The public sector has recently ramped up its investment in the IoT, with the federal government spending an estimated $35 billion on IoT solutions from fiscal 2011-2015. Analysts only predict that number will grow with the advent of sensors, smart cities and connected cars.
Recently several reports about the vulnerability of the IoT have been released. Krebs Security called out nefarious actors launching a distributed denial-of-service (DDoS) attack while a security research team in China hacked into a Tesla Model S. And what this means is that manufacturers of Internet-connected devices need to get a lot smarter about security — and governments purchasing IoT devices should be paying attention to product security.
To help guide startups toward creating more secure products, the Cloud Security Alliance (CSA), an organization dedicated to perfecting the best practices for secure cloud computing, released a report detailing 13 steps necessary to ensure a well protected product — steps that, when followed by vendors, will also protect government-procured devices on the Internet of Things from being exposed to breaches.
|
1. Start with a secure development methodology 2. Implement a secure development and integration environment 3. Identify framework and platform security features 4. Establish privacy protections 5. Design in hardware-based security controls 6. Protect data 7. Protect logical interfaces/APIs 8. Provide a secure update capability 9. Implement authentication, authorization and access control features 10. Establish a secure key management capability 11. Provide logging mechanisms 12. Perform security reviews internally 13. Perform security reviews externally — Cloud Security Alliance |
“Make sure as somebody who oversees technology for a local area that your vendors are actually following some best practices in how they develop things you're procuring,” Russell forewarned.
It is necessary to set up guidelines for any potential companies that are trying to sell to the public. And while the first step may be the most important in developing a secure device, the work doesn't end there.
The security process is cyclical, according to Russell. All steps taken in designing the product should be followed by security tests and reviews. Even if a city has already fielded IoT devices, it's not too late.
“Do something now,” Russell advised. At the very least, pay a security group to investigate products that have already been deployed and see of they can find any vulnerabilities. That is a cheap and efficient way to safeguard devices in your IoT network. External security testing, he said, can be done at, “low cost and be done immediately.”
Perhaps the biggest danger for municipalities is shelling out millions for a network of upgraded IoT devices and then question how secure the system is, said CSA Senior Research Analyst John Yeoh.
Public officials should be weary of retrofitting existing infrastructure and devices with smart sensors and Internet-enabled devices, he said, explaining that some of the biggest vulnerabilities are in legacy devices or systems trying to move into the smart market.
This is because systems in place, such as traffic control systems, were never envisioned to be Internet-connected. The predicted mass introduction of self-driving vehicles, however forces governments to introduce a communication medium for cars, traffic lights and pedestrian walk lights. And in these types of upgraded systems lie the greatest potential for danger.
Nobody wants to be the face of government incompetence. Security of data and IoT networks is crucial for the next decade. Whether procurement officers operate in cities the size of Chicago, putting hundreds of sensors on buildings and traffic lights or a smaller towns buying new smart water meters, the public sector needs to know what they are up against.
“As municipality or state government," Yeoh said, "the last thing you want to see is all the assets you procured to enable a smart city are now zombies in a botnet."