Internet-of-Things, a systemic risk technology. Here's why

02/08/21

Internet-of-Things (IoT) means all those technologies that enable the use of intelligent objects, i.e. sensors and actuators that, connected to the internet, can be programmed or used remotely through, for example, an app on a mobile phone or a program on the computer of an operations center. This is the case of sensors such as the cameras with which pets are monitored when their owners are away from home, the municipal speed camera that automatically transmits photos of number plates to the local police, or the pressure gauge of a nuclear reactor that sends an alarm to the control center; and, among actuators, it is the case of the intelligent relay that turns on the irrigation system of the home garden, the servomechanism that opens the doors of an automatic subway train, or the control system of the spillway gate valve of a dam overlooking a mountain village.

These intelligent objects will increasingly improve the quality of life of people, the effectiveness and profitability of industrial processes, the safety of nations. But it is a fact that today they introduce new risks, whose probability of occurrence is generally higher than the corresponding security risks to which computers, tablets and smartphones are subjected.

And the reason for this is simple: while governments, academia and the computer and software industry have many decades of information-technology cybersecurity research and development behind them, the manufacturers of smart objects and the developers of industrial control systems - whether newly developed devices or adapted versions of traditional models - do not have behind them the wealth of cyber-protection knowledge acquired and developed in the IT world.

Furthermore, the push to insert low-cost "intelligence", which results in the use of systems with reduced computational capacity and limited energy consumption (to avoid the use of high-capacity batteries), makes the solutions developed for servers, PCs and smartphones, objects for which there is no such cost barrier, unusable in many cases.

The result is that today IoT devices - unlike what happens systematically for the IT devices and software of supply-chain leaders - are generally not produced incorporating the cybersecurity features needed to help mitigate the related risks, nor are there broadly similar capabilities able to support users in the installation and operation phases.

And as a predisposing risk factor, consider also that these sensors and actuators, which are conceived as internet-ready, are often also plug & play: they connect to the network and start working without any preliminary installation and configuration activity, nor by their nature do they have the functionality - typical in the IT world - of locking the session after a period of inactivity. A very recent study has shown how, during the lockdown, in the silence of offices closed to the public, IoT devices continued to operate unsupervised, exposing corporate networks and facilities.

This gap must be bridged as soon as possible, and the scientific world is developing, together with industry and the control and regulatory agencies, a series of requirements and recommendations that - following the example of what is already in place in the IT sector - push to consider specific risk assumptions and aim to cover distinct areas of mitigation.

There are basically three risk assumptions to be taken into consideration. First of all, that intelligent objects will be increasingly exploited to conduct coordinated attacks with tangible effects, such as participation in DDoS attacks (Distributed Denial of Service: for the layman, an attack on a server aimed at "flooding" it to prevent it from delivering its service) against other organizations, the interception of network traffic, or the compromise of other devices on the same network segment. The event of 21 October 2016 serves as the example of all: following the creation of one of the largest botnets ever formed from IoT devices, i.e. a clandestine network of intelligent objects secretly controlled without the knowledge of their legitimate owners, DDoS attacks were launched against a DNS service (Domain Name System: for newcomers, it is a bit like the telephone directory or street directory that the Internet uses to associate numerical addresses with the names of websites or e-mail domains). This attack prevented users from accessing the largest web resources in the United States, including Twitter, Spotify and PayPal.

The other two assumptions concern the fact that IoT devices that contain data will be targeted by attacks on their CIA properties (Confidentiality, Integrity, Availability) to steal, compromise or make unavailable the information stored in them or transmitted by them; and that attacks on the Internet-of-Things can be launched to compromise the privacy of individuals.

Hence the need to ensure the physical protection of the devices, the logical security of the data and, in cases where personal data are processed, the protection of the right to privacy.

From this point of view, manufacturers will have to ensure technological control in five mitigation areas: maintaining an updated and timely inventory of all IoT devices and their relevant characteristics (Asset Management); identifying and mitigating known vulnerabilities in device software, for example by installing patches and modifying configuration settings (Vulnerability Management); preventing unauthorized and improper physical and logical access (Access Management); preventing access to and tampering with data saved in the device or in transit that could expose sensitive information or allow the manipulation or interruption of device operations (Data Protection); and finally the Incident Detection activities with which to monitor and analyze the activity of the IoT device to bring out indicators of compromise of devices and data.
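As an added illustration (not code from the article or its authors) of what the mitigation areas above look like in practice, and of the plug & play problem described earlier, the following Python script reconciles a device inventory against observed network flows. It exercises Asset Management (a MAC on the wire that the inventory does not explain), Vulnerability Management (firmware below a patched baseline), one Access Management angle (a device speaking from outside its allowed segment) and Incident Detection (one device fanning out to many hosts on a single port, the network-side shape of botnet participation). All devices, firmware baselines, addresses and flow records are constructed sample data; the thresholds and field layout are assumptions.

```python
"""Added example, not the article's own code: a small fleet check that exercises
the mitigation areas named in the text over constructed sample data. Every
device, firmware baseline and flow record below is made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Device:
    mac: str
    model: str
    firmware: tuple   # parsed version such as (2, 4, 1)
    segment: str      # network segment the device is allowed to live in


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1). Tuples compare numerically; strings do not ('2.10' < '2.9')."""
    return tuple(int(part) for part in text.strip().split("."))


# Asset Management: the inventory of devices we expect on the network (constructed).
INVENTORY = {
    "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "IPCam-200", parse_version("2.4.1"), "10.20.0.0/24"),
    "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "Relay-X", parse_version("1.0.3"), "10.20.1.0/24"),
    "aa:bb:cc:00:00:03": Device("aa:bb:cc:00:00:03", "Gauge-7", parse_version("3.1.0"), "10.20.2.0/24"),
}

# Vulnerability Management: lowest firmware per model in which known issues are fixed (constructed).
MIN_FIRMWARE = {
    "IPCam-200": parse_version("2.5.0"),
    "Relay-X": parse_version("1.0.3"),
    "Gauge-7": parse_version("3.0.0"),
}

# Incident Detection input: flow records as (mac, src_ip, dst_ip, dst_port), constructed.
# The camera reaches twelve different external hosts on the same port; the gauge
# shows up from an address outside its segment; one MAC is not in the inventory at all.
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.15", "203.0.113.%d" % (10 + i), 23) for i in range(12)
] + [
    ("aa:bb:cc:00:00:02", "10.20.1.20", "10.20.1.1", 443),
    ("aa:bb:cc:00:00:03", "10.20.5.9", "10.20.2.1", 8883),
    ("aa:bb:cc:00:00:99", "10.20.0.77", "10.20.0.1", 443),
]


def unknown_devices(flows, inventory):
    """Asset Management: MACs seen on the wire that no inventory record explains.
    Plug & play devices that were never formally installed show up here."""
    return sorted({mac for mac, *_ in flows if mac not in inventory})


def outdated_devices(inventory, min_firmware):
    """Vulnerability Management: devices whose firmware is below the patched baseline.
    A model with no baseline is not flagged; treat that as an inventory gap to fill."""
    return sorted(mac for mac, dev in inventory.items()
                  if dev.model in min_firmware and dev.firmware < min_firmware[dev.model])


def off_segment_devices(flows, inventory):
    """Access Management: an inventoried device talking from outside its allowed segment."""
    hits = set()
    for mac, src_ip, *_ in flows:
        dev = inventory.get(mac)
        if dev and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(dev.segment):
            hits.add(mac)
    return sorted(hits)


def fan_out_indicators(flows, threshold=10):
    """Incident Detection: one device reaching many distinct hosts on one port.
    From the network side this fan-out is what a device recruited into a botnet
    looks like (scanning or flooding), whatever the malware on it."""
    targets = defaultdict(set)
    for mac, _, dst_ip, dst_port in flows:
        targets[(mac, dst_port)].add(dst_ip)
    return sorted((mac, port, len(hosts))
                  for (mac, port), hosts in targets.items() if len(hosts) >= threshold)


def run_checks(flows=FLOWS, inventory=INVENTORY, min_firmware=MIN_FIRMWARE):
    """Run every check and return the findings keyed by mitigation area."""
    return {
        "asset_unknown": unknown_devices(flows, inventory),
        "vuln_outdated": outdated_devices(inventory, min_firmware),
        "access_off_segment": off_segment_devices(flows, inventory),
        "incident_fan_out": fan_out_indicators(flows),
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(f"{area}: {findings}")
```

On the sample data the script reports the unregistered MAC, the camera running firmware below its baseline, the gauge speaking from the wrong segment and the camera's fan-out to twelve hosts on one port. In a real deployment the inventory would come from the asset register the article calls for, the flows from a switch or firewall export, and the fan-out threshold would be tuned per device class, since a device that legitimately talks to many peers (a gateway, for instance) needs a higher bar than a camera that should only ever reach its recorder.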

The question is very serious and far from secondary. So much so that the president of the United States signed a few days ago the "Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems", with which he launches the Presidential initiative for the cybersecurity of industrial control systems (OT). And it systemically involves all the supply-chain leaders of IoT technologies: manufacturers and installers will have to face it throughout the life cycle of the technology, starting from the research, development and pre-sales production phases, with the correct technical activities aimed at ensuring cybersecurity characteristics and functionalities. They will also have to continue with information and post-sales support activities in order to guarantee the necessary technical assistance to end users, also with reference to the use of cloud platforms, already offered today by IT supply-chain leaders, for the encryption of communications between intelligent objects.

Lastly, it should not be overlooked that all this will inevitably result in an increase in both production costs and the resources necessary to ensure operation, maintenance and quality of service: these recurring costs could make IoT devices no longer attractive in many contexts.

Orazio Danilo Russo, Giorgio Giacinto, Alessandro Rugolo

To learn more:

https://blog.osservatori.net/it_it/iot-sicurezza-privacy

https://www.akamai.com/it/it/multimedia/documents/white-paper/akamai-mirai-botnet-and-attacks-against-dns-servers-white-paper.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259B-draft.pdf

https://www.securityweek.com/life-lockdown-offices-are-empty-people-full-risky-iot-devices

https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/