InfoGuard Cyber Security and Cyber Defence Blog

Getting IoT projects securely on track

Written by Andreas Koelliker | 14 Feb 2017

The Internet of Things (IoT) – currently the source of so much hype in the world of IT – is now also impacting businesses and energy suppliers. Nonetheless, today’s cyber threats constitute a major challenge for IoT projects. Furthermore, the various solutions and components involved require quite different levels of protection. It therefore makes sense to get informed about the different risks and critical vulnerabilities. Read on to find out what specific action you can take ...

The energy supply industry is in many ways a model of good practice with regard to safety and system availability. With the Internet of Things, however, industry solutions are moving – in all sorts of areas – towards an “operational technology” (OT) scenario, one in which critical systems are no longer adequately insulated from each other. While IoT is not new, the possibilities it now offers are more tempting than ever and offer opportunities for future business success. This is clearly demonstrated by some IoT projects that have already been implemented here in Switzerland. In one such project, for example, intelligent systems control a suite of hot-water boilers for the supply of balancing energy. In this case, systems are used to automate entire meter-to-cash processes, while complex smart grid components take over critical functions in the power grid. In such instances it’s important to protect not just the integrity and availability of individual systems but also the data. For some time now, the business case for IoT systems has derived not only from the ability to automate processes but also from the opportunities they bring for customising and personalising energy products and associated services. However, if suppliers are to retain consumers’ confidence, they will need to take the protection of their personal data seriously. This is all the more true because of the way in which data is processed in the cloud and transferred via unreliable networks between objects, people and services. The security requirements of IoT projects therefore involve competencies from the worlds of both IT and OT.

Identifying risks before the lights go out

At which stage of development and in respect of which activities should these security requirements be tackled in IoT systems? While IoT projects no longer involve complex science, they do display certain special features. For example, security by design is the current mantra in the security industry. In reality, however, from an innovation point of view, it's a principle that can only be applied in respect of critical projects or IoT-specific requirements. In order to assess the security requirements of an IoT project, the first step is to undertake an appropriate risk analysis. This will involve considering the impacts of potential incidents in the context of IoT system deployment and use cases. The following questions should be considered:

  • Would an incident impact on critical services?
  • Would the reputation of your company be affected?
  • Would the failure to provide services or a breach of statutory obligations result in a financial loss for your business?

On this basis, you can undertake an initial assessment of how critical the impacts would be and identify an appropriate way forward. This could mean that security by design is indeed an absolute necessity or alternatively could require individual security measures to be implemented first of all. In IoT projects involving a heightened need for security, the next phase should be to identify the likelihood of incidents and define the resulting priorities. This can be done by evaluating the potential organisational and technical vulnerabilities both in the overall system and in respect of the individual components.

Test, test and test again ...

In the next stage, you should investigate and test both your IT security set-up and the physical robustness of the components in use. Additionally, however, you should consider the communication between those components, the central data processing systems, and the interaction between users and operators. Also important is the need to test the overall structure in conjunction with the related processes.


For these tests, a variety of methods can be used depending on the issues involved, including:

  • Network scans of the IoT infrastructure
  • Penetration tests of the processing networks, the application infrastructure and the remote maintenance access points
  • Testing of the IT security elements such as firewalls, SIEM systems and authentication mechanisms
  • Penetration tests of web applications such as customer portals
  • Source code reviews of the IoT components and applications in use
  • Hardware reverse engineering of the IoT components
  • Organisational audits for compliance with the desired or required standard
  • Social engineering audits of the IoT system operators

In practice, applications are often an easy target for attackers. The majority of IoT applications rely on open source software, third-party components and software developed in house. In addition, they are often exposed, making the applications particularly vulnerable. An application test based on the OWASP IoT Top 10 vulnerability categories can be a useful tool for identifying vulnerable areas. Security testing can and should be carried out in every phase of IoT solution development. In this context it can be helpful to work with test automation. This can help you avoid new or recurrent errors as you continue to develop your application.

Our recommendations

To fulfil the specific security requirements of IoT projects, we would recommend an analysis based on realistic risk scenarios. These will help you to gain a better understanding to inform your security efforts and to create conditions of transparency and trust. In addition, you can use these scenarios later on for the modelling of threats during testing. This will build greater awareness in the project and help you to continually tackle vulnerabilities. To eradicate these, it’s also vital to design a stable, encrypted and authenticated update system.

The article appeared in the 2-2016 edition of EnergieRundschau magazine.