Difference between revisions of "Internet of Things"

From wiki
Jump to navigation Jump to search
(Created page with "<div class="center"><div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/2785549...")
 
(Replaced content with "<div class="center"><div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/278...")
Tag: Replaced
 
Line 28: Line 28:
 
<br>
 
<br>
 
{{TOCright}}
 
{{TOCright}}
<br>
+
{{Delete|reason=Expired Content}}
== Security Considerations Paper for Internet of Things within the Government of Canada ==
 
 
 
=== Executive Summary ===
 
With the ongoing explosion of Internet of
 
Things technologies, organizations are beginning to explore a large number of
 
use cases for the technology to assist in the delivery of their respective
 
mandates.  The combination of low cost
 
sensors and the ability to retrieve and analyze the data from these devices
 
offers benefits to organizations.  In
 
order to ensure that these systems do not introduce undue levels of risk, there
 
are a number of security considerations that should be taken into account as
 
part of the deployment and lifecycle planning for these devices.
 
 
 
While many of the challenges for
 
implementing an IoT system are common with any other technology deployment, the
 
method for addressing this challenges will differ as there are fewer enterprise
 
grade options for addressing common operational and security concerns for the
 
fleet of IoT devices due to the characteristics of the devices themselves.  While traditional IT systems and components
 
have had decades to become enterprise ready in terms of the ability to
 
configure, monitor and manage a large number of devices from a centralized
 
position, the nature of an IoT system leads to limited functionality at the
 
endpoints in terms of the ability to configure and manage the device. 
 
 
 
This paper introduces a few core concepts
 
and explores a few of the key critical security considerations organizations
 
need to factor in to their deployment plans for IoT systems. 
 
 
 
=== What is IoT ===
 
The Internet of things (IoT) is the
 
extension of Internet connectivity into physical devices and everyday objects.
 
Embedded with electronics, Internet connectivity, and other forms of hardware
 
(such as sensors), these devices can communicate and interact with others over
 
the Internet, and they can be remotely monitored and controlled.  [1]
 
 
 
IoT components or primitives defined within
 
NIST 800-183 include Sensors, Aggregators, Communication Channel, eUtility and
 
a Decision Trigger. 
 
 
 
Sensors are physical objects designed to
 
capture information about the physical environment and will usually relay this
 
information through a communication channel for external processing.  Sensors are devices that operate at the edge
 
of an IoT system and are usually lightweight devices with limited processing
 
and storage capabilities. 
 
 
 
Aggregators are intermediaries that receive
 
and forward information from sensors.  In
 
some implementations this function will be performed by processing chips inside
 
other sensors and in other situations this might be performed inside a cloud
 
environment.
 
 
 
Communication Channels are the medium
 
through which information is relayed between IoT components and may be physical
 
such as a Universal Serial Bus (USB) or may be over wireless channels such as
 
WiFi or RFID channels.
 
 
 
Electronic Utilities (eUtilities) are
 
software or hardware implementations that process information collected within
 
an IoT system.  These utilities require sufficient
 
computing power and storage to process the information collected within an IoT
 
system.
 
 
 
Decision Triggers are the output of an IoT
 
system and are built based upon the results of the eUtility’s processing of the
 
IoT inputs.  These decisions could include
 
taking a specific action in response to a trigger (such as detecting an excessive
 
temperature) or could also include sending an alert to an external party to
 
notify them that it is time to take corrective action.
 
 
 
To illustrate a typical IoT configuration,
 
consider the following example taken from the IoT forum reference architecture:
 
 
 
''Ted is a truck''
 
driver transporting highly sensitive orchids to a retail store. After loading
 
the orchids on his truck, he attaches an array of sensors to the load carriers
 
in order to measure the temperature. While he is driving, Ted gets hungry and
 
decides to stop and have lunch. He parks the truck at a resting spot, turns off
 
the engine and goes into a nearby restaurant. Unfortunately, Ted forgot that by
 
turning of the engine, air condition for the transported goods highly sensitive
 
orchids - shuts off, too, and since it is a very hot day, the temperature
 
inside the truck starts rising. When the temperature reaches a predefined
 
critical level inside one of the load carriers, one of its sensors notices this
 
and its node sends an emergency signal to Ted's IoT-Phone, which due to its
 
delicate nature cannot be received by the phones of other drivers.
 
 
 
''On the IoT-Phone's''
 
display, Ted can now see that the orchids in load carrier number 6 are in
 
danger due to high temperature so he rushes back to the vehicle and turns the
 
air condition back on. The IoT-Phone also keeps track of any alert messages it
 
receives from the load carriers and saves this message history for future
 
inspection in a way that cannot be altered. When the truck reaches the retail
 
store for delivery, the sensor history is transferred to the store‘s enterprise
 
system and the sensors authenticate themselves as being untampered.‖'''[2]'''
 
 
 
=== Security and Operational Considerations ===
 
There is an extensive list of
 
considerations for IoT systems and while most are not unique, the impact and
 
method of dealing with IoT systems will differ from traditional IT systems.    
 
 
 
==== Lifecycle management ====
 
Like all other IT Systems it is important
 
to plan for the lifecycle of IoT systems and give consideration to how all the
 
components of the specific IoT system will be managed throughout their
 
lifecycle.  The lifecycle plans for IoT
 
components should take into account to the devices will be configured
 
initially, how the devices will be updated on an ongoing basis to ensure that
 
they remain secure and operational for their lifespan and should also consider
 
how long the system will be maintained as most vendors will only support system
 
components for a fixed period of time. 
 
 
 
Each of these lifecycle phases have their
 
own list of considerations.  For new
 
deployments, the initial configuration will need to ensure that when there are
 
options to consider that the security requirements to protect the devices and
 
the information they process are taken into account.  Are there specific options that need to be
 
enabled to protect the communication channels between the sensors and the
 
eUtility?  Are there options regarding
 
the level of encryption?  Are there
 
password complexity settings to ensure no weak passwords are used?  How are these devices configured and tailored
 
for your organization?  Are all default
 
account passwords known and updated before they are rolled out?  What network is used to interconnect these
 
devices? How will the organization update devices to ensure discovered
 
vulnerabilities are addressed?  Do these
 
devices verify updates are from a valid source? Are the updates done over the communication
 
channel or do they require manual interaction? How long are the end points
 
supported and do you have a plan to replace the fleet on an ongoing basis?
 
 
 
==== Logging and Monitoring ====
 
To effectively use any IT system there is
 
always a requirement to know the status of the system components.  With an IoT system that may be relatively self-contained,
 
how will the organization know what the general health of the fleet of all IoT
 
assets is at any given time?  Do these
 
devices report back to a central console on premises or in the cloud?  What is the sensitivity of the data that is
 
collected and reported back to the central console?  Who will review the logs that the system is
 
generating on a regular basis and what actions should they take upon finding
 
events that are outside normal operating parameters?  Does the organization have any capability or
 
support to properly investigate potential security events involving an IoT
 
system?  Often, special tools and
 
capabilities will be required to conduct forensic analysis of these devices if
 
any capability event exists and due to the nature of the devices the amount of
 
information that would even be available on board the IoT endpoints may be
 
quite limited. 
 
 
 
==== Physical Security ====
 
Due to the nature of the IoT devices and
 
the sensors specifically, there will often be times when the sensor components
 
would need to exist in a less physically secure environment than other
 
traditional IT components.  For example a
 
security camera will often need to be placed outside of a secure area in order
 
to monitor for movement or attempts to breach a security perimeter.  The results is that these sensors will often
 
be more susceptible to physical tampering than the back end components.  It is important to factor these considerations
 
into the overall IoT design to ensure that the endpoints do not become an entry
 
point into the more secure portions of an enterprise network. 
 
 
 
==== Data Sensitivity ====
 
As with any other system, it is important
 
to consider the type of data that is being collected and processed by the
 
overall system.  In addition to these
 
regular considerations, there is the increased consideration that should be
 
given to the data that is being aggregated through the use of IoT.  While the information from one individual
 
sensor may or may not be considered sensitive alone, are there any new concerns
 
that would arise from having the data from all sensors collected in a single
 
location? 
 
 
 
==== Privacy considerations ====
 
As IoT systems have the potential to
 
collect a large volume of data including data from public locations, it is
 
important to give consideration to what types of data are being collected,
 
where it is being sent, processed and stored (third party site? On premises?
 
Commercial cloud?).  As part of the
 
system design it is therefore important to include privacy experts from your
 
organization in the discussion to ensure that any potential privacy
 
considerations are taken into account.
 
 
 
=== Risks ===
 
 
 
==== Insecure Default settings ====
 
IoT devices have historically been focused
 
on ease of use and targeting consumers rather than enterprise customers and as
 
a result these devices are often shipped with weak configuration settings and
 
default passwords that are rarely changed by end users.
 
 
 
==== Vulnerable Network services ====
 
For a variety of reasons, IoT devices are
 
configured with insecure network services. 
 
At times this is because the developer leveraged already out of date
 
libraries and components during the build time or else due to other factors such
 
as the developer not releasing periodic updates or end users not applying regular
 
updates, devices will be left running vulnerable services that leave them exposed
 
to potential compromise. 
 
 
 
==== Insecure Administrative Options ====
 
Due to the historic lack of a secure
 
development process within the IoT vendor community, there have been several
 
examples of IoT devices being left with insecure administrative interfaces and
 
APIs that have left customers with vulnerable IoT devices.  This leaves the components susceptible to
 
compromise and leaves the information on the devices exposed to high levels of
 
risk.
 
 
 
==== Lack of Secure Update ====
 
Due to limitations of the platforms running
 
IoT services and the general lack of enterprise grade services in the IoT
 
space, the update process for IoT devices is generally far behind the existing
 
processes that support traditional workstations and servers within the
 
enterprise.  As a result when vendors do
 
support update processes there are sometimes weaknesses in the process such as
 
a failure to download the updates over a secure connection or failure to
 
validate that the update is digitally signed to ensure that no malicious
 
updates are applied.
 
 
 
==== Lack of endpoint security features ====
 
IoT end points have historically had
 
limited ability to process and handle data which has meant that these devices
 
are not equipped with the same level of endpoint protection as other more
 
robust platforms within the organization. 
 
Without modern protections that are now found on traditional endpoints,
 
the degree of sophistication required to exploit these devices is significantly
 
lower.
 
 
 
IoT devices are often connected to high
 
speed internet connections, have significantly lower security protections and
 
as a result have become an attractive targets for attackers looking to build
 
botnets of machines to conduct DDoS attacks.
 
 
 
=== Recommendations ===
 
To address these risks and gain the benefit
 
of IoT systems, there are a series of normal secure development practices that
 
can be employed to minimize the associated risk of deploying IoT systems within
 
the enterprise.  A series of
 
recommendations can be found in the Cloud Security Alliance Security Guidance
 
for Early Adopters of the Internet of Things in Section 5[3]
 
 
 
<nowiki>https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf</nowiki>
 
 
 
==== Analyze privacy impacts to stakeholders ====
 
Given the complexity and scale of IoT
 
systems, it is vital that privacy considerations be given sufficient thought
 
and planning throughout the development and implementation phase to ensure that
 
there are adequate safeguards in place to protect potentially private
 
information from accidental or deliberate disclosure.  Failure to address these concerns early in
 
the process could result in the organization running afoul of privacy
 
legislation and put personal information at risk.
 
 
 
==== Apply a Secure Systems Engineering approach ====
 
As with any system, the deployment of an IoT solution can be best
 
secured if the solution is well thought out from the start and takes into
 
consideration and security requirements in the beginning.  The specific information that is to be
 
collected and processed should be evaluated to ensure that it is protected in
 
transit and at rest where necessary and the unique characteristics of the IoT
 
system such as the potential use of any third party or cloud based resources to
 
store and process the sensor information will need to be taken into account
 
throughout all phases of the deployment.
 
 
 
==== Implement layered security protections to defend IoT assets ====
 
Once the security requirements have been analyzed
 
and defined during the planning phase, sufficient security controls will need
 
to be planned for and deployed at various points in the IoT architecture to
 
ensure that information is adequately protected while it is being collected,
 
transferred and processed.
 
 
 
==== Implement data protection best-practices to protect sensitive information ====
 
Where possible and practical technologies
 
such as encryption should be implemented to protect sensitive information and
 
at all points in the system, the authentication and authorization solution much
 
be sufficiently robust to ensure that weak and default passwords are not in
 
use.
 
 
 
==== Define lifecycle controls for IoT devices ====
 
As with any IT component, a full lifecycle
 
from purchasing to the decommissioning of IoT devices will need to be
 
defined.  Too often solutions are rapidly
 
developed and deployed with no clear plan for how the solution will be maintained
 
while under operation nor how long it will be operated before being replaced
 
with a newer technology or decommissioned and taken out of service. 
 
 
 
==== Define and implement an authentication/authorization framework ====
 
Given the nature of IoT devices, it is not
 
always possible to integrate an IoT solution into an enterprise authentication
 
and authorization solution however even when this is not possible, it is vital
 
to ensure that there is a plan in place to manage who within the organization
 
should and should not have access to the IoT components during the course of
 
their normal duties.  This is another
 
area where the lifecycle of user access must be planned for to ensure that as
 
people come into or exit the organization their access is added and removed in
 
a timely manner.
 
 
 
==== Define and implement a logging/audit framework ====
 
This is another area of overlap with other
 
IT systems within the organization but also one where there are unique
 
challenges as the end points and sensors in the IoT deployment have varying
 
degrees of capabilities when it comes to logging and auditing.  In some cases, there will be limited ability
 
to generate and or forward log and audit events on the sensors due to power,
 
computational power and storage constraints. 
 
These constraints and any limitations should be factored into the design
 
discussions and documented to ensure that there is a clear understanding of
 
what is and is not possible within the solution.
 
 
 
=== Additional Resources ===
 
In addition to the general guidance for
 
Internet of Things technologies and in response to some of the unique
 
challenges that exist with this technology, there have been several new
 
publications on specific topics of interest for IoT. 
 
 
 
To address the potential for IoT devices to
 
be used as part of a DDoS botnet organizations have been working on the
 
implementation of a Manufacture Usage Descriptions which intends to facilitate
 
efforts to restrict data flows to and from IoT devices to only those flows
 
required to operate the devices and thereby limit their usefulness in DDoS
 
attacks.  Draft guidance from NIST
 
SP1800-15 outlines how to go about configuring an enterprise network to
 
implement such a solution. <nowiki>https://www.nccoe.nist.gov/sites/default/files/library/sp1800/iot-ddos-nist-sp1800-15-preliminary-draft.pdf</nowiki>
 
 
 
To address limitations of IoT devices in
 
terms of their processing power and energy consumption restrictions that
 
prevent the implementation of robust cryptography solutions,  the National Institute of Standards and
 
Technology (NIST) has issued a call for a lightweight cryptography solution
 
that would allow for secured communications without the usual overhead of a
 
standard solution.  Information on this
 
can be found at: <nowiki>https://www.nist.gov/news-events/news/2018/04/nist-issues-first-call-lightweight-cryptography-protect-small-electronics</nowiki>
 
 
 
[1] Wikipedia page
 
retrieved 30 April 2019 <nowiki>https://en.wikipedia.org/wiki/Internet_of_things</nowiki>
 
 
 
[2] Pages 49-50 ''<nowiki>https://iotforum.org/wp-content/uploads/2014/09/D1.5-20130715-VERYFINAL.pdf</nowiki>''
 
 
 
[3] CSA Security Guidance for IoT https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
 
 
 
[[File:IOT - Get Cyber Safe.jpg|thumbnail]]
 
 
 
== The Internet of Things ([https://www.getcybersafe.gc.ca/cnt/rsks/ntrnt-thngs/index-en.aspx Public Safety - Get Cyber Safe])==
 
<br>
 
'''What is the Internet of Things?'''
 
<br>
 
The Internet of Things (IoT) refers to physical devices (also called “smart” or “connected” devices) that connect to each other via the internet. They collect and exchange information with one another and with us. Smart devices can be remotely controlled and monitored, or work automatically, through a variety of software, cameras and sensors.
 
<br>
 
<br>
 
'''Types of IoT technology'''
 
<br>
 
There are many types of smart devices, and more emerging every day.
 
<br>
 
<br>
 
'''IoT in the Home'''
 
<br>
 
* Entertainment systems including a television, gaming system, speakers and headphones
 
* Heating and cooling systems such as the a thermostat, ceiling fan, carbon monoxide detector and smoke alarm, and lights
 
* Home security systems including alarms, smart locks, garage door openers, baby monitors, cameras, and home assistants
 
* Smart home appliances like a refrigerator, coffee maker, oven, and vacuum
 
'''IoT on the Go'''
 
<br>
 
* Connected smart cars, buses, trains, and airplanes
 
* Wearables like a fitness tracker, watch Healthcare devices like heart and blood pressure monitors are converting to smart devices as well. Even your pet can be connected with a tracking collar.
 
'''How IoT technology works?'''
 
<br>
 
Web-enabled smart devices transmit information gathered from their surroundings using embedded sensors, software and processors. Smart devices communicate with one another (machine to machine) or with us through our smartphones. After initial setup, most smart devices work automatically, collecting and sending information.
 
<br>
 
<br>
 
'''Why IoT is popular?'''
 
<br>
 
Because of the automatic nature of the IoT, smart devices have many advantages. Coffee starts brewing when your alarm goes off in the morning. Your child forgets their keys, but you can unlock the door from work. You can remotely monitor your home and your family to keep them and your belongings safe. You can streamline your home's functions to make things run more efficiently. The IoT can change how you organize and schedule, and adding convenience and connection.
 
<br>
 
<br>
 
'''What are the risks?'''
 
<br>
 
With the automatic flow of information and connection between IoT devices comes a new set of cyber security risks. If you can access all your data remotely, a cybercriminal might be able to as well. The very nature of the IoT is connectivity, but with so many devices on one network, hackers could have multiple access points to your information. That's why security settings can be important. For example, a thermostat connected to your home network that is not properly secured could be a gateway to your identity, money, your address and other devices.
 
<br>
 
Not only is a breach of information a risk, but also someone taking control of a device and its functions. For example, someone hacking your smart lock system may not steal information, but they may be able to unlock the doors and steal your belongings.
 
 
 
[[File:IOT - CSE Cyber Journal.jpg|thumbnail]]
 
 
 
== Internet of Things - The Future is Now ([https://www.cse-cst.gc.ca/en/node/2097/html/27699#a4 CSE Cyber Journal June 2017])==
 
The Internet of Things (IoT) is a popular term used to describe everyday electronic products that are able to communicate with other connected devices and networks, such as the Internet. IoT devices include anything from fitness trackers, TVs, lightbulbs, or even your coffee maker. While IoT devices can be economical and convenient, using them can have a significant impact on security and privacy.
 
 
 
<br>
 
'''How will IoT Impact your Network's Security?'''
 
There is currently no standard for communication between IoT devices, which increases the complexity of managing network security. Most IoT devices use proprietary software with weak encryption schemes and limited endpoint security to protect your information.
 
 
 
<br>
 
'''How do Threat Actors Target IoT Vulnerabilities?'''
 
In many cases, IoT devices lack the technical ability to apply security patches when vulnerabilities are discovered. As a result, vulnerable IoT devices can be used to carry out malicious activities such as launching Distributed Denial of Service (DDOS) attacks, manipulating smart building controls or even turning off automobile safety features.
 
 
 
<br>
 
'''How can you Minimize IoT Security and Privacy Concerns?'''
 
As an emerging technology, mitigations are not always available. Organizations must learn how to manage these new end-points within their networks by introducing appropriate governance, policies and security controls into their departmental security plans. Data generated by IoT devices can reveal private information about your daily activities. Conventional methods of protecting private information continue to evolve as federal authorities work to anticipate the possible privacy impacts of IoT.
 
 
 
<br>
 
While IoT may provide many benefits, departments will have to effectively manage the additional IT security and privacy risks by following the principles in CSE’s [https://www.cse-cst.gc.ca/en/node/265/html/22814 ITSG-33] and [https://www.cse-cst.gc.ca/en/node/1297/html/25231 Top 10 IT Security Actions].
 
 
 
== Links to GC Information ==
 
[https://www.cse-cst.gc.ca/en/node/2097/html/27699#a4 Internet of Things: The Future is Now - Cyber Journal, June 2017 - Communications Security Establishment]
 
<br>
 
[https://cyber.gc.ca/en/guidance/internet-things-security-small-and-medium-organizations-itsap00012 Internet of Things Security for Small and Medium Organizations  - Cyber Centre]
 
<br>
 
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20170127-en.aspx Protect your privacy while using the Internet of Things - Get Cyber Safe]
 
<br>
 
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20141014-en.aspx Just What is the "Internet of Things?" - Get Cyber Safe]
 
<br>
 
[https://www.getcybersafe.gc.ca/cnt/blg/pst-20170901-en.aspx How to #ConnectSmarter on the Internet of Things - Get Cyber Safe]
 
<br>
 
[https://www.priv.gc.ca/en/privacy-topics/technology-and-privacy/02_05_d_72_iot/ Privacy and the Internet of Things - Office of the Privacy Commissioner of Canada]
 
 
 
== Links to Relevant Articles ==
 
[https://www.us-cert.gov/ncas/tips/ST17-001 US-CERT - Securing the Internet of Things: Security Tip (ST17-001)]
 
<br>
 
[https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf DHS - Strategic Principles for Securing the Internet of Things]
 
<br>
 
[https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program NIST - Cybersecurity for IoT Program]
 
<br>
 
[https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf U.K Department for Digital, Culture, Media and Sport (DMCS) code of practice for IoT]
 

Latest revision as of 12:41, 20 April 2021