Cybersecurity Awareness in IoT Threats

By: Mehrdad Sharbaf, Professor, Innovative Strategic & Visionary Consultant, IEEE CLAS Computer Society Chair, and Past IEEE CLAS Chair
 

The Internet of Things (IoT), or Internet of Intelligent Things, is one of the most discussed topics in business and research today. IoT refers to systems that involve computation, sensing, and communication, and that connect humans and non-human physical objects, enabling monitoring, automation, and decision making within an organization. It is a network of ‘smart’ devices that connect and communicate via the Internet. The global environment and the consumer market are entering a new business-model era in which everything will communicate with everything else by means of IoT. These “things” include routers, security cameras, smart TVs, home assistants like Amazon Echo or Google Assistant, doorbells like Google Nest, and smart refrigerators that can send alerts to your mobile phone (Figure 1-NIST), and they extend from energy management (e.g. Smart Grid) to healthcare management (e.g. medical devices like heart monitors) and urban life (e.g. Smart City). Even cars that send diagnostic information to your email or phone are part of the Internet of Things. By 2020, at least 50 billion more devices will become smart via embedded processors. The impact of the IoT on our society will be extraordinary. The only thing certain about that number is that it will grow exponentially. However, more connections appear to generate more vulnerabilities. Cyber criminals are always looking for ways to gain access to systems by exploiting vulnerabilities. Because the public lacks awareness about these devices, the devices lack standardization, and the characteristics of IoT are highly dynamic and change continuously because of mobility, IoT raises concerns about security. It is imperative that these smart devices in our homes and businesses have cyber security provisions that defend against and resist potential threats and malicious cyber activity.

 

This article discusses cybersecurity awareness of IoT threats among the public, and some ways to make the public more aware of cybersecurity threats related to IoT.

 

Figure 1-NIST-IoT publication

 

Bringing the IoT into society in a beneficial way will require cybersecurity awareness and training for its users. For that reason we need to inform and educate the public about how consumers can minimize the risks in an IoT environment. In August 2020 the Australian government published the Code of Practice: Securing the Internet of Things for Consumers. This voluntary code of practice is based on 13 principles, listed as follows: No duplicated default or weak passwords, Implement a vulnerability disclosure policy, Keep software securely updated, Securely store credentials, Ensure that personal data is protected, Minimize exposed attack surfaces, Ensure communication security, Ensure software integrity, Make systems resilient to outages, Monitor system telemetry data, Make it easy for consumers to delete personal data, Make installation and maintenance of devices easy, and Validate input data. The United Kingdom also published the Code of Practice for Consumer IoT Security, which brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security.

The Canadian government released guidance on understanding the Internet of Things and how to protect consumers in an IoT environment, Internet of Things Security for Small and Medium Organizations. The points of awareness in that report are: secure your wireless network; change device default usernames and passwords, and use strong passwords; keep networks with sensitive information isolated; consider using separate networks for IoT devices; ensure the device has system reset capability in order to permanently eliminate sensitive configuration information; control who can access your network and from where; encrypt data, commands and communications, both at rest and in transit; and, where possible, set operating system, software, and firmware to update automatically, and also establish periodic manual updates as required.

One of the key issues in IoT security is to understand your IoT devices. The FBI released the report “Be Vigilant with Your Internet of Things (IoT) Devices”, which sets out how consumers can minimize these risks in IoT devices. As the report recommends, many devices come with default passwords or open Wi-Fi connections, so change to a strong password and only allow the device to operate on a network with a secured Wi-Fi router. Manage and protect your Wi-Fi networks: for example, set up firewalls, use strong, complex passwords, and consider using media access control address filtering to limit the devices able to access your network. Establish layers of defense: many routers give you the option to set up more than one network, so if your router has that capability, separate your computing devices from your IoT devices and spread them across several different networks. That way, if cyber criminals break into one network, the damage they do will be limited to the devices on that one network. Disable the Universal Plug and Play protocol (UPnP) on your router; UPnP can be exploited to access many IoT devices. Research devices before you purchase. Read reviews and get recommendations, research their security capabilities, purchase IoT devices from manufacturers with a track record of providing secure devices, and set your devices for automatic updates when available.
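The recommendations above can be checked against a simple inventory of a home or small-office network. The following Python sketch is an added example, not taken from the FBI or Canadian guidance; the inventory format, device names, and addresses are constructed for illustration. It flags IoT devices that share a network with computing devices, default passwords, disabled automatic updates, and UPnP left enabled on the router.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical names, addresses and fields).
NETWORKS = ["192.168.1.0/24", "192.168.20.0/24"]
ROUTER = {"upnp_enabled": True}
DEVICES = [
    {"name": "laptop", "ip": "192.168.1.10", "kind": "computer",
     "default_password": False, "auto_update": True},
    {"name": "camera", "ip": "192.168.1.50", "kind": "iot",
     "default_password": True, "auto_update": False},
    {"name": "doorbell", "ip": "192.168.20.5", "kind": "iot",
     "default_password": False, "auto_update": True},
    {"name": "smart-tv", "ip": "10.0.0.7", "kind": "iot",
     "default_password": False, "auto_update": True},
]

def audit(networks, router, devices):
    """Return a sorted list of (subject, finding) tuples."""
    nets = [ipaddress.ip_network(n) for n in networks]
    findings = []
    members = defaultdict(list)  # network -> devices placed on it
    for dev in devices:
        addr = ipaddress.ip_address(dev["ip"])
        home = next((n for n in nets if addr in n), None)
        if home is None:
            # A device outside every documented network is unmanaged.
            findings.append((dev["name"], "address is on no known network"))
        else:
            members[home].append(dev)
        if dev["default_password"]:
            findings.append((dev["name"], "default password still set"))
        if not dev["auto_update"]:
            findings.append((dev["name"], "automatic updates are off"))
    # Segregation: IoT devices should not sit beside computing devices.
    for net, devs in members.items():
        if {"iot", "computer"} <= {d["kind"] for d in devs}:
            for d in devs:
                if d["kind"] == "iot":
                    findings.append(
                        (d["name"], f"shares {net} with computing devices"))
    if router.get("upnp_enabled"):
        findings.append(("router", "UPnP is enabled"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(NETWORKS, ROUTER, DEVICES):
        print(f"{subject}: {finding}")
```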

 

The US has also passed a law related to IoT devices, to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices. From the European Union perspective, there are two studies related to IoT. The first report was prepared by the ENISA (European Union Agency for Network and Information Security) Advisory Group’s Working Group on a cybersecurity consumer perspective, which released a study report related to Good Practices for Security of Internet of Things. The aim of the study is to serve as a reference point to promote collaboration on Industry 4.0 and Industrial IoT security across the European Union and to raise awareness of the relevant threats and risks with a focus on “security for safety”. The second report was prepared by ETSI, a European Standards Organization (ESO). The report is CYBER; Cyber Security for Consumer Internet of Things. It brings together widely considered good practice in security for internet-connected consumer devices in a set of high-level outcome-focused provisions. The cyber security provisions for consumer IoT are: No universal default passwords, Implement a means to manage reports of vulnerabilities, Keep software updated, Securely store sensitive security parameters, Communicate securely, Minimize exposed attack surfaces, Ensure software integrity, Ensure that personal data is secure, Make systems resilient to outages, Examine system telemetry data, Make it easy for users to delete user data, Make installation and maintenance of devices easy, and Validate input data.

 

Today’s digital world is changing quickly and affecting our lives, and our dependency and reliance on the internet is ever expanding and increasing exponentially. It’s imperative that consumers understand they can help fight cyber attacks by ensuring their devices are updated and patched, which helps mitigate risks from the latest threats and vulnerabilities.


References

ETSI (European Telecommunications Standards Institute). https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf

Australian Government, Code of Practice: Securing the Internet of Things for Consumers. https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf

Canadian Government for IoT. https://cyber.gc.ca/en/guidance/internet-things-security-small-and-medium-organizations-itsap00012

FBI. https://www.fbi.gov/news/stories/cyber-tip-be-vigilant-with-your-internet-of-things-iot-devices

ENISA (The European Union Agency for Network and Information Security). https://www.enisa.europa.eu/about-enisa/structure-organization/advisory-group/ag-publications/final-opinion-enisa-ag-consumer-iot-perspective-09.2019

NIST, IoT. https://csrc.nist.gov/publications/detail/nistir/8259/archive/2020-01-07

Marcel Medwed, IoT Security Challenges and Ways Forward. ACM ISBN 978-1-4503-4567-5/16/10. DOI: http://dx.doi.org/10.1145/2995289.2995298

Elisa Bertino, Research Challenges and Opportunities in IoT Security. ACM. ISBN 978-1-4503-5393-9/17/10… DOI: https://doi.org/10.1145/3139531.3139535

Internet of Things (IoT) Cybersecurity Improvement Act of 2019 (law). https://www.scribd.com/document/401616402/Internet-of-Things-IoT-Cybersecurity-Improvement-Act-of-2019