IoT Security Cheat Sheet Overview
When building out our product there were a number of things on the security side I wish we had known upfront, so we didn't have to circle back and change a lot later in development. If only there were a master cheat sheet to work from that would both help focus our team on the highest-impact items and help prepare us for requirements from third parties.
Planning – Threat Modeling
Planning is a good time to do threat modeling as well
Threat modeling is not coding, but it ties very closely to the development architecture and build process. OWASP's Threat Modeling guidance is a great reference on this; for brevity, here are the main areas at a high level.
- Create use cases for the application
- Determine and rank threats
- Determine countermeasures and mitigations
USE CASES FOR THE APPLICATION
The easiest way to do this is to create flow diagrams around specific use cases. Keep track of data and users (internal and external), and also look at the infrastructure your system sits on or relies upon.
- How does data flow from system to system?
- How do users interact with your system?
- How do users install and maintain the physical device?
- How do you store data?
- Which users share infrastructure with the service?
Example: your customer has a lighting system they want to install and monitor. The IoT gateway sits on the corporate network, but that network requires a login, so you ship a temporary setup application that runs once to get the service connected.
This scenario raises questions about the state of the device and application during setup. How does your customer trigger setup? What happens if setup is only partially complete? Can other services, such as the lighting controller, reach the device, or is communication one way?
I would have someone build this in a Google Doc or with a diagram builder while you're having the conversation. It will feel slower while you're working on it, but you won't redo work when someone takes a photo of a whiteboard and then tries to recreate it. Here is a sample diagram you can copy.
DETERMINING AND RANKING THREATS
If it’s out there someone will mess with it.
It could be a prank by a college student messing with your AV equipment, or a botnet built to take down Minecraft servers. Often, many of the threats to your system will not come from advanced attackers.
One university we spoke with had their BAS system taken down by a student who accidentally created a denial of service when he was scanning network traffic. The BAS system hadn't been isolated and piggybacked on the VPN used by students.
At BuildPulse we had the case of the vanishing box. One of our devices was in a secure IT area, then up and disappeared. It randomly returned after a few months.
Example: Stack Ranking
Take the setup example again. How often does setup occur? Measured against the total lifetime of the device it is a very small window, so the likelihood of a security issue in this stage is low, since most attackers need more time with a system. Rank on both likelihood and impact, though: a short window lowers likelihood, but a setup flow that handles corporate network credentials can still score high on impact.
If you want an example list, you can use this one as a starting point for stack ranking the security threats in your IoT instance.
Separating core services makes it easier to control this. Separate the API, front end, device management, and devices into their own sections. No need to go crazy with a million microservices, but separating these will save you scaling and security problems down the road.
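As an added example (not BuildPulse's list or tooling), here is a small threat register that stack-ranks the scenarios mentioned on this page by likelihood times impact, breaks ties on impact so a rare-but-severe threat is not buried under a frequent nuisance, and re-ranks after the countermeasures you plan to build. The threat names, scores and mitigations are constructed for illustration; your own numbers will differ.

```python
from dataclasses import dataclass

# Scores run 1 (lowest) to 5 (highest). The threats below are constructed from
# the scenarios on this page for illustration; they are not BuildPulse's list.


@dataclass(frozen=True)
class Mitigation:
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood once in place
    impact_reduction: int = 0       # points taken off impact once in place


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int                 # how likely over the device's lifetime
    impact: int                     # how bad if it happens
    mitigations: tuple = ()         # countermeasures you have decided to build

    def inherent_risk(self) -> int:
        """Risk before any countermeasure: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk left after the listed mitigations, floored at 1 x 1."""
        likelihood = self.likelihood - sum(m.likelihood_reduction for m in self.mitigations)
        impact = self.impact - sum(m.impact_reduction for m in self.mitigations)
        return max(1, likelihood) * max(1, impact)


def rank(threats, residual=False):
    """Stack-rank threats, highest risk first.

    Ties are broken on impact so that a rare-but-severe threat (a short setup
    window that exposes corporate credentials) never sorts below a frequent
    nuisance (a prank on the AV gear) with the same score.
    """
    score = Threat.residual_risk if residual else Threat.inherent_risk
    return sorted(threats, key=lambda t: (score(t), t.impact), reverse=True)


THREATS = (
    Threat("un-isolated BAS flooded by a student's network scan", 4, 3,
           (Mitigation("building systems on their own VLAN", likelihood_reduction=3),)),
    Threat("setup app exposes the corporate network login", 2, 4,
           (Mitigation("setup mode times out after a few minutes", likelihood_reduction=1),)),
    Threat("gateway walks out of the IT closet", 2, 3,
           (Mitigation("per-device credentials, revoked on loss", impact_reduction=2),)),
    Threat("device recruited into a DDoS botnet", 3, 3),
    Threat("student pranks the AV equipment", 4, 1),
    Threat("developer laptop compromised", 2, 5),
)


def report(threats=THREATS, residual=False):
    """Return [(rank, name, score)] for printing or asserting on."""
    score = Threat.residual_risk if residual else Threat.inherent_risk
    return [(i + 1, t.name, score(t)) for i, t in enumerate(rank(threats, residual))]


if __name__ == "__main__":
    for rank_no, name, value in report():
        print(f"{rank_no}. [{value:2d}] {name}")
    print("after planned mitigations:")
    for rank_no, name, value in report(residual=True):
        print(f"{rank_no}. [{value:2d}] {name}")
```

The residual ranking is the useful one: once the BAS network is isolated, that threat drops from the top of the list to near the bottom, while the unmitigated developer-laptop and botnet threats rise to the top and tell you what to work on next.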
DETERMINE COUNTER MEASURES AND MITIGATION
Start by assuming your systems will be compromised.
Things that make rapid development and deployment simple also make security difficult: an open system anyone can use versus a very restricted system with hurdles to jump through.
- If one physical device is compromised, what happens?
- If your API is compromised?
- What if a user's password is compromised?
- What happens if a developer's system is compromised?
Compartments are not enough; the Titanic had 16 and still went down. Part of that was the speed at which it was traveling, knowing there were icebergs.
Customers appreciate rapid response. For example, if a device is hacked, how can you isolate it and get a new device to the customer as quickly as possible?
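Added example, not BuildPulse's code: one way to answer "if one physical device is compromised, what happens?" is to give every device its own random key and have the API authenticate each message with an HMAC bound to the device id and a timestamp. A key pulled off one gateway then only lets an attacker speak as that gateway, and isolating it is a single revocation. The device ids (gw-a, gw-b), the DeviceRegistry class and the sample telemetry are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct


def sign(key: bytes, device_id: str, ts: int, payload: bytes) -> bytes:
    """Device side: MAC over (device_id, timestamp, payload).

    Length-prefixing the id keeps the encoding unambiguous, and binding the id
    and timestamp means a tag cannot be re-used for another device or later on.
    """
    dev = device_id.encode()
    msg = struct.pack(">H", len(dev)) + dev + struct.pack(">Q", ts) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class DeviceRegistry:
    """Server side (hypothetical). Every device gets its own random key, so a
    key pulled off one compromised gateway only lets an attacker speak as that
    gateway, and revoking that one id contains the damage without touching the
    rest of the fleet."""

    MAX_SKEW = 60  # seconds a captured message stays replayable

    def __init__(self):
        self._keys = {}
        self._revoked = set()

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)   # provisioned into the device at setup
        self._keys[device_id] = key
        return key

    def revoke(self, device_id: str) -> None:
        self._revoked.add(device_id)

    def verify(self, device_id: str, ts: int, payload: bytes, tag: bytes, now: int) -> bool:
        key = self._keys.get(device_id)
        if key is None or device_id in self._revoked:
            return False
        if abs(now - ts) > self.MAX_SKEW:
            return False
        return hmac.compare_digest(sign(key, device_id, ts, payload), tag)


def blast_radius_demo() -> dict:
    """Walk through the 'one device is compromised' question; returns what the
    server decided for each message so the outcome can be checked."""
    reg = DeviceRegistry()
    key_a = reg.enroll("gw-a")
    key_b = reg.enroll("gw-b")
    now = 1_700_000_000
    reading = b'{"lux": 412}'           # constructed sample telemetry
    tag_a = sign(key_a, "gw-a", now, reading)

    out = {}
    out["own_report_accepted"] = reg.verify("gw-a", now, reading, tag_a, now)
    # attacker holding gw-a's key tries to report as gw-b
    forged = sign(key_a, "gw-b", now, reading)
    out["impersonation_rejected"] = not reg.verify("gw-b", now, reading, forged, now)
    # same message replayed an hour later
    out["replay_rejected"] = not reg.verify("gw-a", now, reading, tag_a, now + 3600)
    # payload altered in transit, tag left alone
    out["tamper_rejected"] = not reg.verify("gw-a", now, b'{"lux": 9999}', tag_a, now)
    # device reported lost or hacked: isolate only that one
    reg.revoke("gw-a")
    out["revoked_rejected"] = not reg.verify("gw-a", now, reading, tag_a, now)
    tag_b = sign(key_b, "gw-b", now, reading)
    out["fleet_unaffected"] = reg.verify("gw-b", now, reading, tag_b, now)
    return out


if __name__ == "__main__":
    for check, ok in blast_radius_demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The same walk-through with one shared fleet key would fail the impersonation and fleet-unaffected checks: revoking the leaked key takes every device offline, which is exactly the slow, customer-visible response the paragraph above warns about.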
What's next: as the topics below are fleshed out I will update this page to link to them. I am going to break examples out into three areas.
- Device Security
- API Security
- FrontEnd / User Management Security