IoT Security from the Ground Up

By Chris Francosky

How to safeguard your network in the age of the Internet of Things.

According to a recent study from Ponemon Institute that surveyed 16,450 IT and IT security professionals working in mobile and Internet of Things (IoT) security, only 30 percent of respondents said their organization dedicates an appropriate amount of budget to secure mobile applications and IoT devices. As the number of IoT endpoints skyrockets, this low attention to security is a significant concern. While the data generated by IoT devices can create great value for businesses, it also represents a growing treasure trove for cyber criminals.

You can reduce your exposure to IoT security risks by following the best practices discussed below:

Design Considerations
Are you building your IoT solution with security in mind, or is it an afterthought? If security is not prioritized in the initial design, it will be more difficult to integrate later in the process. Identifying potential threats early in the design stages allows you to proactively reduce liabilities and be better prepared if a breach occurs.

As you are building an IoT application, weave security into every aspect of its design. Assign at least one member from the development team to be focused on security, and, if possible, have that person complete an industry-standard security certification. Also, establish protocols for internal security and regular testing, and update future guidelines based on those findings.

Data Encryption
Is your data sufficiently protected? Many IoT devices transmit some degree of confidential or personal information. Some examples include patient information (in the health-care industry), credit card numbers (for retailers) or Social Security information (with financial services organizations). Data encryption changes information so that it is unreadable to threat actors that may be eavesdropping on the connection.

To sufficiently protect data in transit, at a minimum it is critical to deploy a site-to-site VPN tunnel from the IoT operator network to the back-end server's network. Doing so enables encrypted data transmission across the most vulnerable segment of the network path. That said, even under the assumption that the VPN tunnel is between two trusted networks, it is still important to use controls for strong authentication on the endpoints should a device or the channel be compromised.

Partner Integrity
Your network is only as secure as your weakest partner or link, so make sure each link meets or exceeds your security standards. A vast number of IoT applications rely on cellular connectivity, and this often involves three network connection partners:
• The mobile network operator (MNO)
• The IoT network operator
• The internet service provider (ISP)

If any of these third-party network providers do not meet security requirements, your data is at risk. It is crucial to vet partners to ensure they employ the most up-to-date protocols and technology, so be sure to conduct due diligence regarding proficiencies in the following areas:
• Intrusion prevention systems (IPS)
• Distributed denial-of-service (DDoS) defense systems
• Security patch and update processes
• Firewall models
• Real-time network operations monitoring
• Incident response

Access Control
Who can access your data and systems? In some instances, confidentiality is far less important than access control. An example use-case is an IoT application that locks or unlocks your car door; no confidential information is being shared, but you would not want unauthorized parties to access this system.

Understanding who has access to your data or systems is not always as easy as it seems. Employees may leave the company, be promoted or transfer to other divisions, but often retain access rights that should be changed or discontinued. It is critical to make sure privileges are up-to-date to avoid unauthorized access, whether unintentional or otherwise.

Furthermore, IoT devices should be designed with internal security components, allowing wireless connectivity to be protected. Ensure that devices with removable SIM cards are not accessible by unauthorized parties. If you use over-the-air application updates, implement a preventative mechanism, such as code-signing, to protect your devices from unauthorized updates.

Do you know when a security breach has occurred on your network or IoT device? If so, how soon will you be notified? Even the strongest preventive security systems aren't foolproof. Statistically, every organization will likely experience a security breach of some degree, regardless of precautions. The key is shrinking potential damage to its least liability. Early detection of an event allows for a quicker response, thus reducing the risk of malicious use.

When a breach occurs, time is of the essence. As soon as something goes wrong, you should know about it—every minute that passes can be costly. Make sure that back-end applications have the ability to log abnormalities. Partnering with an IoT network operator that provides alerting tools for fraud detection and prevention can give you more rapid insight into potential problems. Your internal teams should also monitor data logs and create automatic alerts for signs of compromise for an extra layer of security.

In Conclusion
The Internet of Things continues to blur the lines between our physical and digital worlds, in which everything is connected and has the potential to transmit sensitive data. And while the IoT is becoming a necessary capability for businesses to remain competitive, the security risks are real. Follow the guidelines described above and you will be in a better place to mitigate potential breaches.

Chris Francosky is KORE's VP of network engineering and IT operations. With more than 20 years of information technology industry experience, Chris has overseen dozens of large-scale wireless and mobile technology projects. Prior to leading the IT Operations group at KORE, Chris served as the VP of technology at RacoWireless, a leading provider of wireless products and services focusing on the machine-to-machine (M2M) industry. He has an extensive background in cybersecurity, IoT application design and high-availability SaaS/PaaS architecture.