to buffer overflow and fuzzing attacks
  • Ensure that the services are not vulnerable to DoS (Denial of Service).

Updates and patches

  • Make sure that the operators roll out patches/updates regularly.
  • Make sure that the devices authenticate these updates, in a way that does not consume bandwidth or impair the functional safety of the device.

NA

  • Ensure that a regular update of Mobile/Web Applications is rolled out.

Device Tampering Detection

  • Make sure that a tampering detection mechanism is in place that enables the detection of any unauthorized attempt to access the system at the hardware or software level

NA

NA

Secured Communication

NA

  • Ensure that the data is encrypted when in transit, to protect your data communication against eavesdropping and message falsification.

NA

Distributed Intelligence

  • In Industrial IoT solutions, it will be always better to have a decentralized architecture such as Fog computing to avoid any single point of failures as well as better utilization of resources.

NA

NA

 
Gadgeon Systems, Inc. is not just a Design House that specializes in IoT Design.  We are IoT Consultants, helping our customers navigate though the myriad decisions facing the typical customer implementing their own IoT product.  As we engage with customers in an End-to-End IoT design implementation, our unique approach ensures an optimum result; combining the ideal architecture, cloud, mobile app, and connectivity choices, resulting in optimal user-experience.   

How secure is your IoT Implementation? See the IoT Implementation best practices.

What to Read Next

Testimonials

Get in touch

 Quick enquiry