Security for Internet of Things Device Manufacturers

The Internet of Things (IoT) has introduced new security risk factors that are unprecedented in scope and scale. Although the recommendations presented here are intended for IoT manufacturers, many of them are equally applicable to other stakeholders in the IoT community, such as service providers and software developers. From the perspective of manufacturers, securing IoT requires answers to the following questions:

• To what risk factors are IoT stakeholders exposed?
• Why and how are IoT devices impacted?
• What are the latest laws and guidelines that affect IoT manufacturers?
• How can IoT manufacturers secure their devices and customers’ data?

SECURITY VULNERABILITIES IN IOT PRODUCTS CAN EXPOSE MANUFACTURERS TO SERIOUS CYBERSECURITY RISK, POTENTIALLY RESULTING IN REPUTATIONAL DAMAGE AND HEAVY FINES.

According to two recent surveys, top executives consider building trust and ensuring cybersecurity in IoT deployment the most essential considerations.^{1, 2} A significant portion of the revenue derived from an IoT-driven economy is produced through monetization of the data generated from the IoT ecosystem.³ Once data are part of the equation, security and privacy naturally become important considerations.

The Current State of IoT Security

In the past, consumer gadgets or industrial devices were designed primarily to provide the necessary functionality and performance. They were produced at the lowest cost and were brought to market as quickly as possible. These devices or software often lacked the basic mechanisms to protect themselves against misuse or hacking.

Recent IoT-related security incidents range from the massive, such as the Internet blackout caused by the Mirai attack in 2016,⁴ to specific attacks, such as the security compromise of a digital thermometer in a fish tank.⁵ These kinds of attacks affect not just the commercial sector but also household consumers, as evidenced by the Jeep hack in 2015⁶ and the hack of Internet-connected smart toys in 2017.⁷

Security vulnerabilities in IoT products can expose manufacturers to serious cybersecurity risk, potentially resulting in reputational damage and heavy fines. Another issue that demands attention is counterfeiting. Counterfeit products pose an immediate and tangible threat to manufacturers in economic terms through the loss of revenue. For example, the semiconductor industry estimates that between US$75 billion and US$169 billion worth of counterfeit semiconductor parts are currently circulating in the marketplace.⁸ Because of the uncertainty of the behavior of these counterfeit products, the confidentiality, integrity, availability (CIA) triad may be impacted where the data stored, transmitted or processed in the system may be subject to accidental or unauthorized storage, processing, access, destruction, alteration, loss or lack of availability during the life cycle of the IoT components. If the IoT industry is aware of the damage caused by this lapse in security, why are manufacturers and users of IoT devices not doing more to mitigate these security threats?

One of the challenges facing security experts and manufacturers is that the IoT ecosystem is complex and presents a large attack surface. The situation is complicated by the fact that IoT devices are traditionally not cyberresilient, and they have long life spans (typically greater than 10 years). Finally, the need to physically go on-site and manually replace IoT devices often deters operators from conducting the necessary maintenance, even when a serious vulnerability has been identified.

Regulations and Guidelines

Recognizing the importance of security and the long-term implications of flawed IoT devices, the US Senate,^{9, 10} the US State of California,¹¹ and the US Food and Drug Administration^{12, 13} have spearheaded efforts to regulate IoT security. On the other side of the Atlantic, the European Parliament¹⁴ and the Department of Digital, Culture, Media and Sport in the United Kingdom¹⁵ have issued regulations and guidelines that govern the security of IoT. Figure 1 summarizes the applicable EU and US laws and their impacts on IoT business stakeholders.

In addition to publications by the US Department of Homeland Security¹⁶ and the US National Institute of Standards and Technology (NIST),^{17, 18} guidelines have been published by other bodies and industry associations. Because the IoT touches on many disciplines and is applied at different levels, some IoT security guidelines are written for a specific industry,^{19, 20, 21} while others are more generally applicable.^{22, 23}

IoT Security Framework

It would be highly desirable to adopt one baseline security framework, but unfortunately, there is no one-size-fits-all solution to IoT security. The security framework adopted by most security-conscious practitioners is the NIST Cybersecurity Framework (CSF).²⁴ The following sections explain how some well-proven technical measures can be implemented to achieve security and privacy by design, thereby enabling manufacturers to identify threats and protect against them. This helps service operators detect, respond and recover in the operation phase more effectively and efficiently.

Five Key Principles of IoT Security
The five key principles of IoT security are summarized in figure 2. If these principles are followed, the business goals of IoT device manufacturers will be aligned with security and compliance requirements. These requirements can be met when the relevant technological and procedural controls are in place.

1. Ensure that devices function only as specified:
   • Devices accept only authorized, trusted data from trusted sources.
   • Devices will not run unauthorized firmware or application codes, including malware.
   • Unauthorized commands cannot run in devices.
2. Prevent counterfeits from running in the system:
   • Only trusted devices can be connected and communicated with.
   • Devices, software codes and commands are mutually authenticated.
   • Software, including firmware and application codes, cannot be illegally copied.
   • There is no fixed password.
3. Ensure security and privacy:
   • Only authorized entities can read data intended for them.
   • Data security and privacy are protected in accordance with international standards such as the EU General Data Protection Regulation (GDPR) and industry-specific standards such as the Payment Card Industry Data Security Standard (PCI DSS).
   • Protection extends to the edge and in the cloud.
4. Ensure sustainable operation:
   • Security is updatable on devices.
   • Firmware and application codes are updated and cryptographically signed.
   • Crypto-agility is built into devices and at the back end for postquantum operation.²⁵
   • There is automated operation with no human intervention.
5. Ensure sound situational awareness:
   • Continual assessment and assurance are performed.
   • Monitoring includes access attempts, network traffic and behavior with the help of artificial intelligence (AI) and shared intelligence.

By following these principles, IoT devices and systems can defend themselves against cybersecurity risk.

Protecting the Chain of Trust
Public key infrastructure (PKI) is the technology that enables the mutual authentication of devices and codes. This ensures that only authorized devices, firmware and application codes can run in a system. This technology also supports subscriber identity module (SIM)-based security.²⁶ The idea is that each entity in the system (this includes the IoT hardware, bootstrap, firmware and application code) is given a unique digital certificate signed by a trusted party. The signing process is usually performed during the manufacturing stage using the manufacturer’s private key. When a device needs an update and firmware is going to be loaded into the device, the firmware and the device mutually authenticate each other based on the signed certificates before the firmware is accepted and loaded. Similarly, communications between devices are cryptographically protected (via cryptographic signature and encryption), so that only authorized devices can communicate with each other and hackers or other unauthorized parties cannot eavesdrop on the communications.

PROTECTING THE CHAIN OF TRUST AND THE CRYPTOGRAPHIC SIGNING KEYS IS CRITICAL IN ANY IOT SYSTEM.

Clearly, protecting the chain of trust (figure 3) and the cryptographic signing keys is critical in any IoT system. The private keys of IoT devices can usually be protected within the enclave of the machine control unit.²⁷ Manufacturers can centrally generate cryptographic keys before loading them into devices as part of the device provisioning process. The equipment deployed for this task should follow industry standards, such as using US Federal Information Processing Standards (FIPS)-certified hardware security modules (HSMs).²⁸ For ease of deployment and to cater to sudden increases in usage, IoT manufacturers may explore the on-demand services offered by trusted service providers.²⁹

Conclusion

Manufacturers can demonstrate due care and win customer trust by following the security design described previously. Security at the IoT device level is attainable, and prevention is the best option. By protecting the chain of trust, IoT can defend itself, and manufacturers and operators can minimize losses from counterfeits, attain regulatory compliance, minimize misuse and facilitate future maintenance. Such protection covers device hardware, firmware and application codes and the data they process. Finally, cybersecurity and privacy risk factors should be assessed and mitigated throughout the product life cycle.

Endnotes

¹ PricewaterhouseCoopers (PWC), “2019 IoT Survey: Speed Operations, Strengthen Relationships and Drive What’s Next,” https://www.pwc.com/us/en/services/consulting/technology/emerging-technology/iot-pov.html#about-survey
² AT&T, AT&T Cybersecurity Insights Report, 2019/2020 Edition, https://cybersecurity.att.com/resource-center/analyst-reports/cybersecurity-insights-report-ninth-edition
³ Russo, M.; M. Albert; “How IoT Data Ecosystems Will Transform B2B Competition,” BCG Henderson Institute, 27 July 2018, https://www.bcg.com/publications/2018/how-internet-of-things-iot-data-ecosystems-transform-b2b-competition.aspx
⁴ Hilton, S.; “Dyn Analysis Summary of Friday October 21 Attack,” Dyn, 26 October 2016, https://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
⁵ Schiffer, A.; “How a Fish Tank Helped Hack a Casino,” The Washington Post, 21 July 2017, https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?utm_term=.09f1f239b5dc
⁶ Greenberg, A.; “The Jeep Hackers Are Back to Prove Car Hacking Can Get Much Worse,” Wired, 1 August 2016, https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/
⁷ Frenkel, S.; “A Cute Toy Just Brought a Hacker Into Your Home,” The New York Times, 21 December 2017, https://www.nytimes.com/2017/12/21/technology/connected-toys-hacking.html
⁸ McKeefry, H. L.; “Counterfeits Costing Semiconductor Industry Billions,” EET Asia, 14 March 2019, https://www.eetasia.com/news/article/Counterfeits-Costing-Semiconductor-Industry-Billions
⁹ Govtrack, “S. 734: Internet of Things Cybersecurity Improvement Act of 2019,” 23 September 2019, https://www.govtrack.us/congress/bills/116/s734
¹⁰ Govinfo, “Senate Committee on Homeland Security and Governmental Affairs Report on S.734,” 23 September 2019, https://www.govinfo.gov/content/pkg/CRPT-116srpt112/pdf/CRPT-116srpt112.pdf
¹¹ California Senate, “SB-327 Information Privacy: Connected Devices,” USA, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
¹² US Food and Drug Administration, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” 2 October 2014, https://www.fda.gov/media/86174/download
¹³ US Food and Drug Administration, “Postmarket Management of Cybersecurity in Medical Devices,” Guidance for Industry and Food and Drug Administration Staff, 28 December 2016, https://www.fda.gov/media/95862/download
¹⁴ Official Journal of the European Union “Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), 17 April 2019, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0881&from=EN
¹⁵ Department of Digital, Culture, Media and Sport in the UK, “UK Code of Practice for Consumer IoT Security,” 14 October 2018, https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code-of-practice-for-consumer-iot-security
¹⁶ US Department of Homeland Security, “Strategic Principles for Securing the Internet of Things Version 1.0,” 15 November 2016
¹⁷ National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1,” USA, 16 April 2018, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
¹⁸ National Institute of Standards and Technology, “Security and Privacy Controls for Federal Information Systems and Organizations Revision 4,” Special Publication (SP) 800-53, USA, April 2013, http://dx.doi.org/10.6028/NIST.SP.800-53r4
¹⁹ Groupe Speciale Mobile Association (GSMA), “CLP.11—IoT Security Guidelines Overview Document Version 1.0,” 8 February 2016, https://www.gsma.com/iot/wp-content/uploads/2016/02/CLP.11-v1.1.pdf
²⁰ International Society of Automation (ISA), “New ISA/IEC 62443 Standard Specifies Security Capabilities for Control System Components,” InTech Magazine, September–October 2018, https://www.isa.org/intech/201810standards/
²¹ Heyl, J.; “UL2900 Overview,” October 2017, https://cybersecuritysummit.org/wp-content/uploads/2017/10/4.00-Justin-Heyl.pdf
²² IoT Security Foundation, “Secure Design Best Practice Guides Release 2,” November 2019
²³ ISACA^®, Assessing IoT Internet of Things: Upsides, Downsides and Emerging Ethics, USA, 2017, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoYQEA0
²⁴ Op cit NIST 2018
²⁵ Thales, “Quantum Computing and Cybersecurity,” 23 October 2019, https://www.thalesgroup.com/en/germany/magazine/quantum-computing-and-cybersecurity
²⁶ GSMA, “Common Implementation Guide to Using the SIM as a ‘Root of Trust’ to Secure IoT Applications,” 3 December 2019, https://www.gsma.com/iot/wp-content/uploads/2019/12/IoT.04-v1-Common-Implementation-Guide-1.pdf
²⁷ Microsoft, “Seven Properties of Highly Secure Devices,” March 2017, https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf
²⁸ National Institute of Standards and Technology, “Cryptographic Module Validation Program,” USA, 11 October 2016, https://csrc.nist.gov/Projects/cryptographic-module-validation-program
²⁹ Gemalto, “SafeNet Data Protection on Demand,” https://safenet.gemalto.com/data-protection-on-demand/

Welland Chu, Ph.D., CISA, CISM
Is the business development director, Asia and Pacific Region, at the cloud protection and licensing business unit of Thales. He serves as the secretary and vice president of certification at the ISACA China–Hong Kong Chapter. During his 26 years in the security industry, Chu has led teams of security professionals in assessing and implementing security solutions for clients in the critical infrastructure sector. He can be reached at Welland.Chu@thalesgroup.com.