
Security in IoT: Comprehensive Security Strategy

To ensure an adequate level of security for an IoT infrastructure, a comprehensive protection strategy is needed. Such a strategy covers protection of data in the cloud, protection of data integrity while it is transmitted over the Internet, and the secure production of the devices themselves.

This article describes the roles that make up the whole chain responsible for securing an IoT infrastructure, and gives recommendations for each of them.



Series of articles "Security in IoT"


1. Azure IoT Suite for those who start from scratch.
2. A comprehensive protection strategy.
3. Security system architecture.
4. Secure your Azure IoT deployment.

IoT Infrastructure Protection: Classification of Specialists


Developing and implementing a comprehensive protection strategy involves the various specialists who manufacture, develop and deploy IoT devices and infrastructure.

Manufacturer / integrator of IoT equipment. As a rule, this role includes manufacturers of the IoT equipment being deployed, integrators who assemble equipment from different manufacturers, and suppliers who provide equipment made by third-party manufacturers for deploying an IoT infrastructure.

IoT solution developer. IoT solutions are usually developed by a solution developer. This may be the company's own specialist or a system integrator with the corresponding specialization. An IoT solution developer can develop the various components of a solution from scratch, integrate standard or open source components into it, or adopt pre-configured solutions, making only minor changes to them.

IoT solution deployment specialist. Once development of the IoT solution is complete, it must be deployed on site. This process involves installing the equipment, establishing connections between devices, and deploying the solution on the hardware and cloud platforms.

IoT solution operator. After deployment, the IoT solution enters the long-term operation phase, during which it is monitored, updated and maintained. These tasks can be performed by the company's own staff: the IT department, equipment operation and maintenance personnel, and dedicated specialists who monitor the behavior of the IoT infrastructure as a whole.

The following sections give recommendations for each of these specialists on developing, deploying and operating a protected IoT infrastructure.

IoT equipment manufacturer / integrator


Recommendations for manufacturers and integrators of IoT equipment.

Equipment compliance with minimum requirements. When designing equipment, include only the minimum set of components and functions that are necessary for the equipment to operate. For example, USB ports should be provided only if they are needed to operate the equipment. Any additional component widens the attack surface and exposes the device to attacks that would otherwise be impossible.

Protect equipment from tampering. Build in mechanisms that detect physical tampering (for example, opening the device case or removing part of the device). Tamper signals can be transmitted to the cloud together with the data stream, where they alert operators to these events.

Build the infrastructure on secure equipment. If the price allows, provide security features such as secure, encrypted storage or a boot process based on a Trusted Platform Module (TPM). All of these features enhance the security of the devices and help protect the entire IoT infrastructure.

Protection during updates. At some stage of the device's life cycle its firmware will need to be updated. Secure update channels and cryptographic verification of firmware versions, provided for at the device assembly stage, protect the device during and after the update.
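The following added example (not code from the original article or from Microsoft) shows what "cryptographic verification of firmware versions" means in practice on the device side: before an update is installed, the manifest signature, the version number (to block rollback to an older, vulnerable build) and the image digest are all checked. Every value here is constructed; the manifest format is invented for the example, and an HMAC with a shared key stands in for the manufacturer's asymmetric signature, which is the assumption that keeps the code self-contained.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In a real device only a public key is
# stored and the manufacturer signs with the private key; the HMAC below is a
# stand-in for that signature so the example runs without extra libraries.
SIGNING_KEY = b"example-manufacturer-signing-key"  # constructed


class FirmwareRejected(Exception):
    """Raised when an update package fails any verification step."""


def sign_manifest(manifest: dict) -> str:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def build_package(image: bytes, version: int) -> dict:
    """Assemble a signed update package (constructed format: manifest + signature + image)."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest), "image": image}


def verify_package(package: dict, installed_version: int) -> dict:
    """Device-side checks, in order: signature, anti-rollback version, image digest."""
    manifest = package["manifest"]
    # 1. The manifest must come from the manufacturer; compare in constant time.
    if not hmac.compare_digest(sign_manifest(manifest), package["signature"]):
        raise FirmwareRejected("manifest signature invalid")
    # 2. A correctly signed but older image must not be re-installed (rollback).
    if manifest["version"] <= installed_version:
        raise FirmwareRejected(
            f"version {manifest['version']} is not newer than installed {installed_version}"
        )
    # 3. The image bytes must match what the signed manifest describes.
    image = package["image"]
    if len(image) != manifest["size"] or hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        raise FirmwareRejected("image digest does not match manifest")
    return manifest


def try_install(package: dict, installed_version: int):
    """Return (accepted, message) so callers can log the outcome as telemetry."""
    try:
        manifest = verify_package(package, installed_version)
        return True, f"installed version {manifest['version']}"
    except FirmwareRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = build_package(b"\x00" * 1024, version=5)
    print(try_install(good, installed_version=4))   # accepted
    print(try_install(good, installed_version=5))   # rejected: rollback/replay
```

The order of the checks matters: the signature is verified first so that an attacker cannot learn anything from the version or digest checks on a forged manifest, and the version check runs before the (more expensive) digest of the full image.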

IoT Solution Developer


Recommendations for developers of IoT solutions.

Apply secure application development practices. Developing secure applications requires an integrated approach to security at every stage, from the project concept through implementation, testing and deployment. The choice of platform, language and tools is made in accordance with this methodology. The Microsoft Security Development Lifecycle (SDL) provides step-by-step guidance on building secure software.

A thoughtful approach to choosing open source software. Open source software lets you develop solutions quickly. When choosing open source software, consider, for each software component being evaluated, the level of user activity in its community. An active community means the software is properly supported and problems are detected and fixed quickly. Low community activity, on the contrary, may indicate that the software is unsupported and that problems are not identified in a timely manner.

Precautions when integrating third-party libraries and APIs. Libraries and APIs may contain vulnerabilities that affect the security of the software as a whole. To ensure the security of the entire solution, check every integrated interface and component for vulnerabilities.

IoT Solution Deployment Specialist


Recommendations for deployers of the IoT solution.

Secure hardware deployment. Deploying an IoT infrastructure may involve placing equipment in unprotected locations (for example, publicly accessible or unsupervised ones). In such cases, make sure the equipment is protected from unauthorized alteration as much as possible. If the equipment has USB or other ports, provide reliable physical protection for them: attackers often use such ports as entry points.

Store authentication keys securely. During deployment, each device is assigned an identifier and associated authentication keys generated by the cloud service. These keys must be kept in a physically secure location even after deployment is complete. A malicious device can use a compromised key to impersonate an existing legitimate device.
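As an added example (not code from the original article or from the Azure SDKs), the block below shows how a device identity and its key are used at run time: the device derives a short-lived token from its key and the service recomputes the signature from the key it stored at provisioning. It follows the documented Azure IoT Hub shared access signature (SAS) layout (HMAC-SHA256 over the URL-encoded resource URI and expiry). The hub host name, device identifiers and keys are constructed, and the verifier here is a simplified stand-in for what the cloud service does.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Constructed values standing in for what the cloud service issues at
# provisioning: hub host, device identifiers and each device's primary key.
HUB_HOST = "example-hub.azure-devices.net"          # constructed
DEVICE_ID = "sensor-0001"                            # constructed
DEVICE_KEY_B64 = base64.b64encode(b"constructed-device-key-32-bytes!").decode()
OTHER_DEVICE_KEY_B64 = base64.b64encode(b"another-device-key-of-32-bytes!!").decode()

SCHEME = "SharedAccessSignature "


def resource_uri(hub_host: str, device_id: str) -> str:
    # Device-scoped resource: a token for this URI is useless for any other device.
    return f"{hub_host}/devices/{device_id}"


def _signature(uri: str, key_b64: str, expiry: int) -> str:
    # HMAC-SHA256 over "<url-encoded uri>\n<expiry>" with the base64-decoded key,
    # as in the Azure IoT Hub SAS token format.
    to_sign = f"{quote(uri, safe='')}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_sas_token(uri: str, key_b64: str, expiry: int) -> str:
    """Device side: derive a token that expires; the key itself never leaves the device."""
    sig = _signature(uri, key_b64, expiry)
    return f"{SCHEME}sr={quote(uri, safe='')}&sig={quote(sig, safe='')}&se={expiry}"


def verify_sas_token(token: str, key_b64: str, now: int):
    """Service side (simplified): check scheme, structure, expiry and signature.

    Returns (accepted, detail); detail is the resource URI on success."""
    if not token.startswith(SCHEME):
        return False, "unknown scheme"
    params = parse_qs(token[len(SCHEME):])  # percent-decodes the values
    try:
        uri, sig, expiry = params["sr"][0], params["sig"][0], int(params["se"][0])
    except (KeyError, ValueError, IndexError):
        return False, "malformed token"
    if now >= expiry:
        return False, "expired"
    # Recompute with the key stored for this device; constant-time comparison.
    if not hmac.compare_digest(_signature(uri, key_b64, expiry), sig):
        return False, "signature mismatch"
    return True, uri


if __name__ == "__main__":
    uri = resource_uri(HUB_HOST, DEVICE_ID)
    token = generate_sas_token(uri, DEVICE_KEY_B64, expiry=1_700_003_600)
    print(token)
    print(verify_sas_token(token, DEVICE_KEY_B64, now=1_700_000_000))
```

The point for the deployment specialist is visible in the verifier: everything the service checks is derived from the per-device key it was given at provisioning, so anyone who copies that key (from an unprotected deployment record, for example) can mint valid tokens for that device indefinitely, while a leaked token on its own is only useful until its expiry.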

IoT Solution Operator


Recommendations for IoT solution operators.

Keep the system up to date. Make sure the devices run the latest operating system and drivers. In Windows 10 (IoT and other SKUs), automatic installation of updates can be enabled.

Protection against malicious activity. If the operating system supports it, install the latest anti-virus and anti-malware software on every device. This significantly reduces the risk of external attacks. With proper security measures, most modern operating systems are protected from a wide range of threats.

Regular auditing. Auditing the IoT infrastructure for security issues is critical to effective incident response. Most operating systems have built-in logging. Check the logs regularly so that security breaches are detected in time. Audit data can be sent to the cloud service for analysis as a separate telemetry stream.

Physical protection of the IoT infrastructure. The most serious attacks on an IoT infrastructure are carried out through physical access to a device. To ensure security, it is important to protect USB ports and other means of physical access from unauthorized use. One of the most effective ways to detect a breach is to log physical access (for example, use of a USB port). Windows 10 (IoT and other SKUs) provides detailed logging of such events.
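The two recommendations above (regular auditing of device logs, and logging physical access such as USB port use) come together in the added example below, which is not code from the original article. It parses a small constructed physical-access log, applies a simple policy (USB attachment outside an assumed maintenance window, or any case-open event, raises an alert), tolerates malformed lines, and returns the alerts as a separate stream of records ready to be sent to the cloud. The JSON-lines log format, the event names and the maintenance window are all assumptions for the example; a real deployment would feed it the operating system's own event log.

```python
import json
from datetime import datetime, timezone

# Assumed policy: USB access is expected only during this UTC window (hours).
MAINTENANCE_WINDOW = (8, 18)
# Events that are always worth an alert, whatever the time.
ALWAYS_ALERT = {"case.open", "tamper.detected"}

# Constructed sample log in JSON-lines form (not a real device log).
SAMPLE_LOG = """\
{"ts": "2024-03-02T09:15:02Z", "device": "gw-01", "event": "usb.attach", "detail": "mass-storage"}
{"ts": "2024-03-02T09:20:44Z", "device": "gw-01", "event": "usb.detach", "detail": "mass-storage"}
{"ts": "2024-03-02T23:41:10Z", "device": "gw-02", "event": "usb.attach", "detail": "hid-keyboard"}
{"ts": "2024-03-03T01:05:33Z", "device": "gw-02", "event": "case.open", "detail": ""}
{"ts": "2024-03-03T10:00:00Z", "device": "gw-03", "event": "boot", "detail": "fw 2.1"}
this line is corrupt and must not stop the audit
"""


def parse_line(line: str):
    """Parse one log record; return None for anything malformed instead of raising."""
    try:
        rec = json.loads(line)
        if not all(k in rec for k in ("ts", "device", "event")):
            return None
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        return rec
    except (ValueError, TypeError, AttributeError):
        return None


def evaluate(rec: dict):
    """Return an alert record if the event violates the physical-access policy, else None."""
    base = {"device": rec["device"], "ts": rec["ts"].isoformat(), "event": rec["event"]}
    if rec["event"] in ALWAYS_ALERT:
        return dict(base, severity="high", reason=rec["event"])
    if rec["event"] == "usb.attach":
        hour = rec["ts"].astimezone(timezone.utc).hour
        if not (MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]):
            return dict(base, severity="medium",
                        reason=f"usb.attach outside maintenance window ({rec.get('detail', '')})")
    return None


def audit(log_text: str):
    """Run the policy over a log; return (alerts, number_of_skipped_lines)."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1       # counted, so a flood of unparseable lines is itself visible
            continue
        alert = evaluate(rec)
        if alert:
            alerts.append(alert)
    return alerts, skipped


if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for a in found:
        print(json.dumps(a))   # each line is one record of the alert telemetry stream
    print(f"skipped {bad} malformed line(s)")
```

Note that the daytime USB attachment on gw-01 produces no alert while the night-time one on gw-02 does; the skipped-line count is returned rather than discarded, because a device that suddenly emits unparseable audit records deserves attention too.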

Protect cloud credentials. The cloud authentication credentials used to configure and operate an IoT deployment are perhaps the most serious vulnerability: attackers can easily use them to gain access to the IoT system and compromise it. To protect your credentials, change your password regularly and avoid using these credentials on public computers.

The functionality of IoT devices varies. Some run a standard desktop operating system, others a lightweight OS. The security recommendations above therefore apply differently to different devices. Also take into account any additional deployment and security recommendations from the device manufacturers.

Some legacy or limited-function devices may not support the capabilities needed to use them in an IoT deployment: they may lack data encryption, Internet connectivity or advanced auditing. In this case, data from legacy devices is aggregated by a modern, well-protected field gateway, which also provides the required level of security when connecting such devices to the Internet. Field gateways perform secure authentication, negotiate encrypted sessions, receive commands from the cloud, and provide other security functions.

Useful materials


1. Overview of predictive maintenance features in pre-configured solutions.
2. Azure IoT Suite: frequently asked questions.
3. The author's GitHub account.

If you see an inaccuracy of the translation, please report this to private messages.

Source: https://habr.com/ru/post/315578/
