Ask your sound system to select and play a specific song, or order something online using your voice, or tell your fridge when you run out of food or automatically diagnose it on your office printer. Claim the service.
Features like Smart Offices, Smart Homes, Smart Applications, Smart Buildings, and Smart Cities are driving demand – all connected via the Internet of Things (IoT).
IoT is a network of physical content equipped with sensors, software, and other technologies to exchange data with other devices and systems via the Internet. These include embedded systems, wireless sensor networks, control systems, home, and building automation systems, and smart home devices, as well as smartphones and smart speakers.
At the end of 2019, there were 7.6 billion active IoT devices worldwide, and by 2030 it will be 24.1 billion, according to digital transformation research firm Transform Insights.
Securing IoT networks
Legacy IoT devices, industrial control systems, including custom networking, are exceptionally difficult to secure. Typically, these devices have sufficient computing capabilities to support their initial operational function. They have limited memory, low power, limited CPU resources, and very low network bandwidth. They do not authenticate incoming messages, authorize users, log network traffic, do not support on-line updates, or use the OSI protocol stack. Many use fully proprietary, vendor-specific, bit- or byte-based protocols.
Beginning in the 1990s, IoT 1.0 hybrid network ICS devices for process control included Telnet, FTP, OCS (OLE [Microsoft’s Object Linking and Embedding]), ODBC (Microsoft’s Open Database Connectivity), and Standard. ICS vendors chose these criteria based on Microsoft’s apparent market leadership in the controversial software architecture, without any detailed analysis of the security risks they could bring to real networks. In the late 2000s, IT companies abandoned them as a serious threat. ICS devices typically have a service life span of 15 to 30 years or more. Many hybrid devices using these weak protocols will be in the 2020s today, monitored, and arbitrarily in service. Implementing conventional network protection creates a number of problems, including the challenges described in Figure 1 below. (Hint: Internet is not being counted, this network has 1 cell of secure access points, only one network service is active on the three cell phones that are captured. Most smartphones have four or five).
5 steps to increase IoT protection
One of the biggest concerns with the Internet of Things (IoT) is ensuring that networks, data, and devices are protected. Security incidents related to IoT have already occurred and the concern among IT, security and networking managers that the same incidents will happen is justified.
“In addition to the most limited environment, you’re going to have IoT devices in between,” said Jason Towell, vice president and CISO of the standards for security standards and assurance firm Heatroost. “But if that is not the case then how do you allow such devices to connect and interact with your network, system, and data.”
What can companies do to increase IoT security? There are plenty of options – including many exercises that may not be so obvious.
1) Run the security test IoT source code
For better security in IoT, companies should start with the smallest component of their network infrastructure – code, says Laura DDO, principal of research and consulting firm ITIC.
“Most of the IoT devices are very small,” DDO said. “SO, the source code tends to be written in C ++ and C# languages of the ‘general tongue’, which often leads to general problems such as memory leaks and buffer-overflow vulnerabilities. These issues are the common cold equivalent network.
The DDO said that like common colds, these are anxious and persistent. “In the IoT environment they can expand and become a big and often overlooked security issue,” he says. “The best defense here is to test, test and retest” There are various reputable testing tools on the market for IDT devices that are used, the DDO said.
Security and IT administrators can also use stack cookies, the DDO says. These are randomly informed strings that are coded to write to the stack just before the applications point to the pointer register, where any buffer overflow occurs if data overflow occurs. The application will be further coded to verify that the stack cookie string will match the code originally written. If the stack cookie does not match, the application will end.
2) IoT gear is required to meet safety standards
Organizations, of course, employ all kinds of service providers, and in some cases, those services are provided through equipment on the customer’s premises. In the age of IoT, devices have a better chance of being connected and are therefore at risk for hacking and other intrusions.
It is up to the customer to make sure there is accountability in place if something goes wrong.
“One place to start is in the deal,” said Brian Hogley, a former security executive at Hanover Insurance Group, a partner and insurer for security consulting firm SideChannels. “Are your vendors pushing an IoT on your initiative as part of their service or solution? If so, you must know about it and see that it is part of the contract/collection.
Housley said clarify who is responsible for the life cycle of updates and equipment, as well as if you have access to it in the event of an incident. “I’ve seen HVAC [heating, ventilation, and air conditioning] and the printer companies haven’t given up access because the response has stopped,” he says. In operating systems “those same vendors will leave behind the responsibility of routine patching or upgrades”.
In some cases, the contract does not specify when the customer will warrant a new piece of equipment with a supporting operating system, and the seller may be reluctant to accept the cost, Hagley said. As a result, an unsupported and weak device may be allowed to sit on the network for longer than it should.
If we do not communicate our requirements to our seller without
receiving steps to ensure compliance and responsibility, what is our basis for expecting these issues to be resolved? Towle says. Hardware OMS and software companies now expect to be responsible for identifying and fast resolving vulnerabilities in their products, as well as companies that provide our IP cameras, medical devices, printers, wireless access points, refrigerators, environmental controls, and more. The unchanged number of IoT devices, on which we gradually rely.
Towel said companies should apply the controls described in the general security framework to IoT devices. For example, include security protection requirements in your contract; Request scans of recent vulnerabilities or right-click to scan them manually; Force vendors to provide timely updates to address identified vulnerabilities; Restart the devices after a firmware update to ensure that the identified issues have been resolved and no new issues have been introduced.
3) Protect against IoT identity fraud
Hackers and their tactics have become more efficient over the years and this could represent a major threat to IoT security.
“They continue to play their game like frauds and forgeries,” DDO says. “Significant growth in IoT devices means that the attack or attack vector has increased significantly.”
This makes it imperative that businesses and their security and IT departments verify the identities of the IoT devices they are communicating with and ensure that they are legitimate for critical communication, software updates, and downloads.
DIDO says that all IoT devices must have a unique identity. In the absence of a unique identity, an organization is at high risk of being spoken or hacked from the microcontroller level to applications from the microcontroller level and devices on the edge of the transport layer, he said.
4) Do not allow IoT devices to start network connections
Pirani said companies need to increase the limitations of IoT devices in order to start connecting to the network and instead connect to them using only network firewalls and access control lists.
By making the principle of one-sided trust, IoT devices will never be able to initiate links to internal systems, which may limit the ability of the attacker to explore and lift their network points as jump points for attack, says Pirani.
Pirani said it would not prevent opponents from attacking their direct connecting systems, it would limit their ability to move internally across networks, Pirani said.
Enterprises can also force connections to IoT devices to go through Jump Host and/or network proxies, Parenti said. By proxying a connection to a funnel point, a club can check network traffic before IoT devices arrive and ask [traffic] more effectively, he narrated. This enables the traffic and the payloads that it carries to determine if it is suitable for receiving or transmitting IoT devices.
5) Supply protection in the supply chain
IoT efforts typically reach multiple partners in a supply chain, including technology vendors, suppliers, and customers, and security must be considered.
If you haven’t already done so, go into your agreement, financing, or any other community in your club that manages the supply chain, Toul said. / src / NamedConfOptions.py: 327 msgid “Start a conversation and a relationship with them so that no IoT purchase is approved without a security team meeting.”
Towell said the departments would eagerly comply with the offer to shoulder the workload for safety analysis.
How the optimal process of supply chain vendor selection can be maximized depends on the individual organization, Towell says, but he advises manufacturers to consider what allows for independent validation; This type of advice is for a right-protection switch on the device so that the firmware cannot be updated without your knowledge; And to collect only authentic products without counterfeiting.