How to Set High IoT Security Standards for Your Team

The lack of globally accepted IoT security standards has been an issue in the IoT industry since usage of IoT devices exploded in popularity a decade ago; the industry’s security practices simply couldn’t keep up with the rapid increase in threats. According to Palo Alto Networks’ Unit 42 IoT Threat Report, 57% of IoT devices are vulnerable to medium- or high-severity attacks. The sheer number of IoT devices deployed in OT, the insecure deployment of Internet-capable devices, and a lack of security updates for many devices have made IoT networks an easy target for hackers aiming to steal your data.

Today, there are a few industry standards in place, a significant one being ETSI's EN 303 365, which sets out 13 requirements for manufacturers securing their devices. However, many IoT devices do not meet these security guidelines, nor can they be updated to meet them, because they were designed and installed before these standards existed. So, it’s up to individual actors to take security into their own hands. Fortunately, you don’t need to sacrifice large amounts of money and resources to implement robust security practices; you just need to commit to security measures early, create a review plan, and make sure these practices are revisited as your IoT network grows.

Because many IoT devices are not meeting IoT security standards, we recommend following a few easy-to-implement security practices. Here are four measures you can make standard amongst both new and old team members that will help keep your IoT devices secure. 

1) Use a Password Manager

If you aren’t taking passwords seriously, you absolutely should be. After all, your system is only as strong as your weakest password. Fully 81% of security breaches leveraged stolen or weak passwords, according to the 2020 Verizon Data Breach Investigations Report, so it’s safe to assume that if you haven’t considered passwords to be a weak point of your overall security approach, hackers certainly have.

Hackers have concocted numerous methods for cracking passwords. Keyloggers, for instance, record all of your keyboard keystrokes, allowing them to see the information you input. They could also try to guess a password by trying out different words from a “dictionary” of common passwords. Or, if you’re still using the default passwords set by device manufacturers, a hacker hardly needs to put forth any effort at all. 

Worse? Those who reuse the same password for multiple accounts are going to see a much larger impact than a user who utilizes unique passwords for each of their accounts. A hacker who obtains your password and email can easily attempt that same email and password combination for a list of popular web accounts. By using unique passwords, a breach in one account will not impact the others.

Our Tip: At EDG, we employ a password manager to store and protect our passwords. This not only allows us to keep our passwords complex and unique (without the burden of attempting to remember them or needing to write them down somewhere), it notifies us if a password has been compromised. This gives us the ability to move quickly to change that password and respond to any potential breaches of data. Further, a password manager lets us restrict individual passwords or groups of passwords by setting up user roles with access levels, allowing us to provide account access to team members on an as-needed basis. (This is a great first step to practicing “Zero Trust”, which we’ll expand on later.)

2) Isolate Your IoT Devices

In most circumstances, your IoT devices will need access to the Internet, but if you’re using a Wi-Fi network to access the Internet, you’re exposing your devices to every other entity also using the same network. If another machine on the same network is compromised, it’s all too easy for hackers to use it as an entry point to go after all of the other devices sharing space on the same network. 

Our Tip: Use a dedicated Wi-Fi network (or multiple Wi-Fi networks) to isolate your IoT devices, and set up virtual LANs (VLANs) in your router to segment traffic between the Wi-Fi network of your IoT devices and your other Wi-Fi networks. To truly isolate your devices, configure firewall rules between every pair of VLANs so that a device on one VLAN cannot communicate with a device on another. This will prevent hackers from seeing other devices connected to the same network, other devices connected to networks created by the same router, and other devices connected to the network via an Ethernet cable.

Of course, this tip specifically applies to Wi-Fi-connected devices. If you have the ability to connect your devices to the Internet using a cellular network, you have more inherent security built in since a machine on the same cellular network is less likely to see the other devices on it. (For a more robust cellular network, talk to your cellular device manufacturer about putting your devices on a VPN.) However, cellular networks don’t reach everywhere, and sometimes it makes more sense to use Wi-Fi instead. In those cases, it’s important that you configure these networks appropriately. 
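As an added example that is not part of the original post: a POSIX shell helper for a Linux router that emits an nftables forward-chain ruleset implementing the tip above, with a default-drop policy, a WAN-only accept for each VLAN, and a counted, logged drop for every VLAN pair so cross-VLAN attempts show up in your logs. The interface names (eth0, vlan10, vlan20) are assumptions; substitute your own.

```shell
#!/bin/sh
# Emit an nftables ruleset that isolates IoT VLANs from each other while
# letting each of them reach the Internet through the WAN interface.
# Interface names are placeholders; pass your own (WAN first, then VLANs).
# Apply with: gen_vlan_isolation_rules eth0 vlan10 vlan20 | nft -f -
gen_vlan_isolation_rules() {
    wan="$1"
    shift
    printf 'table inet iot_isolation {\n'
    printf '    chain forward {\n'
    # default drop: any pair without an explicit accept rule is blocked
    printf '        type filter hook forward priority 0; policy drop;\n'
    # replies to connections a VLAN itself started are allowed back in
    printf '        ct state established,related accept\n'
    printf '        ct state invalid drop\n'
    for src in "$@"; do
        # a VLAN may only initiate traffic toward the WAN
        printf '        iifname "%s" oifname "%s" accept\n' "$src" "$wan"
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            # explicit per-pair drop with a counter and a kernel log line,
            # so cross-VLAN attempts are visible to monitoring
            printf '        iifname "%s" oifname "%s" counter log prefix "vlan-xlk " drop\n' "$src" "$dst"
        done
    done
    printf '    }\n'
    printf '}\n'
}

# Number of VLAN-to-VLAN pairs the ruleset explicitly drops: n*(n-1).
count_pair_drops() {
    gen_vlan_isolation_rules "$@" | grep -c 'prefix "vlan-xlk "'
}
```

Because the chain's policy is drop, the per-pair rules are not what blocks the traffic; they exist so each blocked pair has its own counter and log prefix to watch.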

3) Implement a “Zero Trust” Model

The traditional approach to IT security has always been to automatically trust users and endpoints within an organization’s perimeter, but in our modern digital environment, following a “trust but verify” approach leaves you exposed to ransomware and cyberattacks. A Zero Trust model, on the other hand, follows the principle of “never trust, always verify”. All users, whether inside or outside your network, should be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to apps and data.

Whereas the “trust but verify” model of old implicitly trusted users and assets based solely on their physical or network location, Zero Trust assumes there is no perimeter. For that reason, you should continuously monitor and validate that users and devices have the right privileges and attributes to be connected to your system. In addition to verifying access, Zero Trust helps you limit the damage should a breach occur by segmenting information and mandating additional layers of security. 

Our Tip: Zero Trust is more than just a digital security standard; its principles should exist at all levels of your organization. At EDG, we have a “need to know” policy. This means we only provide information to team members if and when they need it. If they are not working on an application, we don't give them access to it, and when a team member will no longer be working with us, we follow a strict set of offboarding rules to ensure nothing sensitive leaves with them. Need-to-know access can be as simple as limiting password access to a user with a password manager, or hiding customer contact information from employees who only interface with internal team members.

4) Treat Development Repositories as Sacred

For software development teams, having a code repository is a godsend, offering a central place to save resources that everyone can pull from and more open collaboration channels amongst the team. It does this without sacrificing security: most repository hosts offer additional authentication measures and anti-malware protections.

A code repository is only as secure as you make it, though. In 2020 alone, GitGuardian detected over 2 million secrets in public repositories. And, back in 2019, a lapse in password security by a SolarWinds intern — in which the password, “solarwinds123,” was stored on a private GitHub account — may have contributed to the SolarWinds hack. While it’s unclear how significant this leak ultimately was, it still highlights the risks you take on when your repository is not maintained to high IoT security standards.

Stack Overflow was made aware of a similar breach in May of 2019, when they discovered that a new user had gained moderator- and developer-level access across all of the sites in the Stack Exchange Network — which barely scraped the surface of what the attack truly entailed. After a deep analysis of the breach, the team realized that their repository URL was inadvertently referenced in a public GitHub repo containing some of their open source code. Stack Overflow has since made a number of changes to how they structure access to their systems and manage secrets to prevent attacks such as this from occurring in the future.

Our Tip: It’s imperative that you treat your repositories as sacred places. All too often when we work with outside teams, we notice that their developers opt to store passwords and other app secrets in central repositories that everyone has access to. This is a huge violation of the Zero Trust doctrine, in which information is segmented and nobody has access to something they don’t explicitly need. If a team member has a copy of the repository on their machine, any passwords or app secrets within it are at risk of being stolen should that machine fall into the wrong hands.

Your IoT Data is Safe With EDG

Engineering Design Group (EDG) offers a complete IoT ecosystem for companies to monitor their distributed sensors from anywhere in the world. With EDG, find the hardware, software, and cloud infrastructure you need to build a secure, scalable, robust IoT system without sinking your own time and money into developing one from scratch. Whether we’re working with you to build a custom mobile app or you’re making use of our Client Portal to see all of your data in one place, EDG follows the strictest IoT security standards and protocols in the industry. If you’re interested in learning more about how our end-to-end solution enables you to seamlessly and securely collect IoT data, contact EDG today!
