Internet of Things
Security Considerations Paper for Internet of Things within the Government of Canada
With the ongoing explosion of Internet of Things technologies, organizations are beginning to explore a large number of use cases for the technology to assist in the delivery of their respective mandates. The combination of low cost sensors and the ability to retrieve and analyze the data from these devices offers benefits to organizations. In order to ensure that these systems do not introduce undue levels of risk, there are a number of security considerations that should be taken into account as part of the deployment and lifecycle planning for these devices.
While many of the challenges for implementing an IoT system are common with any other technology deployment, the method for addressing this challenges will differ as there are fewer enterprise grade options for addressing common operational and security concerns for the fleet of IoT devices due to the characteristics of the devices themselves. While traditional IT systems and components have had decades to become enterprise ready in terms of the ability to configure, monitor and manage a large number of devices from a centralized position, the nature of an IoT system leads to limited functionality at the endpoints in terms of the ability to configure and manage the device.
This paper introduces a few core concepts and explores a few of the key critical security considerations organizations need to factor in to their deployment plans for IoT systems.
What is IoT
The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. Embedded with electronics, Internet connectivity, and other forms of hardware (such as sensors), these devices can communicate and interact with others over the Internet, and they can be remotely monitored and controlled. 
IoT components or primitives defined within NIST 800-183 include Sensors, Aggregators, Communication Channel, eUtility and a Decision Trigger.
Sensors are physical objects designed to capture information about the physical environment and will usually relay this information through a communication channel for external processing. Sensors are devices that operate at the edge of an IoT system and are usually lightweight devices with limited processing and storage capabilities.
Aggregators are intermediaries that receive and forward information from sensors. In some implementations this function will be performed by processing chips inside other sensors and in other situations this might be performed inside a cloud environment.
Communication Channels are the medium through which information is relayed between IoT components and may be physical such as a Universal Serial Bus (USB) or may be over wireless channels such as WiFi or RFID channels.
Electronic Utilities (eUtilities) are software or hardware implementations that process information collected within an IoT system. These utilities require sufficient computing power and storage to process the information collected within an IoT system.
Decision Triggers are the output of an IoT system and are built based upon the results of the eUtility’s processing of the IoT inputs. These decisions could include taking a specific action in response to a trigger (such as detecting an excessive temperature) or could also include sending an alert to an external party to notify them that it is time to take corrective action.
To illustrate a typical IoT configuration, consider the following example taken from the IoT forum reference architecture:
Ted is a truck driver transporting highly sensitive orchids to a retail store. After loading the orchids on his truck, he attaches an array of sensors to the load carriers in order to measure the temperature. While he is driving, Ted gets hungry and decides to stop and have lunch. He parks the truck at a resting spot, turns off the engine and goes into a nearby restaurant. Unfortunately, Ted forgot that by turning of the engine, air condition for the transported goods highly sensitive orchids - shuts off, too, and since it is a very hot day, the temperature inside the truck starts rising. When the temperature reaches a predefined critical level inside one of the load carriers, one of its sensors notices this and its node sends an emergency signal to Ted's IoT-Phone, which due to its delicate nature cannot be received by the phones of other drivers.
On the IoT-Phone's display, Ted can now see that the orchids in load carrier number 6 are in danger due to high temperature so he rushes back to the vehicle and turns the air condition back on. The IoT-Phone also keeps track of any alert messages it receives from the load carriers and saves this message history for future inspection in a way that cannot be altered. When the truck reaches the retail store for delivery, the sensor history is transferred to the store‘s enterprise system and the sensors authenticate themselves as being untampered.‖
Security and Operational Considerations
There is an extensive list of considerations for IoT systems and while most are not unique, the impact and method of dealing with IoT systems will differ from traditional IT systems.
Like all other IT Systems it is important to plan for the lifecycle of IoT systems and give consideration to how all the components of the specific IoT system will be managed throughout their lifecycle. The lifecycle plans for IoT components should take into account to the devices will be configured initially, how the devices will be updated on an ongoing basis to ensure that they remain secure and operational for their lifespan and should also consider how long the system will be maintained as most vendors will only support system components for a fixed period of time.
Each of these lifecycle phases have their own list of considerations. For new deployments, the initial configuration will need to ensure that when there are options to consider that the security requirements to protect the devices and the information they process are taken into account. Are there specific options that need to be enabled to protect the communication channels between the sensors and the eUtility? Are there options regarding the level of encryption? Are there password complexity settings to ensure no weak passwords are used? How are these devices configured and tailored for your organization? Are all default account passwords known and updated before they are rolled out? What network is used to interconnect these devices? How will the organization update devices to ensure discovered vulnerabilities are addressed? Do these devices verify updates are from a valid source? Are the updates done over the communication channel or do they require manual interaction? How long are the end points supported and do you have a plan to replace the fleet on an ongoing basis?
Logging and Monitoring
To effectively use any IT system there is always a requirement to know the status of the system components. With an IoT system that may be relatively self-contained, how will the organization know what the general health of the fleet of all IoT assets is at any given time? Do these devices report back to a central console on premises or in the cloud? What is the sensitivity of the data that is collected and reported back to the central console? Who will review the logs that the system is generating on a regular basis and what actions should they take upon finding events that are outside normal operating parameters? Does the organization have any capability or support to properly investigate potential security events involving an IoT system? Often, special tools and capabilities will be required to conduct forensic analysis of these devices if any capability event exists and due to the nature of the devices the amount of information that would even be available on board the IoT endpoints may be quite limited.
Due to the nature of the IoT devices and the sensors specifically, there will often be times when the sensor components would need to exist in a less physically secure environment than other traditional IT components. For example a security camera will often need to be placed outside of a secure area in order to monitor for movement or attempts to breach a security perimeter. The results is that these sensors will often be more susceptible to physical tampering than the back end components. It is important to factor these considerations into the overall IoT design to ensure that the endpoints do not become an entry point into the more secure portions of an enterprise network.
As with any other system, it is important to consider the type of data that is being collected and processed by the overall system. In addition to these regular considerations, there is the increased consideration that should be given to the data that is being aggregated through the use of IoT. While the information from one individual sensor may or may not be considered sensitive alone, are there any new concerns that would arise from having the data from all sensors collected in a single location?
As IoT systems have the potential to collect a large volume of data including data from public locations, it is important to give consideration to what types of data are being collected, where it is being sent, processed and stored (third party site? On premises? Commercial cloud?). As part of the system design it is therefore important to include privacy experts from your organization in the discussion to ensure that any potential privacy considerations are taken into account.
Insecure Default settings
IoT devices have historically been focused on ease of use and targeting consumers rather than enterprise customers and as a result these devices are often shipped with weak configuration settings and default passwords that are rarely changed by end users.
Vulnerable Network services
For a variety of reasons, IoT devices are configured with insecure network services. At times this is because the developer leveraged already out of date libraries and components during the build time or else due to other factors such as the developer not releasing periodic updates or end users not applying regular updates, devices will be left running vulnerable services that leave them exposed to potential compromise.
Insecure Administrative Options
Due to the historic lack of a secure development process within the IoT vendor community, there have been several examples of IoT devices being left with insecure administrative interfaces and APIs that have left customers with vulnerable IoT devices. This leaves the components susceptible to compromise and leaves the information on the devices exposed to high levels of risk.
Lack of Secure Update
Due to limitations of the platforms running IoT services and the general lack of enterprise grade services in the IoT space, the update process for IoT devices is generally far behind the existing processes that support traditional workstations and servers within the enterprise. As a result when vendors do support update processes there are sometimes weaknesses in the process such as a failure to download the updates over a secure connection or failure to validate that the update is digitally signed to ensure that no malicious updates are applied.
Lack of endpoint security features
IoT end points have historically had limited ability to process and handle data which has meant that these devices are not equipped with the same level of endpoint protection as other more robust platforms within the organization. Without modern protections that are now found on traditional endpoints, the degree of sophistication required to exploit these devices is significantly lower.
IoT devices are often connected to high speed internet connections, have significantly lower security protections and as a result have become an attractive targets for attackers looking to build botnets of machines to conduct DDoS attacks.
To address these risks and gain the benefit of IoT systems, there are a series of normal secure development practices that can be employed to minimize the associated risk of deploying IoT systems within the enterprise. A series of recommendations can be found in the Cloud Security Alliance Security Guidance for Early Adopters of the Internet of Things in Section 5
Analyze privacy impacts to stakeholders
Given the complexity and scale of IoT systems, it is vital that privacy considerations be given sufficient thought and planning throughout the development and implementation phase to ensure that there are adequate safeguards in place to protect potentially private information from accidental or deliberate disclosure. Failure to address these concerns early in the process could result in the organization running afoul of privacy legislation and put personal information at risk.
Apply a Secure Systems Engineering approach
As with any system, the deployment of an IoT solution can be best secured if the solution is well thought out from the start and takes into consideration and security requirements in the beginning. The specific information that is to be collected and processed should be evaluated to ensure that it is protected in transit and at rest where necessary and the unique characteristics of the IoT system such as the potential use of any third party or cloud based resources to store and process the sensor information will need to be taken into account throughout all phases of the deployment.
Implement layered security protections to defend IoT assets
Once the security requirements have been analyzed and defined during the planning phase, sufficient security controls will need to be planned for and deployed at various points in the IoT architecture to ensure that information is adequately protected while it is being collected, transferred and processed.
Implement data protection best-practices to protect sensitive information
Where possible and practical technologies such as encryption should be implemented to protect sensitive information and at all points in the system, the authentication and authorization solution much be sufficiently robust to ensure that weak and default passwords are not in use.
Define lifecycle controls for IoT devices
As with any IT component, a full lifecycle from purchasing to the decommissioning of IoT devices will need to be defined. Too often solutions are rapidly developed and deployed with no clear plan for how the solution will be maintained while under operation nor how long it will be operated before being replaced with a newer technology or decommissioned and taken out of service.
Given the nature of IoT devices, it is not always possible to integrate an IoT solution into an enterprise authentication and authorization solution however even when this is not possible, it is vital to ensure that there is a plan in place to manage who within the organization should and should not have access to the IoT components during the course of their normal duties. This is another area where the lifecycle of user access must be planned for to ensure that as people come into or exit the organization their access is added and removed in a timely manner.
Define and implement a logging/audit framework
This is another area of overlap with other IT systems within the organization but also one where there are unique challenges as the end points and sensors in the IoT deployment have varying degrees of capabilities when it comes to logging and auditing. In some cases, there will be limited ability to generate and or forward log and audit events on the sensors due to power, computational power and storage constraints. These constraints and any limitations should be factored into the design discussions and documented to ensure that there is a clear understanding of what is and is not possible within the solution.
In addition to the general guidance for Internet of Things technologies and in response to some of the unique challenges that exist with this technology, there have been several new publications on specific topics of interest for IoT.
To address the potential for IoT devices to be used as part of a DDoS botnet organizations have been working on the implementation of a Manufacture Usage Descriptions which intends to facilitate efforts to restrict data flows to and from IoT devices to only those flows required to operate the devices and thereby limit their usefulness in DDoS attacks. Draft guidance from NIST SP1800-15 outlines how to go about configuring an enterprise network to implement such a solution. https://www.nccoe.nist.gov/sites/default/files/library/sp1800/iot-ddos-nist-sp1800-15-preliminary-draft.pdf
To address limitations of IoT devices in terms of their processing power and energy consumption restrictions that prevent the implementation of robust cryptography solutions, the National Institute of Standards and Technology (NIST) has issued a call for a lightweight cryptography solution that would allow for secured communications without the usual overhead of a standard solution. Information on this can be found at: https://www.nist.gov/news-events/news/2018/04/nist-issues-first-call-lightweight-cryptography-protect-small-electronics
 Wikipedia page retrieved 30 April 2019 https://en.wikipedia.org/wiki/Internet_of_things
 Pages 49-50 https://iotforum.org/wp-content/uploads/2014/09/D1.5-20130715-VERYFINAL.pdf
 CSA Security Guidance for IoT https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
The Internet of Things (Public Safety - Get Cyber Safe)
What is the Internet of Things?
The Internet of Things (IoT) refers to physical devices (also called “smart” or “connected” devices) that connect to each other via the internet. They collect and exchange information with one another and with us. Smart devices can be remotely controlled and monitored, or work automatically, through a variety of software, cameras and sensors.
Types of IoT technology
There are many types of smart devices, and more emerging every day.
IoT in the Home
- Entertainment systems including a television, gaming system, speakers and headphones
- Heating and cooling systems such as the a thermostat, ceiling fan, carbon monoxide detector and smoke alarm, and lights
- Home security systems including alarms, smart locks, garage door openers, baby monitors, cameras, and home assistants
- Smart home appliances like a refrigerator, coffee maker, oven, and vacuum
IoT on the Go
- Connected smart cars, buses, trains, and airplanes
- Wearables like a fitness tracker, watch Healthcare devices like heart and blood pressure monitors are converting to smart devices as well. Even your pet can be connected with a tracking collar.
How IoT technology works?
Web-enabled smart devices transmit information gathered from their surroundings using embedded sensors, software and processors. Smart devices communicate with one another (machine to machine) or with us through our smartphones. After initial setup, most smart devices work automatically, collecting and sending information.
Why IoT is popular?
Because of the automatic nature of the IoT, smart devices have many advantages. Coffee starts brewing when your alarm goes off in the morning. Your child forgets their keys, but you can unlock the door from work. You can remotely monitor your home and your family to keep them and your belongings safe. You can streamline your home's functions to make things run more efficiently. The IoT can change how you organize and schedule, and adding convenience and connection.
What are the risks?
With the automatic flow of information and connection between IoT devices comes a new set of cyber security risks. If you can access all your data remotely, a cybercriminal might be able to as well. The very nature of the IoT is connectivity, but with so many devices on one network, hackers could have multiple access points to your information. That's why security settings can be important. For example, a thermostat connected to your home network that is not properly secured could be a gateway to your identity, money, your address and other devices.
Not only is a breach of information a risk, but also someone taking control of a device and its functions. For example, someone hacking your smart lock system may not steal information, but they may be able to unlock the doors and steal your belongings.
Internet of Things - The Future is Now (CSE Cyber Journal June 2017)
The Internet of Things (IoT) is a popular term used to describe everyday electronic products that are able to communicate with other connected devices and networks, such as the Internet. IoT devices include anything from fitness trackers, TVs, lightbulbs, or even your coffee maker. While IoT devices can be economical and convenient, using them can have a significant impact on security and privacy.
How will IoT Impact your Network's Security? There is currently no standard for communication between IoT devices, which increases the complexity of managing network security. Most IoT devices use proprietary software with weak encryption schemes and limited endpoint security to protect your information.
How do Threat Actors Target IoT Vulnerabilities? In many cases, IoT devices lack the technical ability to apply security patches when vulnerabilities are discovered. As a result, vulnerable IoT devices can be used to carry out malicious activities such as launching Distributed Denial of Service (DDOS) attacks, manipulating smart building controls or even turning off automobile safety features.
How can you Minimize IoT Security and Privacy Concerns? As an emerging technology, mitigations are not always available. Organizations must learn how to manage these new end-points within their networks by introducing appropriate governance, policies and security controls into their departmental security plans. Data generated by IoT devices can reveal private information about your daily activities. Conventional methods of protecting private information continue to evolve as federal authorities work to anticipate the possible privacy impacts of IoT.
While IoT may provide many benefits, departments will have to effectively manage the additional IT security and privacy risks by following the principles in CSE’s ITSG-33 and Top 10 IT Security Actions.
Links to GC Information
Internet of Things: The Future is Now - Cyber Journal, June 2017 - Communications Security Establishment
Internet of Things Security for Small and Medium Organizations - Cyber Centre
Protect your privacy while using the Internet of Things - Get Cyber Safe
Just What is the "Internet of Things?" - Get Cyber Safe
How to #ConnectSmarter on the Internet of Things - Get Cyber Safe
Privacy and the Internet of Things - Office of the Privacy Commissioner of Canada
Links to Relevant Articles
US-CERT - Securing the Internet of Things: Security Tip (ST17-001)
DHS - Strategic Principles for Securing the Internet of Things
NIST - Cybersecurity for IoT Program
U.K Department for Digital, Culture, Media and Sport (DMCS) code of practice for IoT