The 1.5 Billion Dollar Market: IoT Security

https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018
The two biggest challenges in 2018 will continue to be protecting against unauthorized access, and patching/updating the software of the device. Companies must not neglect the security problems of IoT and IIoT devices. Cyberattacks on the Internet of Things (IoT) are already a reality.

According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year.

1,645 Comments

  1. Tomi Engdahl says:

    NIST’s New Advice on Medical IoT Devices
    https://www.securityweek.com/nists-new-advice-medical-iot-devices

    Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding threat surface being delivered by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if not properly secured could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.

    NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (PDF). NIST’s primary cybersecurity function is to develop standards and advice for federal agencies. Its 1800 Series, however, is a series of documents designed to present practical, usable, cybersecurity solutions to the cybersecurity community at large. Such documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

    SP 1800-8 applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately,” it says, “we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.” It does this using standards-based, commercially available cybersecurity technologies that protect the entire HDO infrastructure.

    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-8.pdf

    Reply
  2. Tomi Engdahl says:

    Critical IoT Security Issues in the News
    https://www.securerf.com/critical-iot-security-issues-in-the-news?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=65591578&_hsenc=p2ANqtz-9U6p3v32ZP2h4F_EZBuqklXQkz0fd404sDoL-5XFf0NWZULKle_m8Zl_i4Fkx9dSRnCIEUucUn-Y57XBEEACvi1r5GLIuf0xXBG_FEy2JvA3zTIxs&_hsmi=65591578

    Israeli Researchers Find Vulnerabilities in Smart Sprinkler Systems

    Researchers from the Ben-Gurion University of the Negev recently published a paper asserting that it is possible for bad actors to create a botnet of irrigation systems.

    Hacked Smart Devices Could Trigger Mass Blackouts

    At the Usenix Security conference in Baltimore last month, researchers from Princeton University demonstrated how an IoT botnet of high wattage home devices such as air conditioners and water heaters could take down an entire power grid, causing mass blackouts.

    Quantum Computing Is Our Modern Space Race, Says Director of Quantum Computing at Intel

    Jim Clarke, Director of Quantum Hardware at Intel Labs, recently expressed his support of the National Quantum Initiative Act currently making its way through Congress.

    IoT Security Issues Will Lead to Legal ‘Feeding Frenzy,’ Says Well-known Attorney at Black Hat Conference

    At Black Hat USA 2018 in Las Vegas last month, the attorney who represented plaintiffs in the infamous 2015 Jeep hack spoke on the legal implications of IoT security issues. According to Ijay Palansky, partner at the law firm Armstrong Teasdale, plaintiff attorneys are anticipating hack-related lawsuits as more consumer IoT devices are rushed to release without adequate security.

    Bad Actors Exploiting Networks Through IoT Devices, Says FBI

    The FBI Internet Crime Complaint Center issued a public service announcement last month regarding cyber threat actors using IoT devices as a means of exploiting computer networks. The PSA points out that IoT devices in developed nations such as the United States are particularly susceptible to these attacks, as they provide an entrance to networks that would otherwise block suspicious IP addresses.

    Reply
  3. Tomi Engdahl says:

    Black Hat 2018: IoT Security Issues Will Lead to Legal ‘Feeding Frenzy’
    https://threatpost.com/black-hat-2018-iot-security-issues-will-lead-to-legal-feeding-frenzy/134997/

    A “wave of litigation over IoT liability is on the horizon,” according to an attorney who has represented plaintiffs in the 2015 Jeep hack.

    LAS VEGAS – The troves of insecure internet of things (IoT) devices have not yet led to widespread legal implications. But that’s set to change, a well-known attorney warned at Black Hat USA last week.

    Ijay Palansky, partner at the law firm Armstrong Teasdale, said at the conference last week that IoT-related security issues have been challenging from a lawsuit perspective; despite high-profile headlines, there haven’t been that many IoT hacks, and there’s a lack of understanding of the technology and how the law applies to it, said Palansky.

    However, he said that this is on the verge of changing.

    “There will be more hacks,” he said from the stage during a session at the show. “The plaintiff’s bar has been salivating over [IoT] – it’s going to be a feeding frenzy.”

    Palansky said that the IoT market is set to explode – particularly in the smart-home market, with consumer IoT spending set to reach $62 billion in 2018, making it the fourth-largest industry segment, according to market research firm IDC. Many of these devices are built with little to no security in mind: “Everyone’s been trying to get the latest and greatest device out – but haven’t been accurately valuing defense, and underinvesting in it,” said Palansky. “So the product won’t reach the right level of cybersecurity.”

    Reply
  4. Tomi Engdahl says:

    In the Know About Nodes? Exploring a New Patching System for Securing the IoT
    https://innovate.ieee.org/innovation-spotlight/traffic-aware-patching-intermediate-nodes-cyber-security-iot-devices/#utm_source=facebook&utm_medium=social&utm_campaign=innovation%20reboot&utm_content=IoT%20Nodes%20reboot?LT=CMH_WB_2018_LM_XIS_Paid_Social

    Fixing individual IoT devices infected by malware may not be the best solution to a widespread cyberattack.

    IoT devices are prime targets for hackers. They are connected to multiple devices and often have weak security measures. To address this problem, researchers created a system to strengthen the cyber security in wireless networks connected to IoT devices.

    The key is a new traffic-aware patching scheme that focuses on fixing critical intermediate nodes before an infected device has time to transmit its virus to a wireless network.

    Reply
  5. Tomi Engdahl says:

    8 Critical IoT Security Technologies
    https://www.electronicdesign.com/industrial-automation/8-critical-iot-security-technologies?PK=UM_Classics09118&utm_rid=CPG05000002750211&utm_campaign=19715&utm_medium=email&elq2=47899c1f362c41c3aba34db60c18739b

    The growth of IoT devices coupled with the rise in cyberattacks means that system security cannot be engineered after the design.

    A recent report by Gartner predicts that there will be 20.4 billion connected Internet of Things (IoT) devices by 2020, with 5.5 million new things getting connected every day. Furthermore, more than half of major new business processes and systems will include an IoT component by 2020.

    These numbers are staggering and suggest that standard PC security and anti-virus solutions will not be able to counter future cybersecurity threats on connected IoT devices.

    The following lists eight key technology considerations to improve IoT security:

    Network security: IoT networks are predominately wireless now, as wireless overtook wired global internet traffic back in 2015. This makes security far more challenging than with traditional wired networks due to the variety of emerging RF and wireless communication protocols and standards.
    Authentication: IoT devices must be authenticated by all legitimate users. Methods to achieve such authentication range from static passwords to two-factor authentication, biometrics, and digital certificates. Unique to IoT is that devices (e.g., embedded sensors) will need to authenticate other devices.
    Encryption: Encryption will be needed to prevent unauthorized access to data and devices. This will be difficult to ensure due to the variety of IoT devices and hardware profiles. Encryption must be part of a complete security management process.
    Security-side-channel attacks: Even with adequate encryption and authentication, another threat is possible, namely, side-channel attacks. Such attacks focus less on information transfer and more on how that information is being presented. Side-channel attacks (SCAs) collect operational characteristics—execution time, power consumers, electromagnetic emanation of the design to retrieve keys, and fault insertion—to gain other insights into the design (Fig. 2).
    Security analytics and threat prediction: Not only must security-related data be monitored and controlled, it must also be used to predict future threats. It has to complement traditional approaches that look for activities that fall outside of an established policy. Prediction will require new algorithms and the application of artificial intelligence to access non-traditional attack strategies.
    Interface protection: Most hardware and software designers access devices via an application programming interface (API). Securing these interfaces requires the ability to authenticate and authorize devices that need to exchange data (hopefully encrypted). Only authorized devices, developers, and applications should be capable of communication between secure devices.
    Delivery mechanisms: Continuous updates and patches will be needed to deal with the constantly changing tactics of cyberattackers. This will require expertise in patches, essentially fixing gaps in critical software on the fly.
    System development: IoT security requires an end-to-end approach in the network design. Also, security should be a full product-lifecycle development activity, which becomes difficult if the product is only a smart sensor. Security is still an afterthought for most designers, something that follows the implementation (not design) phase. It’s critical that both hardware and software be considered in these secure systems.

    Reply
  6. Tomi Engdahl says:

    Finding the Middle Ground: Securing Smart Cities
    https://www.securityweek.com/finding-middle-ground-securing-smart-cities

    High-profile cyberattacks and data breaches have become somewhat of a norm. You’ve likely heard this before: it’s no longer a question of if an attack will happen but when. We expect ‘always on’ connectivity with access to business data and this means that the clear boundaries of the traditional security perimeter are fading fast; as this happens, the potential attack surface grows. Advanced smart infrastructure, cloud networks and the Internet of Things (IoT) add more points of entry and ultimately more risk for both network operators and end users.

    This reality has sparked a rather polarized debate among government organizations and municipalities contemplating smart city technologies. Advocates are willing to throw caution to the wind to charge forward and implement these technologies, eager to harness the data and near real-time communications enabled by smart applications to positively impact their communities and citizens. On the other hand, skeptics are staving off adoption due to fears of destructive cyberattacks – and there’s no shortage of examples to justify their hesitancy.

    Just recently, we saw the City of Atlanta crippled by a SamSam ransomware attack that lasted two weeks and cost nearly $3 million – a clear warning to municipalities using smart applications. Numerous attacks on smart cities fly under the public’s radar: local police departments hit by small ransomware attacks, fire department databases hacked and gas operators plagued by customer communications disruptions.

    Reply
  7. Tomi Engdahl says:

    Designer’s Guide to IIoT Security
    How to fit all the security puzzles together
    https://www.eetimes.com/document.asp?doc_id=1333674

    We’ve all heard of Internet of Things (IoT) and Industrial Internet of Things (IIoT). We know the two are different, because IoT is commonly used for consumer usages and IIoT is used for industrial purposes.

    But how does a professional group like the Industrial Internet Consortium (IIC) actually define the IIoT?

    The group see IIoT as a system that connects and integrates operational technology (OT) environments, including industrial control systems (ICS), with enterprise systems, business processes and analytics.

    Sven Schrecker, chief architect of IoT security solutions at Intel and co-chair of the security working group at the IIC, said that security should not be the sole consideration when designing and deploying devices for IIoT systems, but developers should be thinking more broadly about five overall key factors:

    safety
    reliability
    security
    privacy
    resilience

    While design engineers might have to implement security elements into a chip, software, or platform, they may not necessarily be aware of how their work fits into their company’s bigger-picture security policies. “The security policy must be authored by both the IT team and the OT team together, so that everyone knows what device is allowed to talk to what,” Schrecker said.

    Haydn Povey, a board member of the IoT Security Foundation and also CEO and founder of Secure Thingz, said security needs to be addressed at four levels:

    CxO level
    security architect
    development engineer
    operations manager

    Reply
  8. Tomi Engdahl says:

    Embedding Security at the Edge
    Lay of the land for IIoT security solutions
    https://www.eetimes.com/document.asp?doc_id=1333678

    Reply
  9. Tomi Engdahl says:

    Leveraging Segmentation to Secure IoT
    https://www.securityweek.com/leveraging-segmentation-secure-iot

    IoT is accelerating at an unprecedented rate
    Most IT security architectures are unprepared

    Leveraging segmentation to secure IoT

    The answer is to work smarter. A critical strategy for achieving this objective is to implement a comprehensive segmentation strategy. Implementing such an effective IoT security strategy requires three fundamental steps:

    1. Establishing Broad Visibility – The biggest challenge facing most organizations is simply identifying and tracking all IoT devices connected to the network. Network Access Control allows organizations to authenticate and classify IoT devices securely. Real-time discovery and classification of devices at the point of access allows IT teams to build risk profiles and automatically assign IoT devices to appropriate device groups, along with associated policies.

    2. Segment IoT from Production Networks – Once the network has identified IoT devices, IT teams then need to establish IoT attack surface controls. Segmenting IoT devices and related communications into policy-based groups and secured network zones allow the network to automatically grant and enforce baseline privileges for specific IoT device profiles. While inventory management tools can track these devices, and behavioral analytics can monitor their behavior, Internal Segmentation Firewalls (ISFW) need to be applied to enable organizations to not only quickly and dynamically establish and control network segments but also inspect applications and other traffic that need to cross segmentation boundaries.

    3. Protect the Network – Establishing policy-driven IoT groups and then combining them with internal network segmentation enables multi-layered monitoring, inspection, and enforcement of device policies based on activity, regardless of where across the distributed enterprise infrastructure they have been deployed. An integrated and automated security framework then enables traditionally isolated security devices to correlate threat intelligence as IoT traffic traverses the network—even between devices deployed across different network ecosystems. These integrated tools can then automatically apply advanced security functions to any IoT devices or traffic that begins to misbehave, anywhere across the network, including at access points, cross-segment network traffic locations, and across multi-cloud deployments.

    Reply
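The three segmentation steps quoted in the comment above (classify at the point of access, place each group in its own zone with baseline privileges, then watch cross-zone traffic for misbehaving devices) can be sketched as a small policy evaluator. This is an added example, not code from the comment or the SecurityWeek article; the fingerprints, zone names, addresses and ports are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Step 1 input: fingerprints used to classify a device when it joins the
# network. OUIs (locally administered) and vendor strings are constructed.
PROFILES = [
    {"group": "iot-camera", "oui": "02:00:5e", "dhcp_vendor": "example-cam"},
    {"group": "iot-hvac", "oui": "02:00:6f", "dhcp_vendor": "example-hvac"},
]

# Step 2 input: one network zone per device group (constructed addressing).
ZONES = {
    "iot-camera": ip_network("10.20.1.0/24"),
    "iot-hvac": ip_network("10.20.2.0/24"),
    "production": ip_network("10.10.0.0/16"),
    "quarantine": ip_network("10.99.0.0/24"),
}

# Baseline privileges: the only (zone, protocol, port) tuples a group may
# reach across a zone boundary. Everything else is denied by default.
BASELINE = {
    "iot-camera": {("production", "tcp", 8554)},
    "iot-hvac": {("production", "tcp", 8883)},
    "quarantine": set(),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(mac: str, dhcp_vendor: str) -> str:
    """Step 1: map a device to a group; unrecognised devices are quarantined."""
    for profile in PROFILES:
        if mac.lower().startswith(profile["oui"]) and dhcp_vendor == profile["dhcp_vendor"]:
            return profile["group"]
    return "quarantine"


def zone_of(addr: str) -> Optional[str]:
    """Return the zone that contains addr, or None if it is outside all zones."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> str:
    """Step 2: decide a flow the way a default-deny segmentation boundary would."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny:unknown-zone"
    if src_zone == dst_zone:
        return "allow:same-zone"  # boundary check only covers cross-zone traffic
    if (dst_zone, flow.proto, flow.dport) in BASELINE.get(src_zone, set()):
        return "allow:baseline"
    return "deny:cross-zone"


def misbehaving(flows, threshold: int = 2) -> dict:
    """Step 3: sources with at least `threshold` denied flows, for follow-up."""
    denied = Counter(f.src for f in flows if evaluate(f).startswith("deny"))
    return {src: n for src, n in sorted(denied.items()) if n >= threshold}


# Constructed flow records for illustration.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.10.3.7", "tcp", 8554),   # camera -> recorder, in baseline
    Flow("10.20.1.5", "10.10.3.7", "tcp", 22),     # camera -> production, not in baseline
    Flow("10.20.1.5", "10.20.2.9", "tcp", 8883),   # camera -> HVAC zone
    Flow("10.20.2.9", "10.10.4.1", "tcp", 8883),   # HVAC -> broker, in baseline
    Flow("10.20.2.9", "203.0.113.10", "udp", 53),  # HVAC -> address outside every zone
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", evaluate(f))
    print("candidates for quarantine:", misbehaving(SAMPLE_FLOWS))
```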
  10. Tomi Engdahl says:

    One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks
    https://www.securityweek.com/one-year-later-over-2-billion-devices-still-exposed-blueborne-attacks

    One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to still be vulnerable to attacks, either because their owners have failed to install patches or due to the fact that no patches are available.

    The BlueBorne vulnerabilities were disclosed in September 2017 by Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices. Its researchers found that nine Bluetooth implementation flaws affected mobile, desktop and IoT systems, including Android, iOS, Windows and Linux devices.

    Armis later also revealed that Amazon Echo and Google Home devices were also vulnerable to these attacks.

    Reply
  11. Tomi Engdahl says:

    What Makes the IIoT So Vulnerable to Cyberattacks?
    https://www.eetimes.com/document.asp?doc_id=1333693

    We are seeing a number of attacks both on industrial control systems (ICS) and on the operational technology (OT) side of the industrial IoT (IIoT) with increasing frequency.

    The consensus was a list of several elements that have combined to create a perfect storm over the last few years:

    a big increase in the number of sensors and devices being connected to each organization’s IIoT, forming a huge potential attack surface
    decades-old OT equipment and control systems never designed for exposure to the internet and, therefore, not designed for security
    a patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADAmaster (supervisory control computers), and programmable logic controllers (PLCs)
    poor or absent cybersecurity practices and technology, including a lack of either designed for the very different ICS/OT environment, not the IT environment
    lack of budgets, or insufficient budgets, for implementing cybersecurity awareness, monitoring, and prevention technology
    a steep escalation in the numbers and types of attackers

    “First, most devices and networks used in our industrial control systems were designed 15 or more years ago, when connectivity to the internet was not standard practice and when it was assumed that if you had connectivity to the device, you had permission to configure the device. As a result, most have either no authentication or weak authentication, like passwords that can be easily sniffed from the wire.

    “Second, connectivity between corporate IT networks and OT networks has increased significantly because of the need to get real-time intelligence from production. Whether it’s a gas pipeline, a factory floor, or a well site, companies want to optimize their operations and collect real-time intelligence. This means that the attack surface has increased: There are many more ways for attackers to get into industrial networks.

    Reply
  12. Tomi Engdahl says:

    Understand network security: public key encryption and industrial automation
    https://www.controleng.com/single-article/understand-network-security-public-key-encryption-and-industrial-automation/095cbe779ce8ccaeeb0b639d61b6e754.html?OCVALIDATE=

    Remove unnecessary fear, take a proactive approach to network security as the Internet of Things (IoT) continues to rapidly expand.

    Stay secure

    Network security is a top priority for controls engineers today. Most control systems are in some way connected to an Ethernet network. Demand for technologies like remote access, data collection, and mobile apps, along with IoT will continue to grow.

    As a result, controls engineers are working more and more with technologies based on public key encryption. While it may not be necessary to know the math behind it, a general understanding of public key encryption helps one understand how the technology relates to best security practices.

    An understanding of public key encryption also helps when it comes to selecting secure devices and configuring them. Understanding security helps separate out unnecessary fear. Instead, a more proactive approach can be taken to network security.

    Reply
  13. Tomi Engdahl says:

    IIoT cybersecurity for connected robots
    https://www.controleng.com/single-article/iiot-cybersecurity-for-connected-robots/00e260adb1321182febb37852dc9adbb.html?OCVALIDATE=

    Manufacturers are leveraging Industrial Internet of Things (IIoT) technology to generate insightful robotic data, which makes maintenance easier, but it also increases cybersecurity risks.

    Industrial robots are no longer repetitive, inflexible systems that only perform one task over and over. Today’s industrial robots are dynamic. They are equipped with vision systems and better programming that give them more flexibility than ever, and most recently, they’ve been given connectivity to a variety of internal enterprise and cloud systems.

    Savvy manufacturers are leveraging Industrial Internet of Things (IIoT) technology to generate insightful robotic data. This data makes maintenance easier, increases production efficiency and improves product quality. Connected robots bring many benefits, but as connectivity increases, so do cybersecurity risks.

    Ensuring cybersecurity for connected robots

    Cybersecurity is a shared responsibility, starting with device manufacturers—the designers and suppliers of robots, controllers and robotic equipment like machine vision sensors. Robot system integrators and end users are just as responsible for ensuring cybersecurity is at proper levels, however.

    The “defense in depth” concept is one of the best strategies for cybersecurity. IIoT architecture is inherently multilayered and complex—attackers find the weakest link. With a defense in depth approach to cybersecurity, there are several layers of defense throughout the IIoT architecture. This prevents attackers from accessing critical information or systems, or at the very least slows them down enough for detection and response measures to kick in.

    Reply
  14. Tomi Engdahl says:

    Industrial networks in need of RAT control
    https://www.kaspersky.com/blog/rats-in-ics/23949/

    Remote Administration Tools (RATs) have always been controversial. Yes, they let people avoid direct access to hardware, but at the same time, they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, and so our colleagues from KL ICS CERT undertook a study on how widespread RATs are on industrial computers and what harm they can cause.

    Reply
  15. Tomi Engdahl says:

    Privacy Protection Means Encryption at the Application Layer
    https://www.securityweek.com/privacy-protection-means-encryption-application-layer

    Comprehensive Data Security Measures Should Include a Formal Process for Application Security and Vulnerability Assessment

    Reply
  16. Tomi Engdahl says:

    Establishing a Root of Trust to Secure the IoT
    https://emea.info.mouser.com/mouser-rootoftrust-signup-emea-en?cid=email&pid=ICC

    Security is not something that any developer can ignore. It is no longer safe, for the OEM or their customers, to assume that their product or service is immune to cyber attacks. The sheer size of the IoT increases the attack surface, creating a greater opportunity for the criminal element. Protection must now be endemic, meaning it is the responsibility of everyone to at least understand the threat, as well as the solutions available to protect devices from that threat.

    This exclusive white paper explains the basic principles of security in a connected world and how a root of trust helps protect the IoT.

    Reply
  17. Tomi Engdahl says:

    Why the IIoT is So Vulnerable to Cyberattacks
    https://www.eetimes.com/document.asp?doc_id=1333693

    We are seeing a number of attacks both on industrial control systems (ICS) and on the operational technology (OT) side of the industrial IoT (IIoT) with increasing frequency.

    Why is the IIoT so vulnerable to cyberattacks?

    We talked to ICS and OT specialists at major cybersecurity solutions providers, as well as key industry analysts, to suss out the answers.

    Several elements that have combined to create a perfect storm over the last few years:

    a big increase in the number of sensors and devices being connected to each organization’s IIoT, forming a huge potential attack surface
    decades-old OT equipment and control systems never designed for exposure to the internet and, therefore, not designed for security
    a patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADAmaster (supervisory control computers), and programmable logic controllers (PLCs)
    poor or absent cybersecurity practices and technology, including a lack of either designed for the very different ICS/OT environment, not the IT environment
    lack of budgets, or insufficient budgets, for implementing cybersecurity awareness, monitoring, and prevention technology
    a steep escalation in the numbers and types of attackers

    Reply
  18. Tomi Engdahl says:

    Adi Robertson / The Verge:
    California Governor has signed a bill that would require “reasonable security” for all new IoT devices, making California the first state with an IoT law

    California just became the first state with an Internet of Things cybersecurity law
    https://www.theverge.com/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law

    California Governor Jerry Brown has signed a cybersecurity law covering “smart” devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August.

    Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

    The bill has been praised as a good first step by some and criticized by others for its vagueness. Cybersecurity expert Robert Graham has been one of its harshest critics. He’s argued that it gets security issues backwards by focusing on adding “good” features instead of removing bad ones that open devices up to attacks.

    Reply
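The device rule described in the comment above (a device reachable with a password from outside the local network must ship with a unique password or force the user to set one on first connection) can be checked against a manufacturing manifest before devices ship. This is an added example, not from the article or the bill; the manifest columns, serial numbers and credential fingerprints are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed provisioning manifest, one row per manufactured device.
# cred_id is a fingerprint of the factory password, never the password itself.
MANIFEST = """serial,remote_login,cred_id,force_change
CAM-0001,yes,9f2c,no
CAM-0002,yes,9f2c,no
CAM-0003,yes,41ab,no
HUB-0001,yes,77d0,yes
HUB-0002,yes,77d0,yes
SEN-0001,no,9f2c,no
"""


def audit(manifest_text: str) -> list:
    """Return (serial, other_devices_sharing_credential) for each failing device.

    A device fails when it accepts password logins from outside the LAN,
    its factory credential is shared with any other device in the fleet,
    and it does not force a password change on first connection.
    """
    rows = list(csv.DictReader(io.StringIO(manifest_text)))
    # Uniqueness is judged across the whole fleet, including local-only
    # devices, because a credential reused anywhere is no longer unique.
    usage = Counter(row["cred_id"] for row in rows)
    findings = []
    for row in rows:
        if row["remote_login"] != "yes":
            continue  # the rule only covers password access from outside the LAN
        unique = usage[row["cred_id"]] == 1
        forced = row["force_change"] == "yes"
        if not (unique or forced):
            findings.append((row["serial"], usage[row["cred_id"]] - 1))
    return findings


if __name__ == "__main__":
    for serial, others in audit(MANIFEST):
        print(f"{serial}: factory credential shared with {others} other device(s), "
              "no forced change on first login")
```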
  19. Tomi Engdahl says:

    Embedded Devices and Cyber Security
    https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-engineering/embedded-devices-and-cyber-security/#gref

    Below are some of the test scenarios that could be created as part of IoT testing and security:

    Verify that a device can register with a network and the data connection is made successfully.
    Verify that all the devices involved in the IoT testing can register with the network.
    Verify that devices involved in the IoT testing can transmit and receive data through the network.
    Verify that only IoT devices with appropriate authentication and authorization can connect to the network.
    Verify that IoT devices successfully disconnect from the network when the user asks them to.
    Verify that devices involved in IoT do not frequently disconnect from the network until the user specifically asks them to.
    Verify that, if a maximum number of connections (as per the requirement) is attained, the IoT device stops any attempt to link to the network for a predefined duration.
    Verify that, in the event that data volume surpasses what is defined in the requirement, the IoT device should not initiate any more transfer of data for a predefined duration.
    Verify that an IoT device can transfer data in low power mode.
    Verify threshold signal range for an IoT device and how far the device can operate from the network.

    In general, the process is lacking in:

    Applying security into product development lifecycle, including lack of a formal security risk assessment
    Raising awareness of device users (e.g., calling out specific security responsibilities for hospital users to adhere to via user manuals, training, standard end user license agreements, etc.)
    Managing security for those products that are outsourced to third parties for design and development
    A formalized security patch management process

    There is a lack of basic security controls for most of the in-scope devices. The lack of these security capabilities (such as unique user account and password controls, anti-virus, security patching, logging and monitoring, etc.) introduces increased risk exposure, especially as these devices are moving online or becoming remotely accessible.

    A lack of technical security control capabilities in devices is beginning to impact device sales.

    Reply
  20. Tomi Engdahl says:

    Why a Zero Trust Security Model is Needed
    https://www.akamai.com/uk/en/solutions/zero-trust-security-model.jsp?gclid=EAIaIQobChMImKDVlf3s3QIVS4uyCh1ziAUXEAAYAyAAEgLWu_D_BwE&utm_source=google&utm_medium=cpc&ef_id=WmWfwgAAGRGSD9mU:20181004141813:s

    New business initiatives and processes have created new attack surfaces, and a corporate security perimeter no longer makes sense. Applications, users, and devices are moving outside, dissolving what was once the trusted enterprise perimeter. Protection is now needed where applications and data, and users and devices, are.

    Reply
  21. Tomi Engdahl says:

    A Black-Box Approach to Embedded Systems Vulnerability Assessment
    https://www.sans.org/reading-room/whitepapers/riskmanagement/paper/37452

    Vulnerability assessment of embedded systems is becoming more important due to security needs of the ICS/SCADA environment as well as the emergence of the Internet of Things (IoT). Often, these assessments are left to test engineers without intimate knowledge of the device’s design, no access to firmware source or tools to debug the device while testing. This gold paper will describe a test lab black-box approach to evaluating an embedded device’s security profile and possible vulnerabilities. Open-source tools such as Burp Suite and python scripts based on the Sulley Fuzzing Framework will be employed and described.

    Reply
  22. Tomi Engdahl says:

    Security testing of embedded open source systems creates a stronger enterprise security posture
    https://www.timesys.com/security/security-testing-embedded-open-source-systems-creates-stronger-enterprise-security-posture/

    Researchers and the technology media are reporting that the average application now contains more open source software components than proprietary code. And the use of open source components in embedded systems such as Internet of Things (IoT) devices likewise is on the rise.

    The security posture is a way to describe the aggregated effectiveness of security controls, processes and procedures. As we discussed in previous blog posts, many security practitioners use the acronym CIA as a rule-of-thumb for considering IT security. It stands for:

    Confidentiality — can the enterprise protect data and keep it private?
    Integrity — can the enterprise ensure data is not altered or manipulated?
    Availability — can the enterprise make sure that data is available and accessible when it is needed?

    Penetration Testing and Security Assessments

    Embedded Linux security has received a lot of attention as embedded open source systems have become increasingly widespread.

    It’s important that developers consider Internet of Things device security and embedded system security for open source software as they relate to the overall security needs of the enterprises who eventually will deploy those systems.

    This is accomplished with device security auditing, which is similar to penetration testing in the sense that it seeks to evaluate the security of the device and its embedded systems as viewed from the potential attacker’s point of view. An audit could consider questions such as:

    Are the device’s software components updated with the latest versions?
    Is the configuration of the systems appropriate to the application and the eventual deployment mode of the device?
    Have any Common Vulnerabilities and Exposures (CVEs) been released that pertain to the systems and components in the device?

    Reply
  23. Tomi Engdahl says:

    The Project : a Framework to audit IoT devices security
    https://hardsploit.io/the-project/

    How long can we continue to rely on hardware / critical electronic devices without being able to properly assess their security?

    These technical devices are at the heart of what is called today “Internet of every things”.

    We know that the technical knowledge needed to assess the security level of electronic equipment isn’t generally acquired by stakeholders (industry, software or IT security consultants, software pentesters etc.). This type of audit requires a wide range of electronics skills like analog signal processing, FPGA or the use of specific measurement tools (oscilloscope, logic analyzer, etc.). These skills are not among those generally taught to people who choose to specialize in computer security.

    Threats are (also) below the OS now!

    Malicious actors are aware of this weakness!

    Hardware security is different than software security:
    The most surprising (disturbing?) fact is that our industrials and our security experts have not mastered secure design techniques or audit/pentest methodology related to hardware systems.
    There is a gap between the threat and the operational response capacity of the actors in this field. Therefore, the risk of attacks on the data processed in the Internet of Things world (personal, sensitive device supervision, industrial process, HealthCare products …) has increased.

    Reply
  24. Tomi Engdahl says:

    California Poised to Enact Internet of Things Information Security Law
    https://www.natlawreview.com/article/california-poised-to-enact-internet-things-information-security-law?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=66416888&_hsenc=p2ANqtz–Xnmp6VINxfo241_kjT_rv8IftwNKZZ__5DI3HyfM9t_e-lGHb8-3yoJYYMPHLd4e5N02bEHzOLIq44–JmErl7tTMC8-7XDDnDkj0eo7zu5WwKDg&_hsmi=66416888

    California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

    appropriate to the nature and function of the device;

    appropriate to the information the device may collect, contain or transmit; and

    designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

    The law further provides that if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a “reasonable security feature” if the preprogrammed password is either unique to each device or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

    Reply
  25. Tomi Engdahl says:

    Consumers Are Concerned About IoT Security
    https://www.securerf.com/consumers-are-concerned-about-iot-security?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=66416888&_hsenc=p2ANqtz–Xnmp6VINxfo241_kjT_rv8IftwNKZZ__5DI3HyfM9t_e-lGHb8-3yoJYYMPHLd4e5N02bEHzOLIq44–JmErl7tTMC8-7XDDnDkj0eo7zu5WwKDg&_hsmi=66416888

    Consumer adoption of smart devices is at an all-time high and poised to grow. Despite the continued growth of connected devices, many consumers are still concerned about the security of those devices, and for good reason. The cost of an attack on an IoT device is high – device manufacturers can potentially see penalties of hundreds of dollars per consumer per incident – compared to the low cost of taking reasonable precautions.

    Reply
  26. Tomi Engdahl says:

    Why the IIoT is So Vulnerable to Cyberattacks
    https://www.eetimes.com/document.asp?doc_id=1333693&&utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=66416888&_hsenc=p2ANqtz–Xnmp6VINxfo241_kjT_rv8IftwNKZZ__5DI3HyfM9t_e-lGHb8-3yoJYYMPHLd4e5N02bEHzOLIq44–JmErl7tTMC8-7XDDnDkj0eo7zu5WwKDg&_hsmi=66416888

    We are seeing a number of attacks both on industrial control systems (ICS) and on the operational technology (OT) side of the industrial IoT (IIoT) with increasing frequency.

    Why is the IIoT so vulnerable to cyberattacks?

    We talked to ICS and OT specialists at major cybersecurity solutions providers, as well as key industry analysts, to suss out the answers.

    The consensus was a list of several elements that have combined to create a perfect storm over the last few years:

    a big increase in the number of sensors and devices being connected to each organization’s IIoT, forming a huge potential attack surface
    decades-old OT equipment and control systems never designed for exposure to the internet and, therefore, not designed for security
    a patchwork of OT and control systems from multiple vendors running proprietary and non-updatable software, including human-machine-interface (HMI) computers with access to remote terminal units (RTUs), SCADA master (supervisory control computers), and programmable logic controllers (PLCs)
    poor or absent cybersecurity practices and technology, including a lack of either designed for the very different ICS/OT environment, not the IT environment
    lack of budgets, or insufficient budgets, for implementing cybersecurity awareness, monitoring, and prevention technology
    a steep escalation in the numbers and types of attackers

    Reply
  27. Tomi Engdahl says:

    Steve Gibson’s Three Router Solution to IOT Insecurity
    https://www.pcper.com/reviews/General-Tech/Steve-Gibsons-Three-Router-Solution-IOT-Insecurity

    Even before the formulation of the term “Internet of things”, Steve Gibson proposed home networking topology changes designed to deal with this new looming security threat. Unfortunately, little or no thought is given to the security aspects of the devices in this rapidly growing market.

    One of Steve’s proposed network topology adjustments involved daisy-chaining two routers together.

    Gibson presented us with his third (and hopefully final) foray into the magical land of theory-crafting as it related to securing our home networks against the Internet of Things.

    With this iteration Steve moved us from a two-router solution to a three-router solution.

    Maintaining three separate purpose-driven subnets affords our network some key protective features unavailable to us with both of our previous configurations.

    Reply
  28. Tomi Engdahl says:

    California passes law that bans default passwords in connected devices
    https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?sr_share=facebook&utm_source=tcfbpage

    Zack Whittaker
    @zackwhittaker / 13 hours ago

    Good news!

    California has passed a law banning default passwords like “admin,” “123456,” and the old classic “password” in all new consumer electronics starting in 2020.

    Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”

    It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.

    Reply
  29. Tomi Engdahl says:

    California to Ban Weak Passwords
    https://www.securityweek.com/california-ban-weak-passwords

    California Bill Requires Unique Passwords in Connected Devices

    The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

    The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use.

    The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets.

    By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities.

    However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices.

    Reply
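The first-use rule described in the three California items above (a preprogrammed password unique to each device, and a new means of authentication before access is granted for the first time), written out as an added example that is not from any of the quoted articles. The class and function names, the PBKDF2 parameters and the minimum length are assumptions; the deny-list holds only the three defaults the TechCrunch excerpt names.

```python
import hashlib
import hmac
import secrets

# Defaults named in the TechCrunch excerpt; a production deny-list would be longer.
KNOWN_DEFAULTS = {"admin", "123456", "password"}
MIN_LENGTH = 10          # assumed policy value, not taken from the law
PBKDF2_ROUNDS = 200_000  # assumed work factor


def provision_factory_password() -> str:
    """Run once per unit at manufacture: a random secret unique to the device."""
    return secrets.token_urlsafe(12)


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Credential store for one device (hypothetical, for illustration)."""

    def __init__(self, factory_password: str):
        self._salt = secrets.token_bytes(16)
        self._digest = derive(factory_password, self._salt)
        self._first_use = True  # no user-chosen credential has been set yet

    def _matches(self, password: str) -> bool:
        # Constant-time comparison of the derived values.
        return hmac.compare_digest(derive(password, self._salt), self._digest)

    def login(self, password: str) -> str:
        """Return 'denied', 'setup-only' or 'full'.

        Until the owner has replaced the factory password, a correct login
        only unlocks the credential-change step, never the device itself.
        """
        if not self._matches(password):
            return "denied"
        return "setup-only" if self._first_use else "full"

    def set_password(self, current: str, new: str) -> None:
        """Replace the credential; this is the only action allowed in setup-only."""
        if not self._matches(current):
            raise PermissionError("current credential rejected")
        if new.lower() in KNOWN_DEFAULTS:
            raise ValueError("new password is a well-known default")
        if len(new) < MIN_LENGTH:
            raise ValueError("new password is too short")
        if self._matches(new):
            raise ValueError("new password must differ from the current one")
        self._salt = secrets.token_bytes(16)
        self._digest = derive(new, self._salt)
        self._first_use = False  # factory password is now dead


def first_boot_walkthrough() -> list:
    """Constructed scenario: returns the access level seen at each step."""
    factory = provision_factory_password()
    device = DeviceAuth(factory)
    steps = [device.login("admin"), device.login(factory)]
    device.set_password(factory, "owner-chosen-passphrase")  # constructed value
    steps += [device.login(factory), device.login("owner-chosen-passphrase")]
    return steps


if __name__ == "__main__":
    print(first_boot_walkthrough())
```
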
  30. Tomi Engdahl says:

    NIST’s Considerations For ‘Cybersecuring’ The Internet Of Things
    https://semiengineering.com/nists-considerations-for-cybersecuring-the-internet-of-things/

    IoT cannot rely solely upon security practices designed for conventional devices.

    Experts at the National Institute of Standards and Technology (NIST) have kicked off an initiative to support the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. NIST’s Cybersecurity for the Internet of Things (IoT) and Privacy Engineering Programs drafted a report titled NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks that is now available for public comment.

    Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
    Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
    The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.

    The following principles can serve as a foundation to enable stronger IoT security:

    Security by design: As many IoT devices are constrained by limited resources (CPU/RAM), device manufacturers can choose a chipset that includes integrated security hardware to reduce CPU load and RAM usage. It should be noted that building security in at the design stage could help reduce potential IoT service disruptions such as those caused by DDoS attacks. Moreover, integrated security features would allow manufacturers to avoid the difficult and expensive endeavor of adding security measures to IoT devices after they have already been deployed.
    Use a multi-layered approach: Complex IoT systems can have many different types of users, devices, and data. This can be simplified for both OEMs and service providers by adopting an integrated chip-to-cloud solution rather than stitching together multiple, discrete components.
    Implement well-studied crypto algorithms: The IoT device should support and use well-known and standardized cryptography algorithms and protocols for authentication, encryption, and data transmission.
    Encourage use of a scalable provisioning platform: In addition to implementing security at the design phase, DHS recommends device manufacturers promote security updates and vulnerability management. Life cycle management, which includes over-the-air (OTA) updates and vulnerability management, is essential to maintaining the continued security of IoT devices. A scalable provisioning platform should be implemented that utilizes a secure hardware root-of-trust to ensure secure updates of firmware and cryptographic keys.

    Reply
  31. Tomi Engdahl says:

    Naming & Shaming Web Polluters: Xiongmai
    https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

    What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras.

    In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings.

    Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors.

    On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware.

    “Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.”

    Reply
  32. Tomi Engdahl says:

    Security in Manufacturing: Closing the Backdoor in IoT Products
    https://www.electronicdesign.com/industrial-automation/security-manufacturing-closing-backdoor-iot-products?NL=ED-005&Issue=ED-005_20181010_ED-005_960&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=20552&utm_medium=email&elq2=d377f14133be4428bd2dca77e29475c2

    This article explores the potential attacks that can occur in the process of designing, building, and testing IoT systems, as well as methods for preventing these attacks.

    Reply
  33. Tomi Engdahl says:

    IoT, Security and Wi-Fi’s Krack
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1333841

    Last year’s Krack attack on Wi-Fi networks showed the importance of engineering a layered security solution to promote the success of the Internet of Things.

    My team woke up to this headline on Oct. 16, 2017: Update Every Device – This KRACK Hack Kills Your Wi-Fi Privacy.

    The news appeared in more than 266 articles that made 2.3 billion impressions. My Wi-Fi group at Texas Instruments was flooded with questions and demands.

    Reply
  34. Tomi Engdahl says:

    In the two years since Dyn went dark, what have we learned? Not much, it appears
    DNS infrastructures still vulnerable to attacks
    https://www.theregister.co.uk/2018/10/11/dns_insecurity_survey/

    The majority (72 per cent) of FTSE 100 firms are vulnerable to DNS attacks, nearly two years after the major Dyn outage.

    A similar three in five of the top 50 companies listed in the Fortune 500 are also ill-prepared for an attack similar to the Mirai botnet-powered assault against Dyn that left much of the web unreachable in late October 2016. A large minority (44 per cent) of the top 25 SaaS providers are also vulnerable, according to stats from a DNS Infrastructure Performance Report by security firm ThousandEyes published Wednesday.

    Reply
  35. Tomi Engdahl says:

    Enterprise IoT security sucks so much, it’s made Intel and Arm work together to tackle it
    Chip rivals lock lips to make customers happy
    https://www.theregister.co.uk/2018/10/15/intel_arm_iot/

    Intel on Monday joined hands with Arm, its occasional rival, in an attempt to make the notoriously dismal state of Internet-of-Things security less so.

    The two chip designers aren’t concerned with consumer IoT devices, which can be expected to remain a hot mess; rather they hope to provide corporate customers with a way to efficiently and securely add sensors and the like to their networks.

    The device provisioning process turns out to be rather involved, and so doesn’t scale well. IT admins may find it acceptable to spend 20 minutes or more configuring and authenticating a single device, but when there are hundreds or thousands of the things to set up, no one wants to enroll the assorted gadgets, geegaws and MacGuffins manually.

    A year ago, Intel took a stab at addressing the device enrollment problem with its Secure Device Onboard service, which uses Intel Enhanced Privacy ID (EPID) data embedded in chips to automatically validate and provision corresponding IoT devices.

    Arm, it turns out, has something similar, an IoT management platform called Pelion. And because kit from the two companies often turns up in the same deployment, the competitors have found common cause.

    Together, the two chip firms believe they can provide a path to securely connect any device to any cloud, thanks to the provisioning data each embeds in its respective silicon.

    A Transformative Device-to-Data Platform for Connected IoT that Empowers an Intelligent Enterprise
    https://www.arm.com/products/iot/pelion-iot-platform

    The Pelion IoT Platform is a flexible, secure, and efficient foundation spanning connectivity, device, and data management. It accelerates the time to value of your IoT deployments by helping you easily connect trusted IoT devices on global networks, invisibly administer them, and extract real-time data from them to drive competitive advantage.

    Reply
  36. Tomi Engdahl says:

    Frederic Lardinois / TechCrunch:
    Arm unveils its roadmap for internet infrastructure hardware, branding the IP portfolio Neoverse, the first products of which are slated to ship next year

    https://techcrunch.com/2018/10/16/arm-launches-neoverse-its-ip-portfolio-for-internet-infrastructure-hardware/

    Reply
  37. Tomi Engdahl says:

    Code of Practice for consumer IoT security
    https://www.gov.uk/government/publications/secure-by-design/code-of-practice-for-consumer-iot-security

    As we connect more devices in our homes to the internet, products and appliances that have traditionally been offline are now becoming part of the ‘Internet of Things’ (IoT).

    The IoT represents a new chapter of how technology becomes increasingly common in our homes, making people’s lives easier and more enjoyable. As people entrust an increasing amount of personal data to online devices and services, the cyber security of these products is now as important as the physical security of our homes.

    The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

    The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security.

    Audiences

    An indication is given for each guideline as to which stakeholder is primarily responsible for implementation. Stakeholders are defined as:

    Device Manufacturer – The entity that creates an assembled final internet-connected product. A final product may contain the products of many other different manufacturers.

    IoT Service Providers – Companies that provide services such as networks, cloud storage and data transfer which are packaged as part of IoT solutions. Internet-connected devices may be offered as part of the service.

    Mobile Application Developers – Entities that develop and provide applications which run on mobile devices. These are often offered as a way of interacting with devices as part of an IoT solution.

    Retailers – The sellers of internet-connected products and associated services to consumers.

    Scope of applicability

    This Code of Practice applies to consumer IoT products that are connected to the internet and/or home network and associated services. A non-exhaustive list of examples includes:

    Connected children’s toys and baby monitors

    Connected safety-relevant products such as smoke detectors and door locks

    Smart cameras, TVs and speakers

    Wearable health trackers

    Connected home automation and alarm systems

    Connected appliances (e.g. washing machines, fridges)

    Smart home assistants

    ‘Associated services’ are here considered as the digital services that are linked to IoT devices, for example mobile applications, cloud computing/storage and third party Application Programming Interfaces (APIs) to services such as messaging.

    Guidelines
    1. No default passwords
    2. Implement a vulnerability disclosure policy
    3. Keep software updated
    4. Securely store credentials and security-sensitive data
    5. Communicate securely
    6. Minimise exposed attack surfaces
    7. Ensure software integrity
    8. Ensure that personal data is protected
    9. Make systems resilient to outages
    10. Monitor system telemetry data
    11. Make it easy for consumers to delete personal data
    12. Make installation and maintenance of devices easy
    13. Validate input data

    Reply
  38. Tomi Engdahl says:

    Securing the Future of IoT
    https://www.electronicdesign.com/industrial-automation/securing-future-iot?NL=ED-005&Issue=ED-005_20181017_ED-005_597&sfvc4enews=42&cl=article_2_b&utm_rid=CPG05000002750211&utm_campaign=20727&utm_medium=email&elq2=bd6a9a615c4a4622b7b435a1398c0d0b

    It’s incumbent on IoT device manufacturers to build with a “security by design” mindset. And that means a future-proofing flexible approach, not one that’s hardware-centric.

    But this explosion of connectivity is also unmatched in its risk. Smart doesn’t inherently mean secure, and with the millions of devices privileged to our personal information and data, the prospect of hackers infiltrating the intricate web of connectivity in our homes presents a serious threat to security and the well-being of our households and families.

    This is why IoT device manufacturers must build with a “security by design” mindset, which begins by selecting a robust operating system that’s both secure and ready for future market demands. Devices need to not only protect home networks—they need to future-proof them. As malicious actors are constantly evolving their activities, businesses must be flexible and proactive in their approach to security, shedding the old hardware-centric view of IoT security. In addition, businesses risk missing out unless they differentiate on software-defined features. Software maintenance must also increase to align with a hardware device’s lifespan in order to stay relevant in the world of IoT and usable to the end user.

    Apps for IoT

    The Internet of Things is the gateway to the future. But like any gateway, unless somebody or something is standing guard, then anyone can walk in and tamper with your belongings. Thus, manufacturers are looking for ways to clamp down on that potential breach and secure their hardware.

    For example, Fingbox, an IoT home-networking security and troubleshooting device developed by Fing, employs Canonical’s Ubuntu Core Linux-based operating system to help it secure and protect tens of thousands of homes. Ubuntu Core not only increases and enhances Fingbox’s hardware security, but also provides the necessary future-proofing by providing all of its software components in a secure and modular packaging format called Snaps.

    Snaps are containerized software packages managed through Snapcraft, a platform that developers can use to build and publish Snap-based applications. Snaps enables developers to push software updates that install automatically and roll back in the event of failure.

    The likelihood of an improper update breaking a device or degrading the end-user experience as a result is greatly reduced. If a security vulnerability is discovered in the code used by an application, the application publisher is notified so the Snap can be rebuilt quickly with the supplied fix and pushed out in a controlled and managed fashion.

    In the case of smart-home devices, rolling out a security patch seamlessly without disrupting home life is a great advantage. Because external threats are ever-changing, and their degree and methods of attack vary, the modern home-security network demands an agile and reliable solution that can be managed by the home user.

    Snaps are just one example in an emerging IoT trend that’s shifting from the traditional attitude toward embedded devices as being hardware-centric and a single, fixed function purpose.

    Ready for the Future

    There is now a keen focus on updating and extending the functionality of IoT devices, similar to what we’ve all become accustomed to with the modern-day world of mobile devices and the smartphone. In this approach, companies can create and publish new applications and services via their own branded IoT app stores and extend device lifecycles as well as increase customer retention and revenues.

    The app store approach also encourages the creation of license models and revenue streams based on specific feature enablement and user behavior. For example, Tesla can remotely configure their cars to enable self-driving capabilities in different models. Likewise, IoT devices can allow for mass customization of devices based on specific customer needs, licensing, and market demands for a device manufacturer’s brand-specific offering.

    Secure the Device Now, Secure Your Business for the Future

    Despite hardware security being crucial to home network security, companies still aren’t paying sufficient attention to securing their defenses. Instead, device manufacturers place the responsibility on the end-user to monitor the security and safety of their home networks. This isn’t sustainable in the smart era of IoT.

    With the arrival of the IoT application approach, the security burden can be taken off the end-user and homeowners as well as businesses. They can now trust a single piece of hardware as it silently stands guard, updating and remediating any security issues that might arise.

    Modern IoT devices demand heightened security.

    Reply
  39. Tomi Engdahl says:

    Timothy W. Martin / Wall Street Journal:
    ARM and cybersecurity firm Cybereason, both backed by SoftBank, partner to help secure IoT home devices like connected lightbulbs and thermostats — SoftBank-backed Arm and Cybereason are teaming up to protect some of the cyberworld’s most vulnerable targets

    The Hackers at Your Smart Door: New Cyberdefenses Planned for Connected Devices
    https://www.wsj.com/articles/the-hackers-at-your-smart-door-new-cyberdefenses-planned-for-connected-devices-1539770321

    SoftBank-backed Arm and Cybereason are teaming up to protect some of the cyberworld’s most vulnerable targets

    Reply
  40. Tomi Engdahl says:

    History repeating: How the IoT is failing to learn the security lessons of the past
    https://www.zdnet.com/article/history-repeating-how-the-internet-of-things-failed-to-learn-the-security-lessons-of-the-past/

    The massive cyberattacks which took down some of the most popular websites on the internet show that device manufacturers are not learning from the mistakes of the past.

    Reply
  41. Tomi Engdahl says:

    Edge computing: the cyber security risks you must consider
    https://www.zdnet.com/article/edge-computing-the-cyber-security-risks-you-must-consider/

    Edge computing could be an innovative new way to collect data, but it also opens up a world of additional security headaches.

    Edge computing is based around the idea that, to cope with the vast amounts of data generated by IoT sensors and environmental monitors, computing and network infrastructure will need a rethink: a lot of that data will need to be analysed and processed at the edge of the network, rather than transported to a remote centralised data centre.

    With processing being done close to where data is generated, such architectures will be able to deliver better performance and efficiency, and ultimately allow companies to reduce their operational expenses.

    But like the IoT, the supposed benefits of edge computing also come with additional risks: adding more data-generating devices to your network in more locations — particularly those that are physically remote or aren’t well monitored — can lead to additional cyber security headaches.

    “Security at the edge remains a huge challenge, primarily because there are highly diverse use cases for IoT, and most IoT devices don’t have traditional IT hardware protocols. So the security configuration and software updates which are often needed through the lifecycle of the device may not be present,” says Barika Pace, research director at analyst firm Gartner.

    Reply
  42. Tomi Engdahl says:

    IoT security: Follow these rules to protect your users from hackers, gadget makers told
    https://www.zdnet.com/article/iot-security-follow-these-rules-to-protect-your-users-from-hackers-gadget-makers-told/

    New guidelines for IoT makers have been published. But will device manufacturers pay attention?

    A government-backed scheme aims to tackle the issue of poor security in the Internet of Things (IoT) by encouraging manufacturers to produce connected devices that are secure by design and easy to update.

    The Secure by Design code of practice for the IoT has been launched by the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) and is based on advice from industry, security experts, academia, and consumer organisations.

    Guidelines include telling hardware makers to eliminate universal default usernames and passwords for IoT devices, in order to ensure that products aren’t sold with basic login credentials that can easily be breached by attackers. Poor password security has been the cause of a number of IoT-related security breaches.

    https://www.zdnet.com/article/is-admin-password-leaving-your-iot-device-vulnerable-to-cyberattacks/

    Reply
  43. Tomi Engdahl says:

    How to design secure remote-controlled operations
    https://www.controleng.com/single-article/how-to-design-secure-remote-controlled-operations/aeb78012c3b45e073634fc001f94d9c8.html?OCVALIDATE=

    Six tips can help with cybersecurity and remote-controlled or remote-monitoring applications for industrial control systems (ICSs).

    Remote access, a double-edged sword

    Many remote access situations are unplanned, such as when a piece of equipment fails and the technician is out of town, which requires the company to bring in a trusted third party for repairs. This urgency for immediate, unplanned access heightens the cybersecurity risk. Perhaps credentials are provided over the phone (“Your password is ‘password1’”), which is creating an open invitation for a hacker to gain access.

    Remote access can be a double-edged sword: a necessity to keep productivity high, but also a low cost, easy entry point for hackers. The challenge is many of the leading market options to authenticate user logins, such as RSA SecurID and smart cards, have never found much traction among extranet users. Not only were they largely designed for enterprises, but they are quite costly, challenging to support and put too much burden on end users.

    Two-factor authentication is needed

    Best practices, including U.S. National Institute of Standards and Technology (NIST) recommendations, advise using strong authentication for all industrial control systems (ICSs). Many people think communication encryption mitigates the security risk, but even before the connection is made, credential exposure is the starting point and creates the vulnerability. Plus, practicalities and costs often get in the way.

    Leaving authentication in the hands of the user is a surefire way for mistakes to happen. An even bigger challenge is authenticating third-party users who don’t have the built-in foundation of a solid cryptographic virtual private network (VPN), which makes it impossible and impractical to authenticate. Without that level of credentialing, you may as well be having a private conversation with a stranger.

    To best secure remote access, public key cryptography, the gold standard for authentication, should be used.

    Six remote-access checkboxes

    To get on the road to secure remote access, look for technology that checks the following boxes:

    1. Built-in mandatory mutual authentication: No dependence on user discretion to access organization resources
    2. Automatic creation of an end-to-end encrypted tunnel
    3. Operationally transparent to fit with existing cybersecurity systems: Provides an additional, not replacement, layer of security
    4. Protocol independent to work with any combination of communications, whether WAN, LAN and any combination thereof
    5. Responsive to unplanned deployment: Ability to be rapidly deployed to support secure connections
    6. Software-free approach: Plug directly into network, without software or network configuration changes, using small hardware appliances.

    Reply
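The mandatory mutual authentication named in checkbox 1 of the comment above, built on public key cryptography, shown as an added example that is not from the quoted article or any product. Ed25519, the role names, the `remote-access-v1` label and every function name are assumptions chosen for illustration; the encrypted tunnel of checkbox 2 is not shown.

```javascript
// Added example: mutual challenge-response authentication with pinned keys.
const crypto = require('node:crypto');

// Each party holds its own private key and a pre-provisioned (pinned) copy of
// the peer's public key, so no shared password is ever read out over the phone.
function makeParty(role) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { role, publicKey, privateKey };
}

// Bind each signature to the signer's role and to both fresh nonces, so it
// cannot be reflected back to its sender or replayed into a later session.
function transcript(role, nonceTech, nonceGw) {
  return Buffer.concat([Buffer.from(`remote-access-v1|${role}|`), nonceTech, nonceGw]);
}

function prove(party, nonceTech, nonceGw) {
  return crypto.sign(null, transcript(party.role, nonceTech, nonceGw), party.privateKey);
}

function check(pinnedKey, role, nonceTech, nonceGw, sig) {
  return crypto.verify(null, transcript(role, nonceTech, nonceGw), pinnedKey, sig);
}

// One handshake. pinnedGw is the gateway key the technician trusts and
// pinnedTech is the technician key the gateway trusts. Both checks are
// mandatory: no code path grants access after skipping either one.
function handshake(tech, gw, pinnedGw, pinnedTech) {
  const nonceTech = crypto.randomBytes(32); // technician's challenge
  const nonceGw = crypto.randomBytes(32);   // gateway's challenge
  const gwSig = prove(gw, nonceTech, nonceGw);
  if (!check(pinnedGw, 'gateway', nonceTech, nonceGw, gwSig)) {
    return { ok: false, reason: 'gateway not authenticated' };
  }
  const techSig = prove(tech, nonceTech, nonceGw);
  if (!check(pinnedTech, 'technician', nonceTech, nonceGw, techSig)) {
    return { ok: false, reason: 'technician not authenticated' };
  }
  return { ok: true, reason: 'mutually authenticated', nonceTech, techSig };
}

// Constructed parties: a technician, the real gateway, and a look-alike
// gateway whose key was never pinned by the technician.
const tech = makeParty('technician');
const gw = makeParty('gateway');
const impostor = makeParty('gateway');
```

Because the technician checks the gateway before sending its own proof, a look-alike endpoint is rejected before it learns anything reusable, and a signature captured in one session fails against the next session's nonces.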
