How to protect IoT systems against hacking attacks. Recommendations of ENISA
In late 2018, the European Union Agency for Network and Information Security (ENISA) developed practical recommendations on the provision of cyber security in IoT systems. Currently, this paper provides the most detailed guidelines in the field.
Good Practices for Security of Internet of Things in the context of Smart Manufacturing contains technical information about security challenges in IoT, analysis of current documentation, classification of vulnerabilities, and 110 practices to prevent them.
Below are the key statements of the paper.
Main gaps in the security of IoT systems
Data protection experts have long been advising IoT manufacturers to adhere to the principles of comprehensive information security. According to them, the security of IoT products should be sustained at all stages of the device lifecycle – from production to disposal.
However, providers of IoT services and devices usually do not pay enough attention to this aspect and use unprotected cloud infrastructure or unaudited software.
As a result, a number of problems arise:
- lack of support from manufacturers even after a vulnerability has been detected;
- difficulties with, or no possibility of, updating the software and operating system;
- a vulnerability in one gadget allows an attacker to penetrate the whole network.
All these factors lead to the growing number of hacking attacks on IoT systems.
IoT cyber security attack scenarios
Each attack scenario has a criticality level – low, medium, or high. Overall, the paper distinguishes 12 zones of risk, of which we will review the 6 most dangerous ones.
1. Attacks against sensors of IoT devices
An affected sensor can ignore a power surge, resulting in physical damage to the system. Consequences of this attack may include manipulation of hardware and software, sabotage or malfunction of the sensor / actuator, and breakdown of the control system.
2. Attacks against network data
This attack targets data transmitted over the network. At the level of the controller and control system (DCS, SCADA), the attacker's actions go unnoticed, because system owners see correct values. The manipulation can be detected by monitoring network-layer traffic.
The attack can affect the production process or cause serious damage to the enterprise. For example, changes in furnace temperature can lead to an explosion.
3. Attacks against IIoT gateways
This type of attack comprises several stages and is usually launched covertly. The attacker tries to hack the IIoT gateway, potentially compromising the entire information environment. The attack is especially dangerous if the enterprise uses weak or default passwords or protocols.
In this case, the attacker gains access to data, devices, systems, and network equipment. During this attack, the attacker can steal passwords and personal data, launch malware, and mount DDoS attacks.
4. Attacks against remote controller devices
Attackers can also hack devices located far away from the control system, for example, smartphones. Wearable gadgets are simple to hack, and by using them, hackers can gain access to systems faster than by other means.
Password attacks, exploitation of software vulnerabilities, session hijacking, data disclosure, blackmail – all of these may result from attacks against remote controller devices.
5. Attacks based on human errors
Attacks of this type usually target big corporations, where many people have access to administration systems. Loopholes in the security system caused by the human factor are difficult to detect due to their nontechnical nature. This may include erroneous use of devices, unintentional change of data in the OT system, or physical damage to equipment.
The attack can lead to system failures or become part of more complex manipulations related to the theft of data, money, or intellectual property.
6. Attacks using artificial intelligence (AI)
Such attacks require a lot of time and money, and for this reason they usually target large-scale systems, for example, IIoT systems. Using AI, attackers can combine data collected on the Internet with already known data, speeding up the search for security loopholes.
These attacks often target specific people, for example, system administrators. They can lead to the loss of data.
Organizational practices for IoT security
ENISA believes that producers of IoT devices should secure their products at the production stage. Here the organization of processes inside the company plays a vital role.
Therefore, the agency has drafted organizational principles for IoT producers:
- ensure security of software and hardware at every stage of the product lifecycle;
- take into account security measures within the supply chain;
- conduct cybersecurity field testing to verify that products comply with their technical specification;
- streamline secure document flow at all stages of the project – from the development of the IoT device or service to its operation;
- build an integral security architecture of the IoT system;
- control the compliance with requirements in the established security architecture;
- detect and check promptly every unusual event related to security;
- define the process of handling incidents (identification of affected assets, detection and classification of vulnerabilities, elimination of the latter);
- consider establishing a Cybersecurity Operations Centre (SOC), where specialists will handle these issues.
Technical practices for IoT security
Apart from the organizational aspects, security also depends on the technical capabilities of the IoT environment. Technical security measures should be implemented in the devices themselves.
To implement them, ENISA recommends the following:
- check the integrity of software before launching it;
- authorize all IIoT devices of the OT network using relevant methods, for example, digital certificates or PKI;
- draft a list of data exchange channels between IIoT devices and choose only secure channels;
- draft application whitelists and review the list at least once a year;
- restrict access to systems through detailed authorization;
- provide access to the system only to a restricted number of users with the least access privileges;
- design the device so that privileged code and processes are isolated from the parts of the firmware that do not need to interact with them;
- implement a balanced infrastructure resilient to DDoS attacks;
- make sure that web interfaces encrypt user sessions, from device to server services, and that they are not exposed to XSS, CSRF attacks, SQL injections, etc.
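As an added illustration of the first and fourth practices above (this is example code, not from ENISA's document or the forum), the following launch-time gate hashes a software image and compares it with a signed manifest before execution, and refuses anything absent from that manifest, which doubles as the application whitelist. It assumes the manifest key is provisioned in a hardware-protected store on the device; the key, the image bytes and the manifest are constructed inline so the example runs offline.

```python
import hashlib
import hmac
import json

# Assumption: on a real device this key lives in a secure element; it is
# constructed inline here only so the example runs offline.
MANIFEST_KEY = b"example-device-provisioned-key"


def sign_manifest(entries: dict, key: bytes) -> bytes:
    """Return manifest bytes: canonical JSON followed by an HMAC-SHA256 tag (hex)."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_manifest(blob: bytes, key: bytes) -> dict:
    """Verify the manifest tag in constant time; refuse a tampered manifest."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest signature check failed")
    return json.loads(body)


def launch_allowed(name: str, image: bytes, manifest: dict) -> bool:
    """True only if `name` is whitelisted and `image` hashes to the recorded digest."""
    expected = manifest.get(name)
    if expected is None:  # not on the application whitelist
        return False
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample image standing in for a controller application binary.
GOOD_CONTROLLER = b"plc-logic-v2.3 bytes"
ALLOWLIST = {"plc-logic": hashlib.sha256(GOOD_CONTROLLER).hexdigest()}
MANIFEST = sign_manifest(ALLOWLIST, MANIFEST_KEY)


def gate(name: str, image: bytes, manifest_blob: bytes = MANIFEST) -> bool:
    """Full check run before launch: authenticate manifest, then verify the image."""
    try:
        manifest = load_manifest(manifest_blob, MANIFEST_KEY)
    except ValueError:
        return False
    return launch_allowed(name, image, manifest)


if __name__ == "__main__":
    print(gate("plc-logic", GOOD_CONTROLLER))             # True
    print(gate("plc-logic", GOOD_CONTROLLER + b"patch"))  # False: modified image
    print(gate("debug-shell", b"anything"))               # False: not whitelisted
```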
Protection of IoT systems against unauthorized access is gaining momentum. According to data from the analytics firm Gartner, global spending on IoT cyber protection increased by 29%, from $912 million to $1.17 billion, from 2016 to 2017. The arrival of additional investment, practical recommendations and cyber security specialists may positively affect the overall development of the IoT market.
Learn more about information security of IoT systems at the international Internet of Things Forum held in Moscow on March 27.