Addressing IoT Security Challenges From the Cloud to the Edge
Written by Brian Buntz, 26/05/2020

Key takeaways:
- Securing environments with IoT devices requires a comprehensive functionality assessment as well as access control measures.
- Addressing IoT security challenges is not possible without a mature security foundation, which many organizations still lack.
- As organizations build a robust security architecture, their focus can gradually shift from remediation to a more proactive stance, a theme also explored in the companion piece “Developing a Critical Infrastructure Cybersecurity Strategy”.

Despite the wide variety of cybersecurity guidelines, relatively few organizations deploying emerging technology have a mature security strategy. While cybersecurity awareness has increased, businesses with an ineffective cybersecurity posture face mounting risks. Cyberattacks themselves have become more damaging, and regulatory pressures related to security and privacy have escalated.

The Internet of Things (IoT) continues to raise the stakes, extending digital technology’s reach into the physical realm. Thanks to the interface between the digital and physical world created by IoT technologies, a cyberattack could potentially prompt various scenarios, from business disruption to industrial accidents. In addition, as IoT technology becomes more sophisticated and distributed within IT environments from the cloud to edge architectures, cybersecurity grows more complex.

The question of what to defend has also grown murkier. Decades ago, organizations using computing technology had a clear perimeter to protect. Typically, their computing and networking hardware was located in one or more buildings. Similar to how nobility erected castles in the Middle Ages, computer security professionals built a series of defenses for assets. People and processes inside a defined perimeter were largely trusted, while those outside were not.

Although the castle approach remains, its limitations have grown more apparent. One of the central IoT security challenges is its incompatibility with a perimeter-based security model focused on guarding a homogeneous set of computing assets. The popularity of cloud computing and remote working poses further hurdles. The increasing risk of attacks occurring within the traditional security perimeter is another worry. As Forrester observed, the castle model tends to create a network “with a hard, crunchy outside and a soft, chewy center.” Additionally, over the past decade, a series of organizations with substantial, often multimillion-dollar security budgets focused on perimeter-based defenses have fallen prey to attacks exposing troves of data.

Identifying What to Protect 
One of the first steps in establishing a strong security foundation is to assess your various assets and related processes. Cybercriminals targeting your organization are likely to start with that same focus.

For manufacturers incorporating IoT functionality into products, this foundational stage involves addressing potential vulnerabilities early on as well as taking steps to harden products over time. While the need to incorporate baseline security in IoT devices is clear, until recently, manufacturers had little incentive to do so. Now, a growing body of legislation and regulatory precedent has spurred manufacturers to prioritize security.

“It is creating a commercial pressure [for manufacturers] to at least have a baseline security level, or you could face legal ramifications,” said Andrew Jamieson, director of technology and security at UL. 

Similarly, organizations building IoT technology into an environment should assess the risk of each node on a network while addressing potential vulnerabilities created by new technology interfacing with legacy software and hardware.

Such an assessment isn’t possible without an accurate asset inventory, which is difficult to create as connected devices proliferate. “One of the biggest challenges is that there are so many different industry verticals and different kinds of devices,” said Zulfikar Ramzan, chief technology officer at RSA.

Possible Attack Types

Hijacked processor
- Cryptocurrency mining

Unsecured data storage
- Identity theft, data theft or data modification

Weak authentication on IoT device
- Distributed denial-of-service attacks that can interfere with or disable business services
- Espionage, blackmail or intellectual property theft
- Remote control of assets by an attacker
- Potential breach of other networked assets as an attacker moves into a personal or corporate network after compromising an IoT device

Unsecured firmware
- “Bricking” devices, in which an attacker with firmware access could render them unusable
- Safety or physical-security incident, in which an attacker able to modify the firmware of a connected vehicle or piece of industrial machinery could interfere with the function of devices

The goal of establishing an accurate inventory is challenging for many industrial organizations. “Because of the proliferation of IoT devices on [operational technology] networks, there’s a large discrepancy between what they think they have and what they actually have,” said Dave Weinstein, expert associate partner at McKinsey & Co. Further, in industrial and enterprise contexts many IoT devices are unmanaged. “You’ve got folks who install them on an as-needed basis,” Weinstein said.

There is also a challenge in defining normal behavior for a given connected device. “It’s one thing to know there is, for instance, an MRI machine on the network. It is another to know if it is being used for some nefarious purpose,” Ramzan said.

Macro- to Micro-Level Risk Assessment 
Once an organization creates a comprehensive asset inventory, it can perform an in-depth analysis of its attack surface, which consists of various entry points attackers could abuse. The process is multifaceted, including analyzing how devices communicate, how they are administered, and the software and hardware they use.

This step involves documenting physical assets, IoT endpoints and related workstations and networking hardware, digital assets (including databases and cloud capabilities) and assessing who can access them. Another consideration is the communication and interaction among various components and assets. While few organizations understand their entire inventory, such knowledge can assist in identifying, prioritizing and remediating vulnerabilities.

A first step in creating a risk-based security strategy is establishing a bird’s-eye view of assets. But more challenging is quantifying the risk these assets pose. Once a baseline schematic is created, the next step is to take a closer look at the various components in the architecture and the attack surface they create. Given the broad and often malleable definition of IoT technology, “one of the first things you have to do is decide on a taxonomy of what these systems are,” Jamieson said. “And as our ability to understand security increases, we’re going to see an evolution of that taxonomy.”

Organizations can start by creating functional block diagrams for individual IoT devices that cite the software stack they use, including relevant software frameworks, third-party tools and so forth.

Relevant software considerations include the following security questions:

- What degree of control does the software have over assets, and what type of data does it store? How could an attacker exploit those elements?
- Does the software have known vulnerabilities or include back doors?
- How does the software respond to various hardware malfunctions or performance problems? 
- What type of encryption and authentication does the software support? 
- What kind of code review has the software received?
- Is there a secure infrastructure for regular automatic software updates, including for firmware?
- How secure is the authentication process? 
- Does the software collect sensitive data? If so, are there defined procedures for protecting it?
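The attack-type table and the software checklist above can be turned into a repeatable triage. The following is an added example, not code from the article or the CHARIOT project: it reconciles a declared inventory against the devices actually observed (the discrepancy quoted earlier), answers the checklist questions per device, and maps each control gap to the attack types from the table to rank devices by exposure. The device records, rule thresholds and impact weights are constructed assumptions.

```python
from dataclasses import dataclass
# Weakness -> (attack type, impact weight), following the article's table; weights are assumed.
ATTACK_MAP = {
    "hijacked_processor": [("cryptomining", 1)],
    "unsecured_storage": [("data theft or modification", 3)],
    "weak_authentication": [("DDoS participation", 2), ("espionage or IP theft", 3),
                            ("remote control of assets", 4), ("lateral movement", 4)],
    "unsecured_firmware": [("bricking", 2), ("safety incident", 5)],
}

@dataclass
class Device:
    name: str
    storage_encrypted: bool
    auth: str               # "none", "password" or "mfa"
    firmware_signed: bool   # signed images delivered over a secure update channel
    safety_relevant: bool   # can move or stop physical machinery
    managed: bool = True    # set by rank(): is the device in the declared inventory?

def weaknesses(d: Device) -> list[str]:
    """Answer the checklist questions for one device."""
    w = []
    if not d.storage_encrypted:
        w.append("unsecured_storage")
    if d.auth in ("none", "password"):
        w.append("weak_authentication")
    if not d.firmware_signed:
        w.append("unsecured_firmware")
    if "weak_authentication" in w or "unsecured_firmware" in w:
        w.append("hijacked_processor")   # assumption: either gap can yield code execution on the CPU
    return w

def exposure(d: Device) -> tuple[int, list[str]]:
    """Sum the impact of reachable attack types; unmanaged devices never get patched, so x2."""
    hits = {a: i for k in weaknesses(d) for a, i in ATTACK_MAP[k]
            if a != "safety incident" or d.safety_relevant}
    return sum(hits.values()) * (1 if d.managed else 2), sorted(hits)

def rank(declared: set[str], observed: list[Device]) -> list[tuple[str, int]]:
    """Reconcile declared vs observed inventory, then order devices by exposure."""
    for d in observed:
        d.managed = d.name in declared   # undeclared => nobody owns or patches it
    return sorted(((d.name, exposure(d)[0]) for d in observed), key=lambda t: -t[1])

# Constructed inventory: the declared list is missing a camera that was installed ad hoc.
DECLARED = {"mri-01", "plc-07"}
OBSERVED = [
    Device("mri-01", storage_encrypted=False, auth="password", firmware_signed=True, safety_relevant=True),
    Device("plc-07", storage_encrypted=True, auth="mfa", firmware_signed=False, safety_relevant=True),
    Device("cam-22", storage_encrypted=True, auth="none", firmware_signed=False, safety_relevant=False),
]

if __name__ == "__main__":
    for name, score in rank(DECLARED, OBSERVED):
        print(f"{name:8} exposure={score}")
```

The undeclared camera ends up at the top of the list even though it stores nothing sensitive, which is the point the inventory discussion makes: a device nobody knows about is a device nobody patches.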

Many IoT devices feature lightweight computing capabilities and rely on cloud-based services for some degree of their functionality. For cloud-based IoT services, organizations should ensure that off-premises software is configured correctly and that appropriate access controls are in place. Lax cloud security controls have fueled myriad data breaches in recent years. 

Conversely, secure cloud infrastructure can enable organizations to streamline security operations. Consider the benefits for IoT device makers relying on cloud functionality for their products. The centralization of cloud architecture enables manufacturer agility in terms of software updates that improve security while maintaining interoperability and functionality. “If we have a mature cloud framework interacting with IoT systems, you can use that framework to benefit new products … and currently fielded products as well,” Jamieson said.

Even as hardware costs decline, IoT devices have matured in processing capabilities and functionality. The edge computing model, which brings computation and data storage closer to the data source, is becoming more prevalent. Because edge computing deployments are still in their early stages, edge-specific cyberattacks remain rare.

But IoT deployments using an edge computing architecture often deserve special security consideration. First, edge computing devices communicating with gateway devices can complicate network visibility. Second, as endpoints gain functionality, they demand more sophisticated software. “As you increase the amount of code, you increase the attack surface,” Jamieson said. Similar to the situation with the cloud, the expanding capabilities of edge computing offer pros and cons from a security perspective. On the one hand, it potentially allows attackers to run more code to survey network components, perform crypto-mining and so forth. On the other, the increase in processing capabilities enables IoT implementers to take advantage of more sophisticated security software agents.

Given the “Internet of Things” moniker, two foundational security considerations are networking and hardware. While IoT promises a dramatic increase in the types of networked devices, the basic architectural underpinning in most implementations remains broadly similar to traditional networking deployments. For that reason, traditional reference architecture models such as the Open Systems Interconnection (OSI) model and the Purdue Model of Control Hierarchy for industrial control systems can benefit IoT deployments, depending on the context. While such models can help organizations evaluate architectural hierarchy and interconnection between assets, they are no substitute for a security reference architecture.

Networking and hardware considerations relevant to cybersecurity include the following criteria:

- What types of communication protocols and wireless authentication methods does the system use?
- What type of network security features are supported?
- Is end-to-end encryption supported and feasible?
- How secure is the hardware? Do endpoints include embedded security features such as trusted platform modules or hardware security modules?
- What threat does an attacker who is physically present pose to the hardware or networking gear (i.e., vandalism and tampering)?

The OSI model can be valuable when assessing a range of networking attacks. An essential element is to implement the principle of least privilege, which restricts access as far as possible without interfering with core processes. Organizations can also raise their maturity by adopting cryptographically protected and multi-factor authentication where feasible.

One element that can complicate a centralized approach to access control is relationships with third parties such as business and channel partners. A variety of vendor security assessment tools are available. Frameworks such as the recently released Department of Defense Cybersecurity Maturity Model Certification can also be valuable in assessing third-party cybersecurity maturity.

Putting the Pieces Together, Securely
Once organizations have addressed basic and intermediate-level cyber-hygiene issues, their focus can shift to proactively validating security controls and enhancing them over time. Organizations pursuing advanced cybersecurity maturity stand not only to reduce a vital element of business risk, but also to safeguard their reputation and to differentiate themselves in the marketplace.

Such maturity isn’t possible without factoring in cybersecurity from the beginning of a relevant process, whether designing a new product or rolling out a smart factory. “Organizations need to shift security earlier in the process,” said Sean Peasley, a partner at Deloitte.

While regulations such as the European Union’s General Data Protection Regulation and the California IoT Security Law are helping drive security awareness, they are less valuable to organizations with ambitions to make considerable progress in optimizing security controls. “They are a minimum set of requirements,” Jamieson said. “If you are a company that wants to market on security, the baseline is not good enough. You need to represent to your customers that you go beyond that.”