27,896 bytes added ,  09:42, 14 April 2021
<br>
{{TOCright}}
<br>
== Security Considerations Paper for Internet of Things within the Government of Canada ==

=== Executive Summary ===
With the ongoing explosion of Internet of
Things technologies, organizations are beginning to explore a large number of
use cases for the technology to assist in the delivery of their respective
mandates.  The combination of low cost
sensors and the ability to retrieve and analyze the data from these devices
offers benefits to organizations.  In
order to ensure that these systems do not introduce undue levels of risk, there
are a number of security considerations that should be taken into account as
part of the deployment and lifecycle planning for these devices.

While many of the challenges of implementing an IoT system are common to any other technology deployment, the method for addressing these challenges will differ: because of the characteristics of the devices themselves, there are fewer enterprise-grade options for addressing common operational and security concerns across a fleet of IoT devices.  Traditional IT systems and components have had decades to become enterprise ready in terms of the ability to configure, monitor and manage a large number of devices from a centralized position, whereas the nature of an IoT system leads to limited functionality at the endpoints in terms of the ability to configure and manage the device.

This paper introduces a few core concepts and explores a few of the key security considerations organizations need to factor into their deployment plans for IoT systems.

=== What is IoT ===
The Internet of things (IoT) is the
extension of Internet connectivity into physical devices and everyday objects.
Embedded with electronics, Internet connectivity, and other forms of hardware
(such as sensors), these devices can communicate and interact with others over
the Internet, and they can be remotely monitored and controlled.  [1]

IoT components or primitives defined within
NIST 800-183 include Sensors, Aggregators, Communication Channel, eUtility and
a Decision Trigger. 

Sensors are physical objects designed to
capture information about the physical environment and will usually relay this
information through a communication channel for external processing.  Sensors are devices that operate at the edge
of an IoT system and are usually lightweight devices with limited processing
and storage capabilities. 

Aggregators are intermediaries that receive
and forward information from sensors.  In
some implementations this function will be performed by processing chips inside
other sensors and in other situations this might be performed inside a cloud
environment.

Communication Channels are the medium
through which information is relayed between IoT components and may be physical
such as a Universal Serial Bus (USB) or may be over wireless channels such as
WiFi or RFID channels.

Electronic Utilities (eUtilities) are
software or hardware implementations that process information collected within
an IoT system.  These utilities require sufficient
computing power and storage to process the information collected within an IoT
system.

Decision Triggers are the output of an IoT
system and are built based upon the results of the eUtility’s processing of the
IoT inputs.  These decisions could include
taking a specific action in response to a trigger (such as detecting an excessive
temperature) or could also include sending an alert to an external party to
notify them that it is time to take corrective action.

To illustrate a typical IoT configuration,
consider the following example taken from the IoT forum reference architecture:

''Ted is a truck driver transporting highly sensitive orchids to a retail store. After loading the orchids on his truck, he attaches an array of sensors to the load carriers in order to measure the temperature. While he is driving, Ted gets hungry and decides to stop and have lunch. He parks the truck at a resting spot, turns off the engine and goes into a nearby restaurant. Unfortunately, Ted forgot that by turning off the engine, air condition for the transported goods - highly sensitive orchids - shuts off, too, and since it is a very hot day, the temperature inside the truck starts rising. When the temperature reaches a predefined critical level inside one of the load carriers, one of its sensors notices this and its node sends an emergency signal to Ted's IoT-Phone, which due to its delicate nature cannot be received by the phones of other drivers.''

''On the IoT-Phone's display, Ted can now see that the orchids in load carrier number 6 are in danger due to high temperature so he rushes back to the vehicle and turns the air condition back on. The IoT-Phone also keeps track of any alert messages it receives from the load carriers and saves this message history for future inspection in a way that cannot be altered. When the truck reaches the retail store for delivery, the sensor history is transferred to the store's enterprise system and the sensors authenticate themselves as being untampered.'' '''[2]'''

=== Security and Operational Considerations ===
There is an extensive list of
considerations for IoT systems and while most are not unique, the impact and
method of dealing with IoT systems will differ from traditional IT systems.    

==== Lifecycle management ====
As with all other IT systems, it is important to plan for the lifecycle of IoT systems and to consider how all the components of the specific IoT system will be managed throughout their lifecycle.  The lifecycle plans for IoT components should take into account how the devices will be configured initially and how the devices will be updated on an ongoing basis to ensure that they remain secure and operational for their lifespan, and should also consider how long the system will be maintained, as most vendors will only support system components for a fixed period of time.

Each of these lifecycle phases has its own list of considerations.  For new deployments, where there are configuration options to choose from, the initial configuration will need to take into account the security requirements to protect the devices and the information they process.  Are there specific options that need to be enabled to protect the communication channels between the sensors and the eUtility?  Are there options regarding the level of encryption?  Are there password complexity settings to ensure no weak passwords are used?  How are these devices configured and tailored for your organization?  Are all default account passwords known and updated before they are rolled out?  What network is used to interconnect these devices?  How will the organization update devices to ensure discovered vulnerabilities are addressed?  Do these devices verify updates are from a valid source?  Are the updates done over the communication channel or do they require manual interaction?  How long are the end points supported and do you have a plan to replace the fleet on an ongoing basis?

==== Logging and Monitoring ====
To effectively use any IT system there is
always a requirement to know the status of the system components.  With an IoT system that may be relatively self-contained,
how will the organization know what the general health of the fleet of all IoT
assets is at any given time?  Do these
devices report back to a central console on premises or in the cloud?  What is the sensitivity of the data that is
collected and reported back to the central console?  Who will review the logs that the system is
generating on a regular basis and what actions should they take upon finding
events that are outside normal operating parameters?  Does the organization have any capability or
support to properly investigate potential security events involving an IoT
system?  Often, special tools and
capabilities will be required to conduct forensic analysis of these devices, if
any such capability even exists, and due to the nature of the devices the amount of
information that would even be available on board the IoT endpoints may be
quite limited. 

==== Physical Security ====
Due to the nature of the IoT devices and
the sensors specifically, there will often be times when the sensor components
would need to exist in a less physically secure environment than other
traditional IT components.  For example, a
security camera will often need to be placed outside of a secure area in order
to monitor for movement or attempts to breach a security perimeter.  The result is that these sensors will often
be more susceptible to physical tampering than the back end components.  It is important to factor these considerations
into the overall IoT design to ensure that the endpoints do not become an entry
point into the more secure portions of an enterprise network. 

==== Data Sensitivity ====
As with any other system, it is important
to consider the type of data that is being collected and processed by the
overall system.  In addition to these
regular considerations, there is the increased consideration that should be
given to the data that is being aggregated through the use of IoT.  While the information from one individual
sensor may or may not be considered sensitive alone, are there any new concerns
that would arise from having the data from all sensors collected in a single
location? 

==== Privacy considerations ====
As IoT systems have the potential to
collect a large volume of data including data from public locations, it is
important to give consideration to what types of data are being collected,
where it is being sent, processed and stored (third party site? On premises?
Commercial cloud?).  As part of the
system design it is therefore important to include privacy experts from your
organization in the discussion to ensure that any potential privacy
considerations are taken into account.

=== Risks ===

==== Insecure Default settings ====
IoT devices have historically been focused
on ease of use and targeting consumers rather than enterprise customers and as
a result these devices are often shipped with weak configuration settings and
default passwords that are rarely changed by end users.

==== Vulnerable Network services ====
For a variety of reasons, IoT devices are configured with insecure network services.  At times this is because the developer leveraged already out-of-date libraries and components at build time.  At other times, due to factors such as the developer not releasing periodic updates or end users not applying regular updates, devices are left running vulnerable services that leave them exposed to potential compromise.

==== Insecure Administrative Options ====
Due to the historic lack of a secure
development process within the IoT vendor community, there have been several
examples of IoT devices being left with insecure administrative interfaces and
APIs that have left customers with vulnerable IoT devices.  This leaves the components susceptible to
compromise and leaves the information on the devices exposed to high levels of
risk.

==== Lack of Secure Update ====
Due to limitations of the platforms running
IoT services and the general lack of enterprise grade services in the IoT
space, the update process for IoT devices is generally far behind the existing
processes that support traditional workstations and servers within the
enterprise.  As a result when vendors do
support update processes there are sometimes weaknesses in the process such as
a failure to download the updates over a secure connection or failure to
validate that the update is digitally signed to ensure that no malicious
updates are applied.

==== Lack of endpoint security features ====
IoT end points have historically had
limited ability to process and handle data which has meant that these devices
are not equipped with the same level of endpoint protection as other more
robust platforms within the organization. 
Without modern protections that are now found on traditional endpoints,
the degree of sophistication required to exploit these devices is significantly
lower.

IoT devices are often connected to high
speed internet connections, have significantly lower security protections and
as a result have become attractive targets for attackers looking to build
botnets of machines to conduct DDoS attacks.

=== Recommendations ===
To address these risks and gain the benefit
of IoT systems, there are a series of normal secure development practices that
can be employed to minimize the associated risk of deploying IoT systems within
the enterprise.  A series of
recommendations can be found in Section 5 of the Cloud Security Alliance Security Guidance
for Early Adopters of the Internet of Things.[3]

<nowiki>https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf</nowiki>

==== Analyze privacy impacts to stakeholders ====
Given the complexity and scale of IoT
systems, it is vital that privacy considerations be given sufficient thought
and planning throughout the development and implementation phase to ensure that
there are adequate safeguards in place to protect potentially private
information from accidental or deliberate disclosure.  Failure to address these concerns early in
the process could result in the organization running afoul of privacy
legislation and put personal information at risk.

==== Apply a Secure Systems Engineering approach ====
As with any system, the deployment of an IoT solution can be best secured if the solution is well thought out from the start and takes the security requirements into consideration from the beginning.  The specific information that is to be collected and processed should be evaluated to ensure that it is protected in transit and at rest where necessary, and the unique characteristics of the IoT system, such as the potential use of any third party or cloud based resources to store and process the sensor information, will need to be taken into account throughout all phases of the deployment.

==== Implement layered security protections to defend IoT assets ====
Once the security requirements have been analyzed
and defined during the planning phase, sufficient security controls will need
to be planned for and deployed at various points in the IoT architecture to
ensure that information is adequately protected while it is being collected,
transferred and processed.

==== Implement data protection best-practices to protect sensitive information ====
Where possible and practical, technologies such as encryption should be implemented to protect sensitive information and, at all points in the system, the authentication and authorization solution must be sufficiently robust to ensure that weak and default passwords are not in use.

==== Define lifecycle controls for IoT devices ====
As with any IT component, a full lifecycle
from purchasing to the decommissioning of IoT devices will need to be
defined.  Too often solutions are rapidly
developed and deployed with no clear plan for how the solution will be maintained
while under operation nor how long it will be operated before being replaced
with a newer technology or decommissioned and taken out of service. 

==== Define and implement an authentication/authorization framework ====
Given the nature of IoT devices, it is not
always possible to integrate an IoT solution into an enterprise authentication
and authorization solution.  However, even when this is not possible, it is vital
to ensure that there is a plan in place to manage who within the organization
should and should not have access to the IoT components during the course of
their normal duties.  This is another
area where the lifecycle of user access must be planned for to ensure that as
people come into or exit the organization their access is added and removed in
a timely manner.

==== Define and implement a logging/audit framework ====
This is another area of overlap with other
IT systems within the organization but also one where there are unique
challenges as the end points and sensors in the IoT deployment have varying
degrees of capabilities when it comes to logging and auditing.  In some cases, there will be limited ability
to generate and/or forward log and audit events on the sensors due to power,
computational and storage constraints. 
These constraints and any limitations should be factored into the design
discussions and documented to ensure that there is a clear understanding of
what is and is not possible within the solution.

=== Additional Resources ===
In addition to the general guidance for
Internet of Things technologies and in response to some of the unique
challenges that exist with this technology, there have been several new
publications on specific topics of interest for IoT. 

To address the potential for IoT devices to be used as part of a DDoS botnet, organizations have been working on the implementation of Manufacturer Usage Descriptions (MUD), which are intended to facilitate efforts to restrict data flows to and from IoT devices to only those flows required to operate the devices and thereby limit their usefulness in DDoS attacks.  Draft guidance from NIST SP1800-15 outlines how to go about configuring an enterprise network to implement such a solution. <nowiki>https://www.nccoe.nist.gov/sites/default/files/library/sp1800/iot-ddos-nist-sp1800-15-preliminary-draft.pdf</nowiki>
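
The following added example (not part of the original paper or of NIST SP1800-15) illustrates the Manufacturer Usage Description (MUD) idea from a monitoring point of view: it reads a device's declared outbound flows and reports any observed flow that the declaration does not permit. The descriptor, the sensor, the addresses and the flow records are all constructed for illustration, and literal address prefixes are assumed in place of the DNS names a real MUD file would normally carry.

```python
import ipaddress
import json

# Constructed, simplified MUD-style descriptor for a hypothetical temperature
# sensor. Layout follows RFC 8520 and the ietf-access-control-list model;
# literal documentation prefixes stand in for DNS names so it runs offline.
MUD_JSON = """
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://mud.example.com/temp-sensor.json",
    "systeminfo": "Example load-carrier temperature sensor",
    "from-device-policy": {
      "access-lists": {"access-list": [{"name": "from-sensor"}]}
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [{
      "name": "from-sensor",
      "type": "ipv4-acl-type",
      "aces": {"ace": [
        {"name": "telemetry-https",
         "matches": {
           "ipv4": {"protocol": 6, "destination-ipv4-network": "192.0.2.0/28"},
           "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
         "actions": {"forwarding": "accept"}},
        {"name": "ntp",
         "matches": {
           "ipv4": {"protocol": 17, "destination-ipv4-network": "192.0.2.53/32"},
           "udp": {"destination-port": {"operator": "eq", "port": 123}}},
         "actions": {"forwarding": "accept"}}
      ]}
    }]
  }
}
"""

# Constructed flow records for one sensor, as a gateway might export them.
FLOWS = [
    {"dst": "192.0.2.10", "proto": 6, "dport": 443},     # telemetry
    {"dst": "192.0.2.53", "proto": 17, "dport": 123},    # time sync
    {"dst": "203.0.113.80", "proto": 6, "dport": 23},    # telnet, unlisted host
    {"dst": "198.51.100.7", "proto": 17, "dport": 53},   # unlisted resolver
    {"dst": "192.0.2.10", "proto": 6, "dport": 80},      # listed host, wrong port
]


def load_from_device_rules(mud_text):
    """Return (ace name, protocol, network, port) for each accepted egress ACE."""
    doc = json.loads(mud_text)
    policy = doc["ietf-mud:mud"]["from-device-policy"]
    wanted = {a["name"] for a in policy["access-lists"]["access-list"]}
    rules = []
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            port = (m.get("tcp") or m.get("udp") or {}).get("destination-port", {})
            # Fail closed: anything but "accept" with an exact port is ignored.
            if ace["actions"]["forwarding"] != "accept" or port.get("operator") != "eq":
                continue
            net = ipaddress.ip_network(m["ipv4"]["destination-ipv4-network"])
            rules.append((ace["name"], m["ipv4"]["protocol"], net, port["port"]))
    return rules


def check_flow(rules, flow):
    """Return the name of the ACE that permits the flow, or None (default deny)."""
    dst = ipaddress.ip_address(flow["dst"])
    for name, proto, net, port in rules:
        if flow["proto"] == proto and flow["dport"] == port and dst in net:
            return name
    return None


def audit(rules, flows):
    """Return the flows that no MUD rule permits."""
    return [f for f in flows if check_flow(rules, f) is None]


if __name__ == "__main__":
    for f in audit(load_from_device_rules(MUD_JSON), FLOWS):
        print("not permitted by MUD profile:", f)
```

Because anything not listed is treated as a violation, a compromised sensor that starts contacting unlisted hosts or ports stands out even when the device itself produces no logs.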

To address limitations of IoT devices in
terms of their processing power and energy consumption restrictions that
prevent the implementation of robust cryptography solutions, the National Institute of Standards and
Technology (NIST) has issued a call for a lightweight cryptography solution
that would allow for secured communications without the usual overhead of a
standard solution.  Information on this
can be found at: <nowiki>https://www.nist.gov/news-events/news/2018/04/nist-issues-first-call-lightweight-cryptography-protect-small-electronics</nowiki>

[1] Wikipedia page retrieved 30 April 2019 <nowiki>https://en.wikipedia.org/wiki/Internet_of_things</nowiki>

[2] Pages 49-50 <nowiki>https://iotforum.org/wp-content/uploads/2014/09/D1.5-20130715-VERYFINAL.pdf</nowiki>

[3] CSA Security Guidance for IoT <nowiki>https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf</nowiki>

[[File:IOT - Get Cyber Safe.jpg|thumbnail]]

== The Internet of Things ([https://www.getcybersafe.gc.ca/cnt/rsks/ntrnt-thngs/index-en.aspx Public Safety - Get Cyber Safe])==
<br>
'''What is the Internet of Things?'''
<br>
The Internet of Things (IoT) refers to physical devices (also called “smart” or “connected” devices) that connect to each other via the internet. They collect and exchange information with one another and with us. Smart devices can be remotely controlled and monitored, or work automatically, through a variety of software, cameras and sensors.
<br>
<br>
'''Types of IoT technology'''
<br>
There are many types of smart devices, and more emerging every day.
<br>
<br>
'''IoT in the Home'''
<br>
* Entertainment systems including a television, gaming system, speakers and headphones
* Heating and cooling systems such as a thermostat, ceiling fan, carbon monoxide detector and smoke alarm, and lights
* Home security systems including alarms, smart locks, garage door openers, baby monitors, cameras, and home assistants
* Smart home appliances like a refrigerator, coffee maker, oven, and vacuum
'''IoT on the Go'''
<br>
* Connected smart cars, buses, trains, and airplanes
* Wearables like a fitness tracker, watch
Healthcare devices like heart and blood pressure monitors are converting to smart devices as well. Even your pet can be connected with a tracking collar.
<br>
<br>
'''How IoT technology works?'''
<br>
Web-enabled smart devices transmit information gathered from their surroundings using embedded sensors, software and processors. Smart devices communicate with one another (machine to machine) or with us through our smartphones. After initial setup, most smart devices work automatically, collecting and sending information.
<br>
<br>
'''Why IoT is popular?'''
<br>
Because of the automatic nature of the IoT, smart devices have many advantages. Coffee starts brewing when your alarm goes off in the morning. Your child forgets their keys, but you can unlock the door from work. You can remotely monitor your home and your family to keep them and your belongings safe. You can streamline your home's functions to make things run more efficiently. The IoT can change how you organize and schedule, adding convenience and connection.
<br>
<br>
'''What are the risks?'''
<br>
With the automatic flow of information and connection between IoT devices comes a new set of cyber security risks. If you can access all your data remotely, a cybercriminal might be able to as well. The very nature of the IoT is connectivity, but with so many devices on one network, hackers could have multiple access points to your information. That's why security settings can be important. For example, a thermostat connected to your home network that is not properly secured could be a gateway to your identity, money, your address and other devices.
<br>
Not only is a breach of information a risk, but also someone taking control of a device and its functions. For example, someone hacking your smart lock system may not steal information, but they may be able to unlock the doors and steal your belongings.

[[File:IOT - CSE Cyber Journal.jpg|thumbnail]]

== Internet of Things - The Future is Now ([https://www.cse-cst.gc.ca/en/node/2097/html/27699#a4 CSE Cyber Journal June 2017])==
The Internet of Things (IoT) is a popular term used to describe everyday electronic products that are able to communicate with other connected devices and networks, such as the Internet. IoT devices include anything from fitness trackers, TVs, lightbulbs, or even your coffee maker. While IoT devices can be economical and convenient, using them can have a significant impact on security and privacy.

<br>
'''How will IoT Impact your Network's Security?'''
<br>
There is currently no standard for communication between IoT devices, which increases the complexity of managing network security. Most IoT devices use proprietary software with weak encryption schemes and limited endpoint security to protect your information.

<br>
'''How do Threat Actors Target IoT Vulnerabilities?'''
<br>
In many cases, IoT devices lack the technical ability to apply security patches when vulnerabilities are discovered. As a result, vulnerable IoT devices can be used to carry out malicious activities such as launching Distributed Denial of Service (DDoS) attacks, manipulating smart building controls or even turning off automobile safety features.

<br>
'''How can you Minimize IoT Security and Privacy Concerns?'''
<br>
As an emerging technology, mitigations are not always available. Organizations must learn how to manage these new end-points within their networks by introducing appropriate governance, policies and security controls into their departmental security plans. Data generated by IoT devices can reveal private information about your daily activities. Conventional methods of protecting private information continue to evolve as federal authorities work to anticipate the possible privacy impacts of IoT.

<br>
While IoT may provide many benefits, departments will have to effectively manage the additional IT security and privacy risks by following the principles in CSE’s [https://www.cse-cst.gc.ca/en/node/265/html/22814 ITSG-33] and [https://www.cse-cst.gc.ca/en/node/1297/html/25231 Top 10 IT Security Actions].

== Links to GC Information ==
[https://www.cse-cst.gc.ca/en/node/2097/html/27699#a4 Internet of Things: The Future is Now - Cyber Journal, June 2017 - Communications Security Establishment]
<br>
[https://cyber.gc.ca/en/guidance/internet-things-security-small-and-medium-organizations-itsap00012 Internet of Things Security for Small and Medium Organizations - Cyber Centre]
<br>
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20170127-en.aspx Protect your privacy while using the Internet of Things - Get Cyber Safe]
<br>
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20141014-en.aspx Just What is the "Internet of Things?" - Get Cyber Safe]
<br>
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20170901-en.aspx How to #ConnectSmarter on the Internet of Things - Get Cyber Safe]
<br>
[https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/02_05_d_72_iot/ Privacy and the Internet of Things - Office of the Privacy Commissioner of Canada]

== Links to Relevant Articles ==
[https://www.us-cert.gov/ncas/tips/ST17-001 US-CERT - Securing the Internet of Things: Security Tip (ST17-001)]
<br>
[https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf DHS - Strategic Principles for Securing the Internet of Things]
<br>
[https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program NIST - Cybersecurity for IoT Program]
<br>
[https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf U.K. Department for Digital, Culture, Media and Sport (DCMS) code of practice for IoT]
