The role of web application security in protecting the IoT

Key takeaways

 

• The IoT has no built-in security standards. A mishmash of vendors, products, and protocols makes protecting devices and data difficult.
• Attacks can come from many directions and involve many hardware and software components.
• A best-practice IoT security framework is multilayered and includes a focus on web API and web application security.

The Internet of Things (IoT) delivers a growing array of benefits for businesses and consumers. It connects people and objects in powerful ways, whether automating industrial systems, enabling traceability across supply chains, or making it possible to switch on lights or unlock doors with voice commands.

But there’s also a major concern with the IoT: the technology was not designed with cybersecurity in mind, and many device manufacturers treat security as an afterthought. Making matters worse is the lack of industrywide, IoT-specific security standards for devices, operating systems, authentication methods, and communication protocols.

As organizations look to build multilayered protections into an IoT framework, web application security is a key piece of the overall puzzle. That is because the IoT relies on the same Internet communications protocols that web applications use.

The story of numbers

The ever-growing number of connected devices makes IoT security especially difficult. According to Statista, more than 15 billion devices will be in use worldwide this year; by 2030, that number will nearly double. Security is further complicated by the vast array of devices – sensors, phones, wearables, and industrial machinery, to name a few – and their use in fields as varied as agriculture, manufacturing, engineering, energy, transportation, smart cities, and home automation. For bad actors, the huge variety of device types and use cases means multiple vectors for attack.

What makes IoT devices so vulnerable? A common problem is the lack of security protections on IoT devices themselves. Even when an organization applies IoT security controls across a group of its devices, the associated security risks don’t completely disappear. Because the IoT relies on IP communications just like the rest of the Internet, these risks have the potential to touch almost every corner of an enterprise – from cloud workloads and servers to databases, endpoints, or even software code repositories.

In addition, attacks on IoT are becoming more common and costly, to the tune of an average of $330k per incident, according to one industry study. Both cybersecurity researchers and cybergangs have been able to penetrate industrial systems, video networks, vehicles, and numerous consumer devices. In one well-known example, criminals hacked a web-connected thermometer at an aquarium at a casino and then gained access to the corporate network.

Common challenges of IoT security

Most IoT security risks fall into one of the following areas, which often overlap:

• Authentication. Weak or non-existent authentication methods (including the lack of multifactor authentication) and subpar access controls on devices and web applications create entry points for abuse. Ideally, users should have access to only the devices and data they require.

• Encryption. Any data that isn’t encrypted at rest and in transit is at risk of being intercepted, modified, deleted, or stolen. Yet establishing end-to-end encryption over the IoT is difficult because some devices don’t support encryption natively, often due to hardware limitations. There’s also the sheer number of devices and systems that IoT data must travel across.

• API security. IoT components span many systems and reach across networks. API security is a key consideration as organizations connect data sources and systems into modern microservice architectures. Because APIs represent gateways to various systems in the enterprise, ensuring the security of APIs exposed and accessed by IoT devices is key to blocking attacks or at least limiting their scope. 

• Programming, monitoring, and managing devices. Many security teams don’t have the tools in place to configure IoT devices and then track and manage activity across a network and client applications. Typical tools would include logs from dynamic firewalls and intrusion detection systems, but these often aren’t efficient ways to monitor entire networks of devices.

• Patching and updates. Many devices lack basic security features, but even those that include stronger safeguards will require ongoing patches, updates, and refreshes to stay secure. This is especially troublesome for embedded systems that may be physically inaccessible. In addition, new devices might introduce new requirements – and security risks.

• Code. Software used for IoT devices can include vulnerabilities that expose a device or an entire IoT device network to attackers. As an example, threat actors may be able to drop malicious code into device firmware or software to snoop on communications, perform man-in-the-middle attacks, or breach connected business systems.

Core principles of strong IoT security

IoT security addresses five core areas: authentication, encryption, port protection, and device management.

• Authentication. Device authentication typically relies on the X.509 cryptographic standard, a protocol that verifies devices, gateways, users, services, and applications. It uses self-signed or authority-signed public key certificates that validate identities over a network. Loading these certificates on IoT devices and enforcing encrypted communications makes them harder to breach.  

• Identity management. Limiting access to systems and applications through identity management and other authentication and authorization methods is vital to minimize the risk of unauthorized access.

• Encryption. While many newer IoT devices support the more advanced Wireless Protection Access 3 (WPA3) standard, many older devices continue to rely on WPA2 because of firmware or power limitations. Organizations should use the most advanced encryption possible and ensure that all communications between edge devices and other components are encrypted.

• Port protection. It’s important to disable ports that aren’t required to operate an IoT device and ensure that connected devices are protected by a firewall and segmented, or even microsegmented, appropriately. This reduces the attack surface available to attackers and also the risk of compromised IoT devices being used as stepping stones to more critical systems.

• Device management and network segmentation. The ability to configure devices, including by segmenting and microsegmenting them according to a task, process, or user group, also mitigates security risks. When possible, it’s also wise to isolate devices from the public Internet and scan those that communicate via REST APIs for vulnerabilities. Another best practice is to keep an eye on the age of devices and the current state of their BIOS, operating system, and software. Patching or wholesale replacements may be necessary.

Where IoT and web app security align

Because connected IoT devices commonly communicate over HTTP and frequently interact with web applications and connected databases, any web security strategy must address IoT and web apps holistically. Scanning RESTful APIs while deploying other security protections – including strong authentication, encryption, and port restrictions – greatly reduces the exposure surface for IoT systems.

Best practices for developing IoT security policy

Like other areas of cybersecurity, locking down the IoT requires a focused strategy, the right tools, and the right technologies. It’s essential to build a framework that approaches protection in a holistic and persistent way. As organizations adopt a multilayered approach and use ongoing security reviews along with a focus on inserting protections earlier in the development cycle, the odds of a breach or denial of service diminish. Only at that point is it possible to tilt the equation toward maximizing the benefits of the Internet of Things.

The bottom line

IoT security cannot be an afterthought – it must be integrated into an overall enterprise security strategy. As automation and smart systems become the norm, it’s essential to develop a framework for managing a hyperconnected world. A focus on authentication, encryption, port management, and device management tames the potential chaos and helps keep systems and data secure.