Architectural Design Considerations for Security in IoT Solutions
This is one of my dissertations for the MS in Cybersecurity Risk and Strategy course, from which I graduated. I highly recommend the course for anyone seeking to expand their skills and knowledge in the field of Cybersecurity.
a) Abstract
Internet of Things (IoT) solutions are constantly evolving and security vulnerabilities are inherent. Exploitation of IoT security vulnerabilities has resulted in major IoT cyber-attacks, including the Mirai Botnet attack on Dyn and the Stuxnet attack on Iranian uranium enrichment plants. Cyber-attacks on IoT solutions can result in major inconveniences, economic disaster and even bodily harm. Security best practices and enhancements can reduce the risk of cyber-attacks on IoT solutions to a minimum.
b) IoT Solution Definition
IoT solutions provide both convenience and productivity for society. IoT solutions comprise a large number of interconnected hardware devices sharing data. These devices consist of sensors, smart devices, actuators and appliances. Connectivity and data transfer occur over both trusted Intranet and public Internet infrastructure.
c) Threat Analysis
The following threats to IoT solutions have associated mitigation strategies.
1. Ransomware and Malware attack
Malware renders the operating environments unusable. A business continuity strategy, with scheduled vulnerability scanning, backups of the operating environment filesystem and device firmware updates, helps to mitigate the risk of such attacks.
2. DoS (Denial of Service) attack
A DoS attack is a cyber-attack that overwhelms IoT solutions with huge amounts of traffic, in order to render all functionality useless. Firewalls and API security play crucial roles in safeguarding against this attack.
3. IP Spoofing
Manipulation of IP packets bound for an IoT solution can lead to system compromise. User identity management, payload security and connection security help to reduce the risk of such an attack.
4. Data and Identity theft
As a follow-on activity after a Malware attack or IP spoofing, IoT data and user identity can be stolen from the system, resulting in economic losses. Among a few security measures, a key one is a modular approach to architectural design, which can help to shut down compromised modules to limit the progress of the attack.
5. Man In The Middle attack
Impersonation and eavesdropping by cyber-attackers on IoT message exchanges can lead to system compromise. Multiple security measures including cloud services security, user authentication and identity management can prevent such an attack from occurring.
d) Security Best Practices and Enhancements
The following security best practices can be incorporated into IoT solution design, to address and mitigate the risk of cyber-attacks.
1. “Security By Design” architectural approach
Adopt a “Security By Design” approach to solution design, by catering for security in the architecture.
Start by identifying critical zones, connection points and routes that require immediate isolation upon a cyber-attack occurring.
This leads to the design of the DMZ (demilitarized or bastion zone), which can be separated by firewalls from trusted zone(s). During a cyber-attack, device-to-gateway connections can be blocked to prevent spread of malware infection and inhibit attacker progress.
A modular, layered approach to architectural design allows for separation of concerns, catering for high availability during cyber-attacks. The following diagram shows an IoT solution architecture involving multiple layers.
Diagram 1: IoT solution architecture — based on “Security By Design” approach
2. Modular architecture
Modularity is a design concept for assuring high availability at each part of the solution. Every module is security hardened and has a backup instance to replace it, should the primary instance be compromised.
3. Payload security
Securing in-flight IoT data prevents injection of malware into data payloads and tampering with their IP information. A VPN (Virtual Private Network) implementation encrypts such data while supporting its transfer over various IoT messaging protocols, like XMPP, DDS, CoAP, MQTT and AMQP.
All client connections to message queues on the IoT gateway have to be secured by TLS and user authenticated. Endpoint security with activation of TLS connectivity encrypts the payload.
Edge processing is the processing of data at the network boundary, and it can reduce the volume of sensitive IoT data that is sent over the network. With less sensitive data sent, the risk exposure during cyber-attacks is reduced.
4. Cloud services security
Back end services of IoT solutions are gradually becoming cloud-based. Examples of such services include analytics, management and logging. Such services are computing-power intensive and are also susceptible to failure due to power, network or server outages.
Therefore, they are suitable candidates for containerization, which means hosting these services in virtual machines known as containers. A popular container platform technology called Kubernetes can be adopted to form the Platform As A Service (PaaS) environment, which hosts a great population of container-based services.
Containers enable the back end services to be secured, as the container interface serves as an additional proxy layer on top of these services. This abstraction of services helps to hide the technical vulnerabilities that could be compromised in an attack. In addition, the container platform provides the resource and security management capabilities that restart a back end service in container format in the event of a process death, and it also provides timely notifications to administrators on the temporary service outage. The container platform serves as a central management system for all IoT solution back end services.
5. Connection security
An IoT device gateway manages and monitors data transfers, providing a layer of abstraction, aggregation as well as security. The design of an architecture must include a DMZ where the IoT device gateways reside.
Communication to IoT devices made through the Internet can only be made through a proxy, like the device gateways. Direct communication is not allowed for security reasons, and the gateways serve to filter and authenticate the content bound for the devices, to prevent harmful attack code or malware from reaching them.
All connections made end-to-end in the IoT solution use case should be encrypted using TLS, and all user-initiated connections have to be authenticated using Multi-Factor Authentication.
6. API security
Functionality of software components that form the IoT solutions can be integrated using web services.
A good example of this is Eclipse Kura, which is an open-source IoT gateway platform built on Java. It exposes business operations functionality through open-standards API (Application Programming Interface) and devices invoke SOAP or REST protocol calls to web services. The APIs are publicly documented and secured access is optional.
Implementation of authentication and authorization policies helps to secure APIs. A popular user authentication mechanism for web services (called OAuth) involves the use of security access tokens (SAML) that are obtained from a separate token-issuer as part of the user login process. With each web service request made to an API, the payload must contain such a token, passed as a parameter in the HTTP operation, in order for the web service client to connect to the API successfully.
To facilitate the high volume of API calls, an API Management platform and gateway should be adopted as part of the IoT solution. This platform provides traffic analysis, filtering, throttling and metering, as well as management of privileged user access to specific API operations. Routes between clients and web services that provide API access can be set up and monitored in real-time.
The API gateway component enforces security policies to recognize and stop DoS attacks targeting the API services of the IoT solution.
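The per-request token check and the gateway throttling described in this section, combined in one added example (not code from Eclipse Kura or any API management product). The HMAC-signed token format, `ISSUER_KEY` and the `Gateway` class are assumptions standing in for a real token issuer and gateway.

```python
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # assumption: key held by issuer and gateway

def issue_token(client_id, expires_at, key=ISSUER_KEY):
    """Stand-in for the separate token issuer: body.signature."""
    claims = json.dumps({"sub": client_id, "exp": expires_at}).encode()
    body = base64.urlsafe_b64encode(claims)
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def validate_token(token, now, key=ISSUER_KEY):
    """Return the client id if signature and expiry check out, else None."""
    try:
        body, sig = token.encode().split(b".")
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None  # missing, malformed or undecodable token
    return claims.get("sub") if claims.get("exp", 0) > now else None

class Gateway:
    """Rejects unauthenticated calls, then throttles each client (token bucket)."""
    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # client id -> (remaining tokens, last request time)

    def admit(self, token, now):
        """Return 401 (no valid token), 429 (throttled) or 200 (forward)."""
        client = validate_token(token, now)
        if client is None:
            return 401
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[client] = (tokens, now)
            return 429
        self.buckets[client] = (tokens - 1, now)
        return 200
```

Authentication runs before the bucket lookup, so requests without a valid token are rejected without creating per-client state.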
7. Operating environment security
The choice of operating systems for IoT device gateways and back end services should be Linux, which is bundled with a security mechanism like SELinux. Administrators can use SELinux to set and enforce mandatory role-based access controls on system and application processes. These processes must be granted the appropriate access rights in order to manipulate objects in the operating system environment, for instance: sockets, threads and files.
SELinux enforces policies that either allow or deny the execution of application services, preventing malware from running in the environment. The configuration files for the IoT solution can be secured through Linux filesystem encryption (using the dm-crypt tool), which prevents unauthorized access. Administrators must create policies that govern the download, import and export of code packages and software patches, in order to prevent malicious attack code from entering the operating environment.
Regular backups of the operating environment filesystem and its contents, as part of a business continuity plan, will allow recovery of these assets after a cyber-attack.
8. IoT device security
IoT devices can be secured using chip-based authentication, where user credentials are stored on a chip called a Trusted Platform Module (TPM). Having credentials stored locally on a TPM safeguards against theft of user identity, which could otherwise compromise the use of the IoT device.
9. Firewall security
Firewalls have to be set up to separate the various zones defined in the architecture. All ports in the firewalls are closed, with the exception of a small group of ports used by devices, cloud-based back end services and gateways. Ingress and egress filtering should be activated to filter the authorized traffic.
10. Password security
All passwords used in the IoT solution must be hashed using the SHA256 algorithm, with a salt that is at least 32 bits long. In addition, the strength of the passwords has to be checked with an algorithm, which mandates that each password contain a mixture of symbols and alphanumeric characters, and no keywords or names.
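An added example of the two checks above (not part of the original dissertation): a strength check followed by salted hashing. It swaps in PBKDF2-HMAC-SHA256, an iterated construction built on SHA256, in place of a single SHA256 pass; the iteration count, minimum length and `BANNED_WORDS` list are assumptions.

```python
import hashlib
import hmac
import re
import secrets

SALT_BYTES = 16        # 128 bits, above the 32-bit minimum stated above
ITERATIONS = 600_000   # assumed PBKDF2 work factor
# Constructed deny-list standing in for the "no keywords or names" rule.
BANNED_WORDS = {"password", "admin", "gateway", "kura", "alice"}

def check_strength(password, min_length=12):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:  # minimum length is an assumption
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(word in lowered for word in BANNED_WORDS):
        problems.append("contains keyword or name")
    return problems

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each new password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)
```

Store the salt next to the digest; it is not secret, but it must be unique per password so identical passwords do not produce identical hashes.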
11. Vulnerability scanners and intrusion detection systems (IDS)
Software vulnerability scanners that perform rootkit malware detection of firmware in IoT devices should be used, and regular scans should be scheduled. These scans detect any vulnerabilities due to malware infections, which can affect IoT device firmware. Custom developed software must be regularly scanned for vulnerabilities (like susceptibility to SQL injections and user session hijacking) using code assurance software.
Intrusion detection systems (IDS) should be installed to safeguard against unauthorized access through the various access points to the IoT solution, including hardware devices, cloud-based back end services and administrative consoles. Upon detection of a cyber-attack, the IDS will send notifications to system administrators for intervention.
12. Logging and auditing
Real-time monitoring and management of IoT data flows help in flagging suspicious payloads. Audit and logging of IoT data traffic should be done in real-time on the IoT gateway, devices and container platform. Trigger notifications of security incidents are delivered to system administrators for their intervention.
13. User identity and authentication
All user authentication processes should involve the use of a Multi-Factor Authentication (MFA) tool or token, which adds an additional element of security to the login process. User access to administrative consoles and analytical dashboards that monitor the data logs of the IoT solution is best secured using MFA. SSL digital certificates should be used in the identification and authentication of users in order to mitigate the risk of Man-In-The-Middle attacks.
14. Patch updates
Firmware vulnerabilities can exist in any IoT solution, and are especially evident when the remote device firmware update process is unsecured and open to tampering by cyber-attackers. Device firmware updates should be secured whether performed locally or remotely. The network traffic for remote updates should be encrypted using TLS, and the update initiation task has to be authenticated using MFA. Likewise, patch updates for IoT device gateways as well as back end services have to be secured.
15. Implementation frameworks
Adoption of Open Source community-supported frameworks for IoT, like Eclipse Kapua and Eclipse Kura, can help to provide the latest security support in an IoT solution. With bug-fixes, updates and support provided through the Open Source community, any new security issue that emerges will be addressed swiftly by technology experts situated globally.
When developing custom software as part of an IoT solution, practice DevSecOps methodology and the techniques detailed in the Open Web Application Security Project (OWASP). Such a development process will reduce the number of security vulnerabilities produced in a build project.
e) Summary
Security should be a priority design factor for IoT solution architectures. Adopting a multi-layered design in the solution addresses various types of threat factors, significantly reducing the risk of cyber-attack on the solution.