5 minute read
5.11 Security Monitoring and Analytics
– Gateways reduce the number of sensors/devices connected to the internet by “multiplexing” the devices together. This makes gateways the first line of defence against hackers, but also prime targets. Therefore, security needs to be a priority for any gateway.
Highly secured gateways can provide trust anchors within the network. For example, Germany’s BSI269 has standardised the Smart Meter Gateway as an interoperable and secure communication platform270 with a dedicated Common Criteria profile271 .
Gateways are also considered as solutions to secure legacy hardware such as industrial control systems. For older or proprietary hardware that doesn’t support modern networks or security standards, the Trusted Network Connect architecture272 includes a specification (IF-MAP Metadata for ICS Security) that organises legacy or constraint devices into local enclaves that connect to a trusted network using security gateways. The gateways that link these networks provide encrypted communications and security to the interconnected enclaves, and automatically apply access control policies from a centralised provisioning system.
5.10.2 Key Findings – The networking and interoperability challenge has seen extensive work as well as significant standardisation; however, an in-depth review is required of the security of these communication solutions and the security and privacy requirements on each level of the communication stack in the IoT ecosystem. – Good practices are lacking regarding the technical feasibility of security controls running on resourceconstrained devices. Security reference architectures are required. – Secure gateways can provide high-security deployments even with low-cost IoT devices.
5.11 SECURITY MONITORING AND ANALYTICS History shows that vulnerabilities are invariably found after a product is deployed – and often exploited in “zero-day” attacks. It is vital to be able to detect unforeseen vulnerabilities, anomalies and threats in live IoT deployments, and to respond quickly, recover and remediate. In performing these tasks intelligently and automatically, it is important to devise new paradigms of IoT security monitoring, incident management and recovery.
Since IoT is by definition vulnerable, we need to monitor and analyse dataflows for advanced attacks, exceptions and other deviant behaviour. Furthermore, we should learn from discovered incidents, preferably in real-time, in order to define relevant anomalies and improve protection and detection. No matter how well defence measures are implemented, some threats will still get past even the best defences. Detecting such threats requires strong understanding of what the systems “should” be doing. Machine learning may help to find threats hiding in the noise of trillions of events generated every month.
5.11.1 Current Landscape and Recent Developments State-of-the-art security analytics are developed by the Industrial Internet Consortium under the Industrial Internet of Things Analytics Framework273, which is intended for system architects, technology leaders and business leaders looking to successfully deploy industrial analytics systems. Although this framework has a business focus and not a security focus, it addresses the required building blocks for security monitoring and analytics.
269 https://www.commoncriteriaportal.org/files/ppfiles/pp0073b_pdf.pdf 270 BSI Presentation by Joachim Weber, during SICW IoT Security roundtable, 2017. 271 Smart Meter Gateway PP, https://www.commoncriteriaportal.org/files/ppfiles/ pp0073b_pdf.pdf 272 https://trustedcomputinggroup.org/work-groups/trusted-networkcommunications/tnc-resources/ 273 http://www.iiconsortium.org/pdf/IIC_Industrial_Analytics_Framework_ Oct_2017.pdf
Schonwalder274 proposed and investigated a distributed passive monitoring architecture for IoT. The architecture relies on the Routing Protocol for Low-Power and Lossy Networks (RPL), which was discussed in the previous section, to monitor the network in a lightweight manner. Higher-order monitoring nodes can passively listen to the network while participating in its operation. Monitored nodes do not require to be instrumented, nor do they need to dedicate resources to the monitoring tasks which are operated by the cloud.
Coordinated Vulnerability Disclosure As ISO identifies275, inappropriate disclosure of a vulnerability could not only delay the deployment of the vulnerability resolution but also give attackers hints to exploit it. Vulnerability disclosure is a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution. The goals of vulnerability disclosure include the following: a) ensuring that identified vulnerabilities are addressed; b) minimising the risk from vulnerabilities; c) providing users with sufficient information to evaluate risks from vulnerabilities to their systems; d) setting expectations to promote positive communication and coordination among involved parties.
A strategy to deal with discovered threats and vulnerabilities includes a Coordinated Vulnerability Disclosure (CVD) program that balances security with the interests of manufacturers and stakeholders, as well as a clear understanding of liability. As discussed276 by US-CERT, CVD practices commonly lead to a strategy for Vulnerability Management (VM), which is the common term for tasks such as vulnerability scanning, patch testing, and deployment. VM practices focus on the positive action of identifying specific systems affected by known (postdisclosure) vulnerabilities and reducing the risks they pose through the application of mitigations or remediation such as patches or configuration changes. This is also discussed in the previous section on product lifecycles.
Data Classification Combining the computing power available within the cloud with the vast volumes of data that can be generated by IoT, it should be possible to segregate bad actors, limit access to malicious parties, and integrate easily with third party logging and intrusion detection and prevention systems. Data will be collected within the cloud from a variety of data components in the IoT ecosystem. Some data might be highly sensitive, while other data might be relatively benign; a security monitoring framework should provide capabilities to classify data and to protect data based on its classification. Interface controls should limit access and exposure of sensitive data on the basis of classification.
Honeypots A honeypot is a computer security mechanism that appears to be a legitimate device containing information of value but is actually isolated and monitored. A honeypot resource is never meant for legitimate use; therefore, any access to the honeypot resource is suspicious, and either accidental or hostile in nature. The attack strategies are recorded by the honeypot, and may include network traffic, payload, malware samples, and the toolkit used by the attacker. Some honeypots that are specifically geared towards IoT include IoTPOT278, Dionaea279, and ZigBee Honeypot. DutchSec's HoneyTrap offers an advanced system for running and managing honeypots.280
274 http://ieeexplore.ieee.org/document/7502833/, Schonwalder, 2015. 275 Information technology — Security techniques — Vulnerability disclosure, ISO/ IEC 29147 276 The CERT® Guide to Coordinated Vulnerability Disclosure, August 2017 277 http://www.symantec.com/content/en/us/enterprise/other_resources/ building-security-into-cars-iot_en-us.pdf 278 https://github.com/IoTPOT/IoTPOT 279 https://github.com/DinoTools/dionaea 280 https://github.com/honeytrap/honeytrap 79
