With an increasing focus on digital transformation within the enterprise it is clear that the investment into foundational technologies such as the IoT has increased exponentially over the past few years. IoT is being used to drive automation through the new ability to monitor, report, alert, react and automate business processes which in turn drives the transformation of digital products, service models and critical business operations.
Throughout 2020 and 2021 the increased focus on transforming critical sectors that were impacted by COVID-19, or that saw the changes as an opportunity to enter a new market, led to the need either to adapt existing products or to re-think the model and deploy a new solution. The time pressure of getting to market quickly always manifests in the question we hear from our customers: "how can I increase the velocity of my product launch?" This has been asked more and more in specific verticals that are seeing large investment, such as supply chain solutions, remote monitoring and, of course, healthcare solutions.
The increasing need to satisfy the near-instant needs of the consumer or end user can often lead to certain elements of the solution being de-prioritized or becoming an afterthought, which was traditionally the case with IoT security. However, with new and upcoming regulatory frameworks requiring IoT devices to be deployed with a minimum security level, coupled with the convergence of IT and OT networks, security has quickly moved to the forefront of everyone's minds.
Security is a large topic in every industry; within IoT it ranges across:
- Device security principles
- Device credential and identity management
- Application security
- Network security and application data transport
- Data Storage Security
- Cloud and IT security
In this blog, I will cover the concept of zero trust networks and the operational management of securely deployed devices.
What is Zero Trust?
Over the past five years zero trust has emerged as a foundational cyber security concept that guides the approach organizations take when securing their networks, devices and users. Historically, networks were secured through a hardened firewall protecting the network from external threats. Devices connected to the internal network were assumed to be verified, secured and trusted. However, the boundaries of the internal network have been stretched by the deployment of connected IoT devices outside the traditional IT network, and with users increasingly accessing data from outside the office, this approach quickly became a security liability.
The Zero Trust approach removes any presumption of security and replaces it with the principle of "never trust, always verify". This means treating everyone and everything on your network as potentially malicious: no implicit trust should be granted to any device or connection. Zero Trust has gained good momentum within the enterprise IT space; however, most organisations have struggled to implement it for IoT devices. The basic premise is understanding every connected user and device and every bit of data they are trying to access. That is simpler with managed hardware like laptops, servers and mobile phones, but how do you apply this approach to connected IoT devices?
Connected Devices: Secure by design
Securing an IoT solution with a Zero Trust model begins with some traditional security considerations to ensure that the identity of connected devices, and the access they have, is already managed. The secure by design principles as laid out by the UK Government are:
- Security should be built into products from the beginning, it can’t be added in later;
- Security should be added to treat the root cause of a problem, not its symptoms;
- Security is never a goal in and of itself, it is a process – and it must continue throughout the lifetime of the product;
- Security should never compromise usability – products need to be secure enough, then maximise usability;
- Security should not require extensive configuration to work, and should just work reliably where implemented;
- Security should constantly evolve to meet and defeat the latest threats – new security features should take longer to defeat than they take to build;
- Security through obscurity should be avoided;
- Security should not require specific technical understanding or non-obvious behaviour from the user.
Essentially, ensuring that devices are deployed with a certificate-based identity that is remotely updatable and configurable, coupled with the ability to remotely update the device's firmware or application stack, provides the foundation for a secure device.
Managing devices like users
With the previous security design principles implemented and understood, we can move onto Zero Trust and the operational management of networks of connected IoT Devices.
A key element of Zero Trust is that it starts with the user identity and privileges, but it is not limited to the user. Security must focus on where the threat is, and if a massive number of connected devices are communicating critical information to critical infrastructure, then security divisions need to re-examine the concept of identity within the network. Every connected device needs to have an identity and a security profile, and must be brought under the consideration of the Zero Trust network.
Four key steps to managing IoT devices as users under a Zero Trust approach:
1. Uniqueness of devices changes attack vectors
Understand the purpose and capabilities of the connected device. This can be a vastly difficult task, as there is a plethora of devices that each come with their own use case, risks and technical limitations. Consider a battery-powered smart meter or industrial pump versus a connected car or edge gateway: the hardware capabilities of each of these solutions will be vastly different, yet all can communicate as an equal citizen on the network.
The key requirement is to reliably discover and classify devices on the network. Solutions should provide critical information about each device's identity, purpose, capabilities, location and standard behavior. It is critical that this is automated, so that a device can be deployed with a trusted identity and then immediately segmented and profiled for its standard use.
2. Operationalization of trust: identify at-risk devices
Once core device visibility has been established, it is time to understand and identify each device's operational risk profile. This includes identifying devices that are operating with known vulnerabilities, hardware issues, outdated authentication methods or outdated access credentials. From here the information about the device's state can be balanced against the risk profile of the use case, so the right corrective action can be taken.
This information can be used to identify and resolve the security issues with one device, but enterprises may want to use it to drive security policies within their network that dynamically and automatically lower the overall risk. An example could be that every high-risk device must immediately update its firmware over the air to the latest version as soon as that firmware is released.
3. Understand network behavior
Now that the device is understood and the tools to take action are in place, we need to evaluate and understand the network behavior and communication requirements of each device. It's well understood that an IoT device should have fairly predictable communication behaviour, such as connecting at specific time intervals, sending known amounts of data to known IP addresses, and using known protocols and ports to do so.
Organisations should create a reference point for how they expect the device to behave. This could be a profile that is created and understood up front, or an application that learns and builds a baseline of how the device behaves over the initial term of its deployment. This information can then be used to detect anomalies and threats by identifying that a device's behaviour on the network has changed; having the tools to identify that change is key. For example, if a device starts to send duplicate data to an unknown IP address, is this valid? Has the device had its firmware or application stack updated recently in a way that explains this change in behaviour? Is this happening on one device or on many? Having this information allows you to take action.
4. Automatically Segregate Devices
With the policies above creating a secure device with tools to manage in-field behaviour, coupled with a framework to manage and understand device behavior, it is key that this information is used and enforced rigorously.
Security policies should be created, updated and managed continuously with the most recent known set of information, and then enforced throughout the entire network of connected devices. This can be achieved by creating policies for the use cases on the network that segregate devices that do not conform to a policy. This provides a level of trust that only assets meeting these policies can achieve, and it means the list of segregated, at-risk assets is understood and action can be taken to bring them back into compliance with the policy.
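The four steps above form one pipeline: discover and classify the device, score its operational risk, compare its observed network behaviour with a baseline, and segregate it according to policy. The following is an added example of that pipeline in Python; it is not Pelion's code or part of the original post. The prefix-to-class table, the risk weights, the `max_risk` threshold, the segment names, the baselines and the log format are all assumptions, and every device record and log line is constructed sample data.

```python
from dataclasses import dataclass

# Step 1: a prefix-to-class table stands in for a real discovery/classification
# service (assumption: device ids are issued with a class prefix).
CLASS_BY_PREFIX = {"meter-": "smart_meter", "gw-": "gateway"}


@dataclass
class Device:
    device_id: str
    device_class: str
    firmware: str
    latest_firmware: str
    auth_method: str          # "x509" (certificate identity) or "psk" (legacy)
    cert_days_left: int       # days until the identity certificate expires
    segment: str = "quarantine"   # never trust: a new device starts isolated


@dataclass(frozen=True)
class Baseline:
    allowed_dests: frozenset  # destinations the class is expected to talk to
    allowed_ports: frozenset
    max_bytes: int            # largest expected payload per connection
    min_interval_s: int       # shortest expected gap between connections


# Expected behaviour per device class (constructed values).
BASELINES = {
    "smart_meter": Baseline(frozenset({"10.0.1.5"}), frozenset({8883}), 4096, 900),
    "gateway": Baseline(frozenset({"10.0.1.5", "10.0.1.6"}), frozenset({8883, 443}),
                        1_000_000, 60),
}


def classify(device_id: str) -> str:
    """Step 1: map a discovered device to a class; anything unrecognised stays 'unknown'."""
    for prefix, cls in CLASS_BY_PREFIX.items():
        if device_id.startswith(prefix):
            return cls
    return "unknown"


def risk_score(d: Device) -> int:
    """Step 2: score known weaknesses; weights are assumptions, higher is riskier."""
    score = 0
    if d.firmware != d.latest_firmware:
        score += 3            # outdated (potentially vulnerable) firmware
    if d.auth_method != "x509":
        score += 2            # outdated authentication method
    if d.cert_days_left < 30:
        score += 1            # identity credential about to expire
    return score


def parse_log(line: str):
    """Constructed log format: '<epoch> <device_id> <dest_ip> <dest_port> <bytes>'."""
    ts, dev, dest, port, nbytes = line.split()
    return int(ts), dev, dest, int(port), int(nbytes)


def detect_anomalies(d: Device, lines) -> list:
    """Step 3: compare each observed connection of this device with its class baseline."""
    b = BASELINES.get(d.device_class)
    if b is None:
        return ["no behavioural baseline for class %r" % d.device_class]
    findings, last_ts = [], None
    for ts, dev, dest, port, nbytes in sorted(parse_log(line) for line in lines):
        if dev != d.device_id:
            continue
        if dest not in b.allowed_dests:
            findings.append(f"unexpected destination {dest}")
        if port not in b.allowed_ports:
            findings.append(f"unexpected port {port}")
        if nbytes > b.max_bytes:
            findings.append(f"payload {nbytes} bytes exceeds baseline {b.max_bytes}")
        if last_ts is not None and ts - last_ts < b.min_interval_s:
            findings.append(f"connection interval {ts - last_ts}s below baseline")
        last_ts = ts
    return findings


def apply_policy(d: Device, findings, max_risk: int = 2) -> str:
    """Step 4: assign a network segment. Threshold and segment names are assumptions."""
    if findings:
        d.segment = "quarantine"      # behaviour changed: isolate until investigated
    elif risk_score(d) > max_risk:
        d.segment = "restricted"      # may only reach the firmware update service
    else:
        d.segment = "production"
    return d.segment


def evaluate_fleet(registrations, lines) -> dict:
    """Run all four steps over raw registration records and connection logs."""
    result = {}
    for r in registrations:
        d = Device(r["id"], classify(r["id"]), r["fw"], r["latest_fw"], r["auth"], r["cert_days"])
        result[d.device_id] = apply_policy(d, detect_anomalies(d, lines))
    return result


REGISTRATIONS = [  # constructed sample inventory
    {"id": "meter-001", "fw": "1.2", "latest_fw": "1.2", "auth": "x509", "cert_days": 200},
    {"id": "meter-002", "fw": "1.1", "latest_fw": "1.2", "auth": "x509", "cert_days": 200},
    {"id": "gw-01", "fw": "4.0", "latest_fw": "4.0", "auth": "x509", "cert_days": 90},
    {"id": "cam-77", "fw": "0.9", "latest_fw": "0.9", "auth": "psk", "cert_days": 0},
]
LOG_LINES = [  # constructed connection records: epoch device dest port bytes
    "1700000000 meter-001 10.0.1.5 8883 512",
    "1700000900 meter-001 10.0.1.5 8883 520",
    "1700000000 meter-002 10.0.1.5 8883 510",
    "1700000000 gw-01 10.0.1.5 8883 20000",
    "1700000030 gw-01 203.0.113.9 443 90000",
]

if __name__ == "__main__":
    for dev_id, segment in evaluate_fleet(REGISTRATIONS, LOG_LINES).items():
        print(dev_id, "->", segment)
```

Running it places meter-001 in production, meter-002 (outdated firmware) in the restricted segment where only the update service is reachable, gw-01 in quarantine because it contacted an unknown address and reconnected faster than its baseline allows, and cam-77 in quarantine simply because it could not be classified and so has no baseline to verify against. That last case is the "never trust" default: an unknown device is not granted access just because it is present on the network.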
The market is changing
In late 2020, Pelion and the GSMA launched a survey that focused on security for the enterprise. A key takeaway from the report was that an overwhelming majority of respondents were clear that they have changed their security practices as a result of their previous deployments. The market is changing to ensure that the products that impact our lives in every industry have a fundamental level of security moving forwards. With most organisations now building a security-first strategy for their infrastructure, it is important to remember that not only must the initial build of diverse devices be secure, but so must the management of these devices throughout their lifecycle.
To recap, the security measures that most organisations utilise today were originally designed for a more traditional IT network of known and trusted assets. As the edge of the network rapidly changes to include connected IoT devices, the network environment must be re-evaluated from a security perspective. Zero Trust enables enterprises to implement a consistent security profile over a multitude of assets and across various use cases; together with devices built with security first in mind, this helps minimize the risk presented by deployed devices and improves trust in your network.