whitepaper
Industrial IoT security: What you need to know
The Internet of Things (IoT) describes the ecosystem of online connected devices changing our world, from the home to the hospital to the manufacturing floor. The Global mobile Suppliers Association (GSA) estimates that there will be nearly 35 billion connected devices by 2027—compound annual growth of over 20%, or more than 136 devices per second [1].
Keeping those devices and the associated data secure is critical to the deployment of any IoT solution.
The more connected, the less secure
The industrial IoT (IIoT) has revolutionized the way businesses operate, turning static devices into smart, connected products. By connecting assets, which can include hundreds or thousands of sensors, and enabling them to share data, IIoT has the potential to increase productivity, enhance data collection and analysis, and improve operational efficiency and safety. At the same time, it delivers a seamless and personalized customer experience by allowing enterprises to differentiate their products and services from other IoT offerings in the marketplace.
As part of an IIoT ecosystem, devices and sensors are connected to applications hosted along the edge-to-cloud continuum, interfacing with both internal and third-party solutions. This significantly increases the attack surface. IoT malware attacks increased 400% in the first half of 2023 compared to 2022, for example, and manufacturing alone faces around 6,000 attacks per week [2].
This is an enormous challenge for the makers of all types of equipment, from medical devices to precision industrial tools. Creating a robust end-to-end security approach for these distributed systems depends on partners and customers working in harmony, with each responsible for the physical and virtual security of their part of the solution.
Safeguard connected devices
IoT threats are growing and becoming more sophisticated. Zero-day vulnerabilities and malware are now available for malicious actors to purchase on the dark web at prices starting from as little as $10 [3].
As connected devices evolve, so will the number of ways bad actors can exploit them. Without strong security, your organization is vulnerable to attacks and data breaches that can expose sensitive information and allow it to be exploited.
This paper will help answer the critical questions you need to ask to define a robust IoT security strategy:
- How to ensure security alignment with business outcomes.
- How to keep your data safe in the cloud, on-premises, and at the edge.
- How to build IIoT solutions from the beginning with security in mind.
Securing IoT devices requires a mindset shift
Every potential IoT partner, whether they provide edge devices, integration services, or an IoT platform, has to take security seriously. The key differentiators are how they integrate with, and support, your existing security infrastructure, and how they meet your specific security requirements. Too often in the purchasing process, security becomes a tick list of standards. This is not to say that standards are not important: they set the bar and enable you to make a rapid assessment at a high level. However, there also needs to be a focus on what you want to achieve with your security strategy.
First, remember that cybersecurity is a joint commitment across the entire ecosystem. Your security is only as strong as the weakest link.
To develop a solid security strategy, you need multilayered protection from the edge to the cloud, covering your IoT devices, their connections, and their data.
Building robust defenses
To build a robust security system, while still allowing the solution to do what it needs to, there are a number of areas you need to consider, namely:
- Address the physical security of the device as the first line of defense. This is often forgotten and can result in credentials being stolen, providing unfettered access to your IIoT solution.
- Be aware of the security capabilities of each device and revisit them regularly. Knowing which devices can be updated to take advantage of the latest security improvements, and which cannot, sets the boundaries of what can be achieved. For instance, consider placing devices that can only use out-of-date ciphers or TLS versions in a separate tenant so that a weak link cannot reach the rest of the solution.
- Evaluate your authentication and authorization processes to ensure users can only access the applications and data necessary for their roles. A good way of creating a centralized authentication and authorization approach, while minimizing the impact on administrators and users alike, is Single Sign-On (SSO). SSO lets you manage users centrally and, when coupled with Role-Based Access Control (RBAC), provides a high degree of flexibility.
- Understand how you secure the networks, including at the edge, and how the constant data flow is secured. Look at how you are securing applications along the edge-to-cloud continuum. Wherever possible, ensure the applications are only available to authenticated users and that accounts with elevated rights and wide-ranging access are not accessible from the internet.
Questions for your ecosystem partners
As the number of devices in a deployment scales upwards and the volume of data grows exponentially, the complexity of maintaining security in IoT grows with it.
When you are working with a partner, whether they provide a Device Management platform, analytics applications, or cloud storage, you are relying on somebody else to provide security capabilities.
Given this dependence upon others for end-to-end security, what can you do as an individual or an organization to help ensure you are getting the best possible security while simultaneously addressing business outcomes?
Consider the following:
Device Connectivity
As previously stated, devices can be one of the weaker points in the end-to-end security approach. A good way of reducing the attack surface of the device connection is to ensure that it is the device that initiates the connection to the cloud. A device that only makes outbound connections exposes no listening service, so a bad actor has far less to discover and probe. Outbound-only connectivity does not remove the need for the device to authenticate itself and to verify the server it is talking to; it just takes the inbound path off the table.
Device Updates
Be aware of the security capability of the devices you use. Over time, you will end up with a mixture of old and new, so understanding if and how your devices can be updated is paramount. Remote software and/or firmware updates are pivotal to managing the device’s security and overarching IoT solution.
Platform Security
The first thing to mention here is always to change default passwords, even if you do not believe you are using them, as these are an open door into your system. You also need to make sure that you understand the default configuration of the security settings and what can and cannot be changed at the device, tenant, or solution level. Understanding this provides the information you need to create an end-to-end security configuration that secures your solution whilst supporting your business needs.
Identity Access Management
If your organization has invested in centralizing security administration with an Identity and Access Management (IAM) system and/or a Public Key Infrastructure (PKI), you will want your IoT solution to integrate with them as well. This saves time figuring out how to manage your users and devices and ensures that your IoT solution complies with your corporate standards. The IoT solution should provide role-based access control that can be configured in conjunction with your IAM, allowing you to combine centralized authentication with the IoT solution's authorization capabilities.
Taking note of standards
Several high-level standards, such as ISO 27001, ISO 27017, ISO 27018, and SOC 2, govern how an IoT platform is run. There are also sector- or regulator-specific requirements such as HIPAA and the DoD STIGs. It is highly unlikely you will find a platform that provides all the standards you need, so look for a platform that supports the generic standards with the flexibility to support the industry-vertical compliance you need.
APIs and Microservices
All IoT platforms will allow you to extend and enhance the user interface so you can provide your own unique value-add for your users, specific to your industry. This is where your responsibilities are greatest. Whether you build a web interface or deploy your own microservices, you must ensure that every API call is authorized for the caller's role and that the APIs are used as intended, or you will run into issues down the road, such as privilege escalation. These interfaces and microservices also need to be revisited regularly to ensure they pick up the latest updates: software libraries are constantly updated to mitigate the latest threats, and an unpatched dependency in your own code is as much of a risk as one in the platform.
Cumulocity platform: Created with security baked in
Security has been at the epicenter of the Cumulocity architecture since 2010, when it was designed to meet carrier-grade requirements based on Nokia’s security hardening guidelines. It has continued to be pivotal to our developments.
Our commitment to security is validated and independently audited annually by external security experts. Many of our customers are in highly regulated industries, including Deutsche Telekom AG, Utonomy Ltd., and AiFlux Limited, and demand the highest level of IoT security.
Our customers have gained STIG and HIPAA compliance using Cumulocity solutions. They have met such disparate mandatory security requirements thanks to the flexibility of Cumulocity's layered authentication, authorization, and configuration capabilities.
Support device security
The most recent addition to the Cumulocity family is the ThinEdge, an open-source, cloud-agnostic framework designed for resource-constrained edge devices.
From a security perspective, the ThinEdge framework provides device-side lifecycle handling and management of X.509 certificates. This makes it much easier for the device to follow best practice for secure device authentication: each device presents its own certificate rather than a shared or default credential.
There is no direct access to the internal code and functions of Cumulocity. All interactions occur through a set of secure public-facing APIs, which expose every platform function in a way that can be used with your applications or devices.
Compliance Standards
Our Cloud Information Security Management System has attained SOC 2, ISO 27001, ISO 27017, and ISO 27018 Information Security Management certifications.
This certifies that our software development processes and management controls are sound and support the development of secure products. Cumulocity continuously invests in achieving new standards relevant to our sector.
All data is transported using TLS, with versions 1.1 through 1.3 supported, meaning that devices of all ages can connect to the platform using the strongest protocol version and cipher they support. Note that TLS 1.0 and 1.1 have been formally deprecated (RFC 8996); where your fleet allows, restrict devices to TLS 1.2 and above and isolate any that cannot, as discussed earlier. The platform has been graded A+, the highest possible, by respected security firm SSL Labs; such grades reflect the configuration at the time of the test, so re-check the endpoints you actually use.
Security throughout the product lifecycle
Our mantra is one of continuous enhancement: the IoT platform is continually improved, and every stage of the software development lifecycle is required to meet the highest security standards:
- Everything we do related to security is driven by a security program based on the OpenSAMM (Open Software Assurance Maturity Model) framework. This model allows us to define and measure all security-related activities for the development, verification, and deployment stages of Cumulocity. This ensures good governance and continuous improvement.
- We strongly support security policies and technical standards for our product security compliance that align with SaaS best practices.
- We work closely with security researchers and third-party vendors to understand emerging threats. Our experts are trained to ensure these threats can be mitigated. The same parties also independently test Cumulocity.
Our robust approach means Cumulocity supports the security standards and protocols needed for secure communication with its APIs and for protecting data at rest and in transit. Our platform integrates with a range of security frameworks, which means it can conform to the standards, roles, and access privileges already defined in your organization.
Maintaining the security of Cumulocity
Cumulocity is designed for highly secure IoT solutions without compromising performance in live production environments, where operation areas such as device management, storage, and data ingestion could be severely impacted by poor security.
The security framework in Cumulocity allows enterprises to extend their solution, either through configuration or solution-specific code, in order to meet the security, governance, and regulatory requirements of their markets (for example, STIG, HIPAA, PCI DSS, critical-infrastructure standards such as NERC CIP, and NIST frameworks).
The flexibility of the security in Cumulocity makes implementing the stringent controls straightforward.
Native multi-tenancy
Cumulocity has native multi-tenancy, meaning a single instance of Cumulocity can securely serve multiple enterprise customers without compromising any data.
We achieve this by segregating data on at least two levels. The inbuilt multi-tenancy isolates each tenant's data from every other tenant; within a tenant, role-based access controls segregate data further. For example, an industrial machine manufacturer has its data fully isolated from its competitors and can in turn keep the factories that use its machines for different customers completely separated from one another.
All data on Cumulocity is isolated and protected, ensuring the privacy of all tenants and their customers.
Physical security
In IoT solutions, physical security concerns unauthorized physical access to IoT devices in order to redirect or manipulate data, read credentials, or change a device's configuration.
We work with customers to provide best practices and guidance on protecting devices. The Cumulocity architecture can also monitor and report security incidents and support the response, for example by deactivating devices that have been tampered with.
Our cloud hosting partners also ensure servers, storage, and network devices are physically secure.
Network security
Data in transit stays confidential and cannot be tampered with: Cumulocity implements HTTPS end to end, from devices to applications, and data is transmitted using the strongest ciphers your devices can support, up to TLS 1.3. The platform's TLS configuration has been independently rated A+ by SSL Labs.
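The device side of what the Device Connectivity and Network security sections describe (the device initiates an outbound TLS connection, verifies the server, presents its own certificate, and the fleet is triaged by the TLS version each device can reach) can be written down as a small policy module. The following is an added example using only the Python standard library; it is not code from the whitepaper or from Cumulocity or ThinEdge, and the host name, port, certificate paths and device inventory are constructed for illustration.

```python
"""Outbound-only device TLS policy.

Added illustration, not Cumulocity/ThinEdge code. Builds the client-side
TLS context a device should use when it dials out to the platform, a helper
that performs that outbound handshake, and a fleet triage that places
devices stuck on deprecated TLS versions into a separate 'legacy' bucket
so they can be isolated in their own tenant. All names are constructed.
"""
import socket
import ssl
from typing import Dict, Optional, Tuple

# Constructed example values; a real device would take these from its config.
PLATFORM_HOST = "iot.example.invalid"
PLATFORM_PORT = 8883  # MQTT over TLS, a common choice for device links


def make_device_tls_context(ca_bundle: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verify the server, refuse deprecated protocol versions,
    and (optionally) present the device's own X.509 certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are deprecated (RFC 8996)
    ctx.check_hostname = True                       # name in the cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED             # never talk to an unverified server
    if client_cert:
        # Per-device certificate for mutual TLS instead of a shared password.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Readable summary of the settings that matter, for tests and audits."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def connect_outbound(host: str, port: int, ctx: ssl.SSLContext,
                     timeout: float = 10.0) -> Tuple[str, str]:
    """The device dials the platform; nothing listens on the device.
    Returns (negotiated TLS version, cipher). Needs network; not run in tests."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        return tls.version(), tls.cipher()[0]
    finally:
        tls.close()


# Fleet triage: map each device's best TLS version to a placement decision.
MODERN = {"TLSv1.2", "TLSv1.3"}
DEPRECATED = {"TLSv1", "TLSv1.1"}


def classify_device(best_tls_version: str) -> str:
    if best_tls_version in MODERN:
        return "standard"       # may share the main tenant
    if best_tls_version in DEPRECATED:
        return "legacy-isolate"  # separate tenant, no shared resources, update plan required
    return "deny"                # SSLv3 or unknown: do not onboard


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, list]:
    """Group device ids by placement decision so each bucket can be handled."""
    buckets: Dict[str, list] = {"standard": [], "legacy-isolate": [], "deny": []}
    for device_id, version in sorted(inventory.items()):
        buckets[classify_device(version)].append(device_id)
    return buckets


if __name__ == "__main__":
    # Constructed inventory: device id -> highest TLS version its stack supports.
    fleet = {"plc-01": "TLSv1.3", "gw-legacy-7": "TLSv1.1",
             "sensor-22": "TLSv1.2", "old-hmi": "SSLv3"}
    print(context_policy(make_device_tls_context()))
    print(triage_fleet(fleet))
```

The context is built once and reused for every outbound dial; the `legacy-isolate` bucket is the practical form of the tenant-separation advice given earlier, and the `deny` bucket keeps devices that cannot reach even TLS 1.1 off the platform entirely.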
Cumulocity is designed not to require specific ports or services from your infrastructure to be exposed to the public Internet, which can be a severe security risk. Additionally, all communication with Cumulocity requires individual authentication and authorization, whether a device, application, or user.
Application security
Cumulocity follows standard practices for application-level hardening, such as ensuring that only patched, up-to-date operating systems and web servers are in use.
All Cumulocity functionality is implemented with the same set of publicly documented, stateless REST APIs. Because there are no server-side sessions, the classic session-hijacking techniques have nothing to target; the credentials or tokens sent with each request must still be protected, which is one reason TLS is mandatory on every connection.
Cumulocity does not use a SQL database for IoT data storage and is not built on a scripting language, which removes SQL injection as a class of attack against the platform. The storage choice does not rule out other injection classes (for example, query-operator injection against document-style stores or command injection in custom microservices), so input validation is still required in the code you add on top of the platform.
Devices are treated like any client application connecting to the platform via HTTP or MQTT secured by TLS, which blocks the common attacks on unauthenticated or plaintext device links. Devices are individually connected and authenticated through Cumulocity's device registration feature. If a device is stolen or tampered with, it can be quickly and easily disconnected from Cumulocity.
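To make the caveat about injection concrete: the absence of SQL does not by itself stop an attacker from smuggling query semantics through user input. The following is an added, generic illustration and is not a description of Cumulocity's internals or a finding against it. It uses a tiny in-memory matcher that honours document-style filter operators, in the way document databases interpret an object where a scalar was expected; the user records, request bodies and helper names are all constructed.

```python
"""Why 'no SQL' is not 'no injection': operator injection in a document filter.

Added generic illustration, not Cumulocity code. A minimal in-memory matcher
implements equality plus the $ne and $gt operators in the style of
document-database filters, then shows a login handler that passes parsed
JSON straight into the filter beside one that validates types first.
Plaintext passwords are used only to keep the illustration short; a real
service stores password hashes.
"""
import json
from typing import Any, Dict, List, Optional

USERS: List[Dict[str, Any]] = [  # constructed sample records
    {"username": "alice", "password": "correct horse", "tenant": "t100"},
    {"username": "bob", "password": "battery staple", "tenant": "t200"},
]


def matches(doc: Dict[str, Any], filt: Dict[str, Any]) -> bool:
    """Evaluate a filter against one document.
    A dict in place of a value is treated as an operator object."""
    for field, cond in filt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, operand in cond.items():
                if op == "$ne":
                    if value == operand:
                        return False
                elif op == "$gt":
                    if value is None or not value > operand:
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif value != cond:
            return False
    return True


def find_one(collection: List[Dict[str, Any]], filt: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    return next((d for d in collection if matches(d, filt)), None)


def login_vulnerable(body_json: str) -> Optional[Dict[str, Any]]:
    """Parsed request fields go straight into the filter. If 'password' is an
    object such as {"$ne": ""}, the engine evaluates it as an operator and the
    credential check degrades to 'password is not empty'."""
    body = json.loads(body_json)
    return find_one(USERS, {"username": body["username"], "password": body["password"]})


def login_hardened(body_json: str) -> Optional[Dict[str, Any]]:
    """Same handler with a type check: only plain strings reach the filter."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None  # reject anything that is not a scalar credential
    return find_one(USERS, {"username": username, "password": password})


if __name__ == "__main__":
    # Constructed attack body: no password known, operator object instead.
    attack = '{"username": "alice", "password": {"$ne": ""}}'
    print("vulnerable:", login_vulnerable(attack))   # logs in as alice
    print("hardened:  ", login_hardened(attack))     # None
```

The fix is deliberately boring: validate the shape of every field before it reaches a query or command, whatever the backing store. The same discipline applies to any microservice you deploy alongside the platform.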
Access control
Cumulocity uses a standard authentication and authorization process based on realms, users, user groups, and authorities. A new realm is created for each tenant to hold that tenant's users.
This realm is isolated from other tenants, and tenant administrators assign permissions through their own administration application. Permissions and roles for devices and groups of devices can be defined at a very granular level, and custom configurations created to meet your organization's needs.
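The two isolation levels described here and in the Native multi-tenancy section (the tenant boundary first, then roles inside the tenant), together with the RBAC advice in the "Building robust defenses" list, amount to one authorization decision that every API call should pass through. The following is an added example of that decision written as a small in-memory policy check; it is not Cumulocity code, does not reproduce its permission model, and all roles, tenants and resources are constructed.

```python
"""Tenant-scoped role-based authorization.

Added illustration, not Cumulocity code. Maps a realm/user/group/authority
style model onto an in-memory policy so the two isolation levels can be
exercised offline: cross-tenant requests are refused before any role lookup,
and inside a tenant access is default-deny unless a role grants the action.
Every decision is also turned into an audit record.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Constructed permission catalogue: role -> set of (resource kind, action).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "admin":    {("device", "read"), ("device", "write"),
                 ("device", "deactivate"), ("user", "manage")},
    "operator": {("device", "read"), ("device", "write")},
    "viewer":   {("device", "read")},
}


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str              # realm the user belongs to
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str
    tenant: str              # tenant that owns the resource
    ident: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, action: str, resource: Resource) -> Decision:
    """Level 1: tenant isolation. Checked first so a cross-tenant request is
    refused regardless of how privileged the caller is in its own tenant.
    Level 2: role-based access inside the tenant, default deny."""
    if principal.tenant != resource.tenant:
        return Decision(False, "cross-tenant access denied")
    for role in sorted(principal.roles):
        if (resource.kind, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"allowed by role '{role}'")
    return Decision(False, "no role grants this action")


def audit_record(principal: Principal, action: str, resource: Resource,
                 decision: Decision) -> Dict[str, object]:
    """Flat record suitable for an append-only audit log."""
    return {
        "principal": principal.name, "principal_tenant": principal.tenant,
        "action": action, "resource": f"{resource.kind}:{resource.ident}",
        "resource_tenant": resource.tenant,
        "allowed": decision.allowed, "reason": decision.reason,
    }


def check(principal: Principal, action: str, resource: Resource) -> Dict[str, object]:
    """Authorize and emit the audit record in one step, so no decision goes unlogged."""
    return audit_record(principal, action, resource, authorize(principal, action, resource))


if __name__ == "__main__":
    # Constructed actors: an admin of tenant t100 and a viewer of tenant t200.
    admin_t100 = Principal("alice", "t100", frozenset({"admin"}))
    viewer_t200 = Principal("bob", "t200", frozenset({"viewer"}))
    pump_t200 = Resource("device", "t200", "pump-7")
    print(check(admin_t100, "read", pump_t200))        # denied: wrong tenant
    print(check(viewer_t200, "read", pump_t200))       # allowed by role 'viewer'
    print(check(viewer_t200, "deactivate", pump_t200)) # denied: no role grants it
```

Ordering matters: the tenant check runs before the role lookup so that an administrator's broad rights never leak across the tenant boundary, which is the property the text describes as "100% segregation" between customers.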
When a security event occurs, whether at the application level or on the network, Cumulocity enables applications and agents to write audit logs, which are persistently stored and cannot be externally modified after being written.
Cumulocity also writes its own audit records for login and device-control operations. Administrators are alerted to security events as they occur so that remedial action can be taken.
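The text states that audit records cannot be modified once written but does not say how that property is achieved, and a practitioner integrating their own agents will want a way to check it. One generic technique is a hash chain: each record's digest covers the previous digest, so any edit, deletion or reordering breaks every link after it. The following is an added example of that technique and is not Cumulocity's implementation; the record contents are constructed.

```python
"""Tamper-evident (hash-chained) audit log.

Added generic illustration, not Cumulocity's implementation. Each entry
stores the SHA-256 of (previous hash || canonical JSON of the record), so
verify() can locate the first entry that no longer matches its chain.
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # anchor for the first entry


def _digest(prev_hash: str, record: Dict[str, object]) -> str:
    # Canonical encoding: key order and whitespace must not affect the hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def append(self, record: Dict[str, object]) -> str:
        """Append a record and return its hash (the new chain head)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "hash": h})
        return h

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain from GENESIS. Returns (ok, index): on failure, index is
        the first bad entry; on success it is the number of entries checked."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Build a small log, verify it, tamper with one record, verify again."""
    log = AuditLog()
    # Constructed records in the style of login and device-control events.
    log.append({"ts": 1, "type": "login", "user": "alice", "ok": True})
    log.append({"ts": 2, "type": "login", "user": "mallory", "ok": False})
    log.append({"ts": 3, "type": "device.deactivate", "device": "gw-legacy-7", "by": "alice"})
    before = log.verify()
    # Simulated after-the-fact edit of a stored record (e.g. by someone with disk access).
    log.entries[1]["record"]["ok"] = True
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, 3), (False, 1))
```

Publishing the current chain head to a separate system (or signing it) turns this from tamper-evident into tamper-evident even for an attacker who can rewrite the whole file, which is the property an audit store should offer to whoever reviews the alerts.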
Single Sign-On integration is fully supported by Cumulocity, allowing your security team to manage Cumulocity users in the same way they manage any other application in the infrastructure. In addition to user access management, the security model in Cumulocity can be extended by third parties, offering additional capabilities such as full public key infrastructure, intrusion detection, and prevention solutions.
Cloud partners: Working together to provide the best security solution for customers
Ensuring Cumulocity is secure doesn’t simply stop at software design and development. Our cloud hosting partners also play a critical role. They help ensure the resilience and performance of Cumulocity meets the expectations of any mission-critical system and that all servers, storage, and network devices are physically secure.
Cumulocity tenant accounts are hosted on AWS or Microsoft Azure, both of which are certified to ISO 27001 and PCI DSS as well as other security standards, feature extensive physical security measures, and are independently audited. As a preferred partner of both cloud providers, our close relationship allows us to ensure secure integration as we continue to innovate together.
Cumulocity on Microsoft Azure: The combination of Cumulocity and Azure empowers enterprises to simplify the process of connecting and managing devices using open plug and play standards, harvest immediate insights from IoT data to achieve business goals, and apply machine learning and advanced data science from the edge to the cloud.
Cumulocity on AWS: The combination of Cumulocity and Amazon Web Services (AWS) provides the tools to create robust IoT solutions that deliver value fast, scale easily, and allow you to evolve your solution with the market.
Whichever cloud provider you prefer, Cumulocity will give you fast visibility and control over your remote assets via a secure, resilient, and highly sustainable IoT solution.
References
1. GSA, September 2022 forecast
2. Zscaler ThreatLabz 2023 Enterprise IoT and OT Threat Report, https://info.zscaler.com/resources-industry-reports-threatlabz-2023-enterprise-ioT-ot-threat-report
3. New Statesman https://www.newstatesman.com/spotlight/2022/07/malware-on-sale-price-pint-dark-web