That first article included a series of recommendations that should be standard elements of the planning, design and testing process for any IoT product, including:
- Making security planning a much earlier part of the product design process
- Performing formal threat modeling for every IoT device
- Factoring cloud infrastructure into the security strategy for every product and implementation
- Paying close attention to how firmware updates are designed and carried out in a secure way
- And conducting robust security testing before any IoT device is sent to market, including fuzz testing, penetration testing, and more.
In this follow-up article, I will do a deeper dive into the key steps you should take as you plan and perform threat modeling. I will also walk through best practices for selecting and working with third parties who have expertise in IoT security, since your team will likely have to bring in their help with certain aspects of the process.
Learn the Language of Threat Modeling
The security world is a lot like a foreign country. They speak a different language. They have their own customs. And navigating is an adventure because the rules of the road seem to be utterly different. But just like taking a trip overseas, knowing a bit of the language so you can be conversant is a huge advantage as you move forward with IoT security initiatives. As I mentioned in Part 1, you don’t need to be “fluent” in security. You don’t need to start a second career as a cyber-security expert on top of your current engineering and product development role. But a bit of homework will help prepare you for critical steps involving risk assessments, development of a security strategy, collaborating with third-party security firms, and more.
Cyber-security can be a rabbit hole, though, so the most important thing is to learn the basics – the equivalent of going to Italy and being able to order in a restaurant, ask where the bathroom is, and get to the train station. One of the best resources I have come across for that kind of introduction to the language of security is the Open Web Application Security Project (OWASP), an organization focused on improving the security of software. There are other great resources for becoming conversant in security, but I am partial to OWASP’s educational material, which not only teaches you the “language” but also gets you thinking ahead to your own security planning process because of the practical guidance it provides.

Another great set of resources is Microsoft’s Threat Modeling Tool, its STRIDE approach, and its “The Seven Properties of Highly Secure Devices” paper. As background, Microsoft published an article on threat modeling in 2006 titled “Uncover Security Design Flaws Using the STRIDE Approach,” and it has become a foundational methodology for helping professionals who are not security gurus apply best practices to build more secure products. STRIDE is an acronym for the types of threats to be considered when creating the threat model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. When following the STRIDE framework, each component of the IoT system, and each data flow between components, is examined for its susceptibility to each of these types of threats, and a mitigation is designed for every threat identified (or the residual risk is explicitly accepted and recorded).
Start Mapping out Your Security Strategy…Early
One of the ways that resources like OWASP and Microsoft’s Threat Modeling Tool are most helpful is in helping non-experts in security to begin mapping out a plan for how to conduct an effective risk assessment for a project and formulate mitigating actions with the right elements for the given project. This is particularly important for IoT projects because a wireless device out in the field has so much exposed attack surface. IoT devices aren’t always hidden behind layers of security like IT systems in a data center. They are often out in the open, physically reachable by anyone nearby, and they communicate over wireless links such as Wi-Fi, Bluetooth and LoRa. Each of those technologies has its own security mechanisms (pairing, link-layer encryption, key provisioning), but those mechanisms only protect the radio link, they depend on being configured correctly, and the radio itself can be observed or jammed from a distance. Wirelessly connected IoT devices therefore have more potential threats to assess and mitigate, both because of where they are located and because they use wireless technology.
For a threat modeling process to be thorough, it must include:
- A full accounting of every element of the IoT system, including not only the wireless sensor, but gateways, wireless protocols, cloud connectivity, databases, web interfaces, mobile applications and other elements
- A detailed outline of how the device will be used, given that the usage pattern and type of transmissions have a significant impact on what threats are most relevant
- Accurate assumptions about how the device will be designed, where it will be deployed, and other aspects of the implementation
- A survey of the current potential threats and flexibility to adapt to emerging threats over time
- Corresponding mitigation steps that can be taken to address the current threats and respond to future ones
- And metrics for tracking and measuring implementation of the recommended mitigation steps and ongoing security
Most importantly, this should all be done at the very beginning of a development timeline for a device. Too often, this security planning and threat modeling happens late in the development cycle, which is much less effective, and which causes delays. Starting early will help you complete projects faster, lower development costs and achieve stronger security.
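As an added illustration (not code from the original article), the following Python script applies the STRIDE-per-element rule from Microsoft’s threat modeling methodology to the kind of element inventory the list above calls for: external entities, processes, data stores and data flows are each exposed to a fixed subset of the six STRIDE categories, so enumerating the elements automatically produces the list of threats that each need a mitigation or an accepted-risk decision. The sample system, its element names and the mitigations attached to it are constructed for the example, and the `Element`, `threats_for` and `open_threats` names are this example’s own, not Microsoft’s.

```python
"""STRIDE-per-element enumeration for an IoT data-flow diagram.

Added example, not from the original article. Each element type of a
data-flow diagram is susceptible to a fixed subset of the six STRIDE
categories (Microsoft's STRIDE-per-element rule); listing the elements
therefore yields the threats that need a mitigation or an explicit
risk-acceptance decision. The sample system below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: threat letters that apply to each DFD element type.
# Repudiation is listed for data stores so that audit-log stores are not
# skipped (an assumption of this example); for stores without logs it is
# considered and then discarded.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

Row = Tuple[str, str, str]  # (element name, threat name, status)


@dataclass
class Element:
    name: str
    kind: str  # a key of APPLICABLE
    # threat letter -> mitigation already designed for it
    mitigations: Dict[str, str] = field(default_factory=dict)


def threats_for(element: Element) -> List[Row]:
    """Return one row per applicable STRIDE category for a single element."""
    if element.kind not in APPLICABLE:
        raise ValueError(f"unknown element kind: {element.kind!r}")
    rows = []
    for letter in APPLICABLE[element.kind]:
        status = element.mitigations.get(letter, "OPEN")
        rows.append((element.name, STRIDE[letter], status))
    return rows


def enumerate_threats(elements: List[Element]) -> List[Row]:
    """All (element, threat, status) rows for the whole system."""
    rows: List[Row] = []
    for element in elements:
        rows.extend(threats_for(element))
    return rows


def open_threats(elements: List[Element]) -> List[Row]:
    """Rows that still lack a mitigation: the backlog the metrics should track."""
    return [row for row in enumerate_threats(elements) if row[2] == "OPEN"]


# Constructed sample: sensor, wireless links, gateway, cloud API, database,
# and the people who use the system, i.e. the inventory the article asks for.
SAMPLE_SYSTEM = [
    Element("Field technician (mobile app user)", "external_entity"),
    Element("Sensor firmware", "process",
            {"T": "signed firmware, secure boot", "E": "tasks run with least privilege"}),
    Element("BLE link: sensor -> gateway", "data_flow",
            {"I": "LE Secure Connections encryption"}),
    Element("Gateway service", "process"),
    Element("MQTT link: gateway -> cloud", "data_flow", {"T": "TLS", "I": "TLS"}),
    Element("Cloud ingest API", "process", {"S": "mutual TLS with device certificates"}),
    Element("Telemetry database", "data_store", {"I": "encryption at rest"}),
]

if __name__ == "__main__":
    for name, threat, status in enumerate_threats(SAMPLE_SYSTEM):
        print(f"{status:<34} {name:<36} {threat}")
    print(f"{len(open_threats(SAMPLE_SYSTEM))} threats still open")
```

Running it prints one row per (element, threat) pair, showing either OPEN or the mitigation already recorded; the count of OPEN rows is the backlog that the metrics item above is meant to track, and re-running it as elements are added or mitigations are designed keeps the model current over the life of the product.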
Include These Must-Haves in Your Threat Modeling Checklist
There isn’t a one-size-fits-all security strategy for every IoT device because the sensors vary so much from device to device and from one use case to another. In addition, the required security level of the overall system varies depending upon how much risk the stakeholders are willing to accept. But there are must-have elements that should form the core of your threat modeling process, including:
- Creating a comprehensive architecture diagram of your device and the IoT network, including data flows within and outside of the system, data classifications (e.g. restricted to only certain internal users, private but open more broadly to internal users, or completely public), and risk levels (e.g. extreme, high, moderate, none). All data should be systematically categorized to ensure that appropriate data protection is employed, whether it is data-in-transit, or data-at-rest.
- Turning off unused or non-essential services that may be running on the platform (e.g. HTTP, FTP, SSH) and removing temporary debug code before the production build
- Ensuring that there can be periodic verification of the software running on the device (including running services and open ports)
- Employing an automated method of obtaining and installing software updates
- Implementing a chain of trust that starts with a hardware root at boot and verifies the signature of each stage (bootloader, firmware, application) before executing it, i.e. secure boot combined with code signing
That is a starter list of critical items that should be on your checklist, and organizations like OWASP also have great resources that outline must-have elements that elaborate on these recommendations while also offering other suggestions.
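To make the “turn off unused services” and “periodic verification” items concrete, here is an added Python example (not from the original article or from Laird) that audits the listening TCP sockets on an embedded Linux device against the product’s expected-service list. It parses the kernel’s /proc/net/tcp and /proc/net/tcp6 tables directly, so it runs on the device with no extra packages. The sample tables, the expected-service dictionary and the function names are constructed for the example; it assumes a little-endian host when decoding the kernel’s hex address fields.

```python
"""Audit a device's listening TCP ports against the product's expected services.

Added example, not from the original article. It parses the Linux
/proc/net/tcp and /proc/net/tcp6 tables (same column layout; IPv6
addresses are 32 hex digits) and reports every LISTEN socket that is
not on the expected-service list, noting whether it is reachable from
the network or only from loopback. The sample tables below are
constructed; on a real device read the two files instead.
"""
import socket
import struct
from typing import Dict, List, NamedTuple

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int


class Finding(NamedTuple):
    addr: str
    port: int
    uid: int
    severity: str  # "high" = reachable from the network, "medium" = loopback only


def decode_addr(hex_addr: str) -> str:
    """Turn the kernel's hex address field into text.
    IPv4 is one 32-bit word, IPv6 four 32-bit words, each in host byte
    order. Assumption: little-endian host (x86 and ARM Linux defaults)."""
    raw = bytes.fromhex(hex_addr)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    if len(raw) == 16:
        words = struct.unpack("<4I", raw)
        return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    raise ValueError(f"unexpected address field: {hex_addr}")


def parse_listeners(table: str) -> List[Listener]:
    """Return LISTEN sockets from the text of /proc/net/tcp or /proc/net/tcp6."""
    listeners = []
    for line in table.splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        local, state, uid = cols[1], cols[3], int(cols[7])
        if state != TCP_LISTEN:
            continue  # established/time-wait rows are connections, not services
        hex_addr, hex_port = local.rsplit(":", 1)
        listeners.append(Listener(decode_addr(hex_addr), int(hex_port, 16), uid))
    return listeners


def audit(tables: List[str], expected: Dict[int, str]) -> List[Finding]:
    """Flag listeners whose port is not in `expected` (port -> service name)."""
    findings = []
    for table in tables:
        for l in parse_listeners(table):
            if l.port in expected:
                continue
            loopback = l.addr in ("127.0.0.1", "::1")
            findings.append(Finding(l.addr, l.port, l.uid, "medium" if loopback else "high"))
    return findings


# Constructed sample: a gateway with a local MQTT broker (expected) plus SSH,
# telnet and a loopback-only debug HTTP server left over from development.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:22B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11230 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11234 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11240 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11901 1 0000000000000000 100 0 0 10 0
   4: 0A00010A:22B3 0B00010A:C2F4 01 00000000:00000000 00:00000000 00000000     0        0 12007 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11235 1 0000000000000000 100 0 0 10 0
"""

# The production image is expected to expose exactly one service (constructed).
EXPECTED_SERVICES = {8883: "MQTT over TLS (local broker)"}

if __name__ == "__main__":
    for f in audit([SAMPLE_TCP, SAMPLE_TCP6], EXPECTED_SERVICES):
        print(f"{f.severity:<6} {f.addr}:{f.port} uid={f.uid}")
```

A listener bound to 0.0.0.0 or :: is reachable from the network, while one bound to loopback can only be reached by a process already on the device, so the two are reported with different severity; the established connection on port 8883 is ignored because only listening sockets represent services. Scheduling this check from a periodic task on the device and reporting the findings to the cloud back end turns the checklist item into a measurable control rather than a one-time pre-release inspection.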
Get the Right Help from Third-Party Security Companies
Each of the steps above is intended not only to kickstart your threat modeling strategy but also to give your team a rapid education in the most important aspects of cyber-security for IoT devices. But the reality is that you cannot do this alone. You need the help of people who specialize in cyber-security, and unless you work at the rare company that has an in-house security team with the bandwidth to help the engineering department, you will need to select an outside firm to collaborate with.
Selecting the right security firm is challenging, but you can do it if you look for the right things:
- First and foremost, you want to pick a firm that has experience with IoT projects, including not just final testing, but also consulting on design, development, production, maintenance and decommissioning. Simply put, they should know the security implications at every point over the entire life cycle of an IoT project.
- You will want to look closely at the experience of the team members who would work with you, examining whether they collectively have the skill sets to address everything from embedded hardware and software to cloud architecture. IoT implementations have a lot of elements and therefore a large attack surface, and the security firm’s team should have skills that map to all aspects up and down the stack of your IoT ecosystem.
- Check if they are active in the industry because security trends move quickly. Companies that are actively speaking at conferences, publishing papers, posting best practices on social media, and being a thought leader are all good signs that the firm is at the forefront of the field rather than a step or two or ten behind.
- Ask for implementation experiences and even sample reports that speak directly to their experience working on IoT projects that are like your own.
- And ask for them to discuss in detail what they would need from your team to be successful. Good security firms will have very clear expectations about what you need to do to help them be successful, including access, cross-departmental collaboration with their team, and the ability for them to have a seat at the table at the very beginning of the project and throughout the development cycle.
Dedicated hackers can circumvent many security protection measures, so there is no perfect security solution. However, organizations that can effectively threat model their own solutions will be better positioned to understand their risk position and to make better-informed decisions about their cyber-security initiatives and objectives.
Chris Cole is the Vice President of Technology for Laird’s Connectivity division, which provides a full range of modules and engineering services that simplify the process of using wireless technology. Laird is a global leader in wireless technologies, embedded, pre-certified wireless modules and design services that are making the next generation of connected smart products possible. As VP of Technology, Chris is responsible for overseeing development of many of Laird’s most important IoT solutions initiatives. He has more than 30 years of experience in software development, wireless technologies and microelectronics. To contact him, email [email protected].