Device/IoT-Centric Security Countermeasures
We provide an overview of existing countermeasures, each addressing one or more threats, and discuss the related gaps and challenges in Appendix A.1 of document D4.3. This section presents the status of cybersecurity solutions and connects them to the identified threats and gaps. We discuss classes of countermeasures, each describing the most relevant solutions to date.
- C1.1 – Performing contextual vulnerability assessment. IoT devices have to be monitored constantly throughout their lifecycle to track potential vulnerabilities from inside the devices. Moreover, manufacturers should ensure that devices ship without vulnerabilities and remain resistant to attacks by releasing critical updates in a timely manner and by monitoring devices for indications of software failures or other critical situations [1].
Threats: T1.3.3 – Lack of control on safety implications – COVID19, T1.4.2 – Denial of service, T1.4.3 – Malicious code/software/activity, T1.4.6 – Code execution and injection (unsecured APIs)
Gaps: G1.1 – Gaps on design, G1.4 – Gaps on diagnosis and response capabilities, G1.9 – Product lifecycle management leakages, G1.11 – Gaps in handling critical scenarios, G1.13 – Gaps on device management and the use of outdated components
- C1.2 – Implementing segmentation. Segmentation increases data and network security in IoT deployments and prevents attackers from moving laterally between components and thus infecting other components. It isolates specific components and layers security measures to protect sensitive data. The first step of segmentation is to create an inventory of the connected IoT devices, their connection methods, the type of data they transmit, and the other devices each one connects to. Devices that do not require network access should be disabled. During the segmentation process, it is advisable to segment IoT devices by category, such as infrastructural devices, data-collecting devices, or user endpoints [2]. Afterward, network policies for thwarting unauthorized access should be assigned according to the requirements of each endpoint’s purpose [3].
Threats: T1.1.1 – Information leakage/sharing due to human errors, T1.2.1 – Interception of information, T1.2.2 – Unauthorized acquisition of information (data breach), T1.3.2 – Extraction of private information, T1.3.3 – Lack of control on safety implications – COVID19, T1.4.3 – Malicious code/software /activity, T1.4.7 – Device hijacking
Gaps: G1.2 – Gaps on protection mechanisms adoption and hardening, G1.12 – Gaps on insufficient data protection (communication and storage), G1.13 – Gaps on device management and the use of outdated components
- C1.3 – Ensuring device authentication. Establishing the necessary authentication measures, such as biometrics, multi-factor authentication, and digital certificates, can ensure the protection of IoT endpoints [2]. All interconnected devices should be secured by full authentication, and factory default passwords should be changed. Moreover, to enforce mutual authentication between devices and services, lightweight symmetric and asymmetric cryptographic algorithms, such as the Secure Hash Algorithm (SHA-x) combined with a hash-based message authentication code (HMAC), and the Elliptic Curve Digital Signature Algorithm (ECDSA), can be deployed [4]. User data and communication streams from the sensors have to be encrypted, and their integrity ensured through hash-based integrity checks and authentication methods that allow communication only between trusted entities [5].
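The lightweight mutual authentication sketched above (SHA-2 used through an HMAC over a shared key), as an added example that is not part of this document or of any cited source: a challenge-response exchange in which the service challenges the device, the device proves possession of its key, and the service proves itself in return. The device identifier, the pre-shared key and the nonces are constructed values.

```python
import hashlib
import hmac
import secrets
# Constructed per-device credential; in practice provisioned securely at manufacture.
DEVICE_ID = b"sensor-0017"
PSK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()

class Service:  # backend: issues a challenge, verifies the device, then proves itself
    def __init__(self, keys):
        self.keys = keys      # device_id -> pre-shared key
        self.pending = {}     # device_id -> nonce currently outstanding
    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce
    def verify_device(self, device_id, n_dev, tag):
        key = self.keys.get(device_id)
        n_svc = self.pending.pop(device_id, None)  # single use: a replayed tag finds no nonce
        if key is None or n_svc is None:
            return None
        expected = prf(key, b"device", device_id, n_svc, n_dev)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None
        # Distinct label and nonce order, so a device tag can never be reflected as a service tag.
        return prf(key, b"service", device_id, n_dev, n_svc)

class Device:  # constrained endpoint: answers the challenge, then checks the service's proof
    def __init__(self, device_id, key):
        self.id, self.key, self.n_dev = device_id, key, None
    def respond(self, n_svc):
        self.n_dev = secrets.token_bytes(16)
        return self.n_dev, prf(self.key, b"device", self.id, n_svc, self.n_dev)
    def verify_service(self, n_svc, tag):
        expected = prf(self.key, b"service", self.id, self.n_dev, n_svc)
        return hmac.compare_digest(expected, tag)

def run_handshake(device, service):
    """Full exchange; True only when both sides have authenticated each other."""
    n_svc = service.challenge(device.id)
    n_dev, dev_tag = device.respond(n_svc)
    svc_tag = service.verify_device(device.id, n_dev, dev_tag)
    return svc_tag is not None and device.verify_service(n_svc, svc_tag)
```

The service consumes its nonce on the first verification attempt, so a captured device response cannot be replayed, and the two tags use different labels so neither side can be tricked into echoing the other's proof.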
Threats: T1.2.1 – Interception of information, T1.2.2 – Unauthorized acquisition of information (data breach), T1.3.2 – Extraction of private information, T1.4.1 – Identity fraud, T1.4.7 – Device hijacking
Gaps: G1.3 – Gaps on authorization and authentication, G1.12 – Gaps on insufficient data protection (communication and storage)
- C1.4 – Deploying Public Key Infrastructure (PKI). A Public Key Infrastructure (PKI) combines encryption, authorization, authentication, and intrusion detection mechanisms. It can be implemented in the recognition layer of the IoT architecture. PKI is based on the RSA algorithm with a public and a private key, in which the public key is stored at the base station and the private key is distributed to each connected node [6]. This way, security is ensured at each interconnected node. Furthermore, end-users can customize PKI systems according to their specifications to improve threat detection and thus fulfill the cybersecurity goals [7].
Threats: T1.2.1 – Interception of information, T1.2.2 – Unauthorized acquisition of information (data breach), T1.3.2 – Extraction of private information, T1.4.7 – Device hijacking
Gaps: G1.2 – Gaps on protection mechanisms adoption and hardening, G1.3 – Gaps on authorization and authentication, G1.11 – Gaps in handling critical scenarios
- C1.5 – Deploying AI and machine learning. AI-based Intrusion Detection Systems (IDS) are one of the novel solutions for monitoring the network and for collecting and analyzing information from previous attacks. These systems can predict incoming attacks based on historical data and suggest ways to mitigate them. Through real-time ML algorithms, they can even predict never-before-seen attacks that resemble previous ones. ML-based IDSs fall into two broad categories, namely anomaly IDS and misuse (signature) IDS. The former detects attacks by comparing the current real-time traffic with the previously observed normal traffic levels. The latter compares the current real-time traffic with the known patterns of previous attacks. Moreover, other ML algorithms, such as Linear Discriminant Analysis (LDA), Classification and Regression Trees (CART), and Random Forest, are also effective for attack identification and classification [1].
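To make the two IDS categories above concrete, an added example that is not taken from this document or the cited sources: a simplified anomaly detector that learns each device's normal traffic level and flags deviations from it, next to a signature matcher that compares flows with known patterns. The per-device baseline statistics stand in for a trained ML model, and the device names, traffic counts, flow records and signature rules are all constructed.

```python
import re
import statistics
# Constructed "normal" traffic history per device (packets per minute), standing in
# for the profile an ML-based anomaly IDS would learn from past benign traffic.
BASELINE = {
    "cam-01": [40, 42, 38, 41, 39, 43, 40, 42],
    "thermo-07": [5, 6, 5, 4, 6, 5, 5, 6],
}
# Constructed signature rules: (name, destination port, pattern over the payload).
SIGNATURES = [
    ("default-credential login", 23,
     re.compile(rb"login:\s*(admin|root)\s+password:\s*(admin|root|12345)", re.I)),
    ("unsolicited firmware fetch", 80, re.compile(rb"GET /\S*\.bin HTTP")),
]
# Constructed flow records to inspect: (device, packets per minute, destination port, payload).
FLOWS = [
    ("cam-01", 41, 443, b"GET /stream HTTP/1.1"),
    ("cam-01", 900, 80, b"GET /api HTTP/1.1"),
    ("thermo-07", 5, 23, b"login: admin password: admin"),
    ("bulb-99", 3, 80, b"GET / HTTP/1.1"),
]

def fit_baseline(history):
    """Per-device mean and standard deviation of the normal traffic level."""
    return {dev: (statistics.mean(v), statistics.pstdev(v)) for dev, v in history.items()}

def anomaly_check(model, device, rate, z_threshold=3.0):
    """Anomaly IDS: flag a rate that deviates upward from the device's learned normal level."""
    if device not in model:
        return "unknown device"             # never profiled, so it cannot be judged normal
    mean, sd = model[device]
    z = (rate - mean) / max(sd, 1e-6)       # guard against a perfectly constant baseline
    return "rate anomaly" if z > z_threshold else None

def signature_check(dst_port, payload):
    """Misuse/signature IDS: compare the flow with known attack patterns."""
    for name, port, pattern in SIGNATURES:
        if dst_port == port and pattern.search(payload):
            return name
    return None

def inspect(model, flow):
    """Run both detectors over one flow record; returns the alerts raised (possibly none)."""
    device, rate, port, payload = flow
    findings = [("anomaly", anomaly_check(model, device, rate)),
                ("signature", signature_check(port, payload))]
    return [f"{kind}:{finding}" for kind, finding in findings if finding]
```

The second and third flows show the complementary coverage: the traffic flood is caught only by the anomaly detector, while the default-credential login at a normal rate is caught only by the signature matcher.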
Threats: T1.4.2 – Denial of service, T1.4.3 – Malicious code/software/activity, T1.4.6 – Code execution and injection (unsecured APIs)
Gaps: G1.4 – Gaps on diagnosis and response capabilities, G1.11 – Gaps in handling critical scenarios
- C1.6 – Utilizing security analytics, monitoring, and risk assessment techniques. To ensure that interconnected IoT devices communicate regularly, organizations and end-users have to adopt a number of the available risk assessment tools, techniques, and strategies [8]. Device monitoring tools are highly useful for identifying and tracking suspicious activities and performing risk assessments. Moreover, security monitoring tools can capture data about the overall state of all IoT devices and the traffic between them, and use it to identify possible security violations and system threats. Afterward, actions defined by the security policies, such as device revocation and IoT device isolation, can be enforced [4]. Another useful means of identifying suspicious events and responding to threats is IoT security analytics, which collects, correlates, and analyzes data that can then be used to visualize IoT activities. Both IoT gateway and sensor CPU activity should also be monitored, and the obtained data combined, to ensure that only approved activities can take place [2].
Threats: T1.3.3 – Lack of control on safety implications – COVID19, T1.4.3 – Malicious code/software/activity, T1.4.6 – Code execution and injection (unsecured APIs)
Gaps: G1.2 – Gaps on protection mechanisms adoption and hardening, G1.4 – Gaps on diagnosis and response capabilities
- C1.7 – Utilizing SDN with IoT. One of the trending network security management approaches in different areas, including smart homes and e-health systems, is software-defined networking (SDN). It consists of two separate planes, namely the control plane and the data plane, which execute in the hardware and the software respectively. SDN can be used to monitor the traffic and detect malicious activities by identifying the compromised nodes and isolating them from the network [6].
Threats: T1.4.2 – Denial of service, T1.4.3 – Malicious code/software/activity, T1.4.6 – Code execution and injection (unsecured APIs), T1.4.7 – Device hijacking
Gaps: G1.2 – Gaps on protection mechanisms adoption and hardening, G1.4 – Gaps on diagnosis and response capabilities
- C1.8 – Testing. Proper testing, based on market-accepted test specifications, assures that IoT devices and related protocols can cope with the IoT ecosystem, which in turn helps to accept only devices that cooperate correctly with other IoT objects. To harden the security configurations, the management of the IoT web interface should be tested, and the physical ports, the authentication, and the interaction between devices and the cloud should be assessed [9].
Threats: T1.1.2 – Inadequate design and planning or incorrect adaptation, T1.1.3 – Inadequate design and planning or incorrect adaptation in the critical scenario – COVID19, T1.4.2 – Denial of service
Gaps: G1.1 – Gaps on design, G1.2 – Gaps on protection mechanisms adoption and hardening, G1.3 – Gaps on authorization and authentication, G1.7 – Lack of security-dedicated budget
- C1.9 – Fostering a security-by-design approach. All personnel involved in the design and development of IoT devices should pay attention to security fundamentals and collaborate to accomplish security by design. Security features, such as firewalls, tamper detection, and encryption capabilities, should be added in the design phase of IoT devices. Security by design should be an integral part of the entire ecosystem running IoT devices and services [10]. In addition, the CIA triad (confidentiality, integrity, and availability) should be the primary goal for IoT vendors. Lastly, manufacturers should treat IoT devices like any other traditional device they produce.
Threats: T1.1.2 – Inadequate design and planning or incorrect adaptation, T1.1.3 – Inadequate design and planning or incorrect adaptation in the critical scenario – COVID19, T1.4.4 – Misuse of assurance tools, T1.4.5 – Failures of business process
Gaps: G1.1 – Gaps on design, G1.7 – Lack of security-dedicated budget
- C1.10 – Raising security awareness. One of the most important security measures for ensuring the success and growth of IoT frameworks is raising security awareness among the participating users [11]. The study by Patton et al. [12] showed that a large number of IoT devices, including web cameras, traffic control devices, and printers, either use no password or use default passwords, making them easily accessible. Continuing this practice would cause IoT devices to do more harm than good. Therefore, security awareness campaigns and proper training can help mitigate these issues.
Threats: T1.1.1 – Information leakage/sharing due to human errors, T1.3.3 – Lack of control on safety implications – COVID19, T1.4.5 – Failures of business process, T1.4.8 – Social engineering, T1.5.1 – Violation of laws or regulations, T1.6.2 – Lack of strong cyber hygiene practices – COVID19
Gaps: G1.5 – Lack of awareness and knowledge (skill shortage), G1.10 – Gaps in cyber hygiene practices
- C1.11 – Firmware maintenance and integrity. Regular firmware updates and maintenance are essential for safeguarding the IoT ecosystem and keeping devices operational. Maintenance interfaces should have access to the application runtime environment and the security settings, thus enabling IoT firmware and OS updates [7]. To prevent attacks targeting the firmware, secure boot has to be used to ensure that a device can only execute code from the OEM or from a trusted party. IIoT devices should only be able to communicate with authorized services, to avoid the risk of being targeted by malicious activities [4].
Threats: T1.3.1 – Device modification, T1.4.6 – Code execution and injection (unsecured APIs), T1.4.7 – Device hijacking
Gaps: G1.2 – Gaps on protection mechanisms adoption and hardening, G1.6 – Lack of interoperability, G1.9 – Product lifecycle management leakages, G1.11 – Gaps in handling critical scenarios, G1.12 – Gaps on insufficient data protection (communication and storage)
- C1.12 – Enforcing regulations. More regulations are necessary to ensure that manufacturers and vendors prioritize security and to provide guidelines on what is expected of IoT developers, thus giving end-users the necessary level of transparency. Policies such as the IoT Cybersecurity Improvement Act of 2020 [13] and the EU General Data Protection Regulation (GDPR) [14] should be enacted at the global level. The act is aimed at federal agencies and obliges the National Institute of Standards and Technology (NIST) to develop IoT guidelines, while the GDPR introduced a mandatory notification scheme that requires data controllers to report data breaches in time. Moreover, it ensures that data controllers handle data breaches according to the provided guidelines [15].
Threats: T1.3.3 – Lack of control on safety implications – COVID19, T1.4.4 – Misuse of assurance tools, T1.6.1 – Skill shortage
Gaps: G1.6 – Lack of interoperability, G1.8 – Fragmentation in security approaches and regulations
Highlights on Identified Countermeasures
Before shipment, manufacturers must ensure that IoT devices are robust to known attacks, by releasing timely patches and analyzing critical situations. Segmentation, that is, isolating components by category, can prevent attackers from spreading infections to other IoT components. Due to the resource-constrained nature of IoT devices, developers should focus on ensuring mutual authentication through lightweight cryptographic algorithms, such as SHA-x with HMAC, and ECDSA. Detecting and thwarting malicious activities and attacks calls for the deployment of novel technologies, including AI- and ML-based IDSs, as well as taking advantage of IoT security analytics, monitoring, and risk assessment techniques. In addition, SDN can be used to monitor the traffic between IoT nodes and to isolate compromised nodes from the network. IoT firmware can be protected from incoming attacks through regular maintenance and updates. Additionally, IIoT devices should only be allowed to communicate with authorized services, to thwart potential malicious activities. More IoT-specific regulations and policies, such as the IoT Cybersecurity Improvement Act of 2020, are necessary to provide guidelines for IoT developers and to ensure transparency for end-users.
[1] “An ‘Inside-Out’ Approach Is Necessary to Detect and Mitigate IoT Breaches,” https://www.cybeats.com/blog/an-inside-out-approach-is-necessary-to-detect-and-mitigate-iot-breaches
[2] “How to Mitigate IoT Security Threats in 2021,” https://mobidev.biz/blog/mitigate-internet-of-things-iot-security-threats
[3] “Top IoT Threats and How to Avoid the Next Big Breach,” https://www.cybeats.com/blog/top-iot-threats-and-how-to-avoid-the-next-big-breach
[4] “Threat Highlight: Analysis of 5+ Million Unmanaged, IoT, and IoMT Devices,” Help Net Security, https://www.helpnetsecurity.com/2020/07/24/analysis-of-5-million-unmanaged-iot-and-iomt-devices/
[5] L. Bock, “The Internet of Things Operate on a Cowboy Code—There Are No Rules,” LinkedIn, 18 June 2017, https://www.linkedin.com/pulse/security-privacy-iot-lisa-bock/
[6] M. Litoussi, N. Kannouf, K. El Makkaoui, A. Ezzati and M. Fartitchou, “IoT security: challenges and countermeasures,” Procedia Computer Science, vol. 177, pp. 503-508, 2020.
[7] “IoT Security: Understanding the Dangers and Mitigating Threats,” https://www.analyticsinsight.net/iot-security-understanding-the-dangers-and-mitigating-threats/
[8] L. Tawalbeh, F. Muheidat, M. Tawalbeh and M. Quwaider, “IoT Privacy and Security: Challenges and Solutions,” Applied Sciences, vol. 10, no. 12, p. 4102, 2020.
[9] “Security Issues in IoT: Challenges and Countermeasures,” ISACA Journal, vol. 1, 2019, https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/security-issues-in-iot-challenges-and-countermeasures
[10] White Hat Security, “IoT Security—Combining Innovation With Protection,” https://www.whitehatsec.com/trending/content/iot-security-combining-innovation-protection
[11] R. Mahmoud, T. Yousuf, F. Aloul and I. Zualkernan, “Internet of things (IoT) security: Current status, challenges and prospective measures,” 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 336-341, 2015.
[12] M. Patton, E. Gross, R. Chinn, S. Forbis, L. Walker and H. Chen, “Uninvited Connections: A Study of Vulnerable Devices on the Internet of Things (IoT),” Joint Intelligence and Security Informatics Conference (JISIC), pp. 232-235, 2014.
[13] “Cybersecurity Improvement Act Signed into Law Inching IoT Toward More Robust Security,” https://www.securityinfowatch.com/cybersecurity/article/21203756/cybersecurity-improvement-act-signed-into-law-inching-iot-toward-more-robust-security
[14] M. Chapin et al., “Implication of the General Data Protection Regulation,” March 2018, https://www.aacrao.org/docs/default-source/signature-initiative-docs/gdpr/gdpr_discussiondraft_03272018_v2.pdf?sfvrsn=4556dd66_0
[15] Bird & Bird, “Personal Data Breaches and Notification,” https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/42–guide-to-the-gdpr–personal-data-breaches-and-notification.pdf?la=en