Best Practices for Compliance in IoT: The Role of Live Patching
The Industrial Internet of Things (IIoT or “IoT” for short) consists of billions of devices deployed across industrial facilities and public infrastructure. While a boon to productivity and data-driven business, the IoT creates cybersecurity risks. The technology is itself vulnerable, but IoT devices also offer hackers an easy point of entry into corporate networks. Indeed, according to a 2019 Ponemon Institute study, unsecured connected devices accounted for 26% of security incidents, up from 15% the year before. Since the beginning of 2020, the Verzion has analysed 157,525 incidents of data breaches, 72% of which involved large business victims. Being a part of this statistics is a bleak perspective for corporations and industries that do not practice the best IoT compliance frameworks.
Understanding IoT Vulnerabilities
IoT devices and infrastructure are vulnerable in part because they almost always sit outside of the main network. Out in the open, they are easy prey for hackers. Nor are the devices typically manufactured with security in mind. More than three quarters of IoT devices are running Linux gateways and edge nodes. They run ARM microprocesses that use embedded Linux, a favorite hacker target.
In this environment, the following IoT vulnerabilities result in risk exposure:
- Operating Systems—Each OS open port and available protocol comprises an attack surface area. The code on IoT microcontroller units (MCUs) runs on a “bare metal” basis, with no supporting operating system. They may have many ports open by default.
- Applications—An IoT System on a Chip (SOC) may be running multiple apps programs, each with the potential for exploitable vulnerabilities.
- Dependencies—Apps and OS’s in IoT devices may have external dependencies and libraries.
- Communication—The IoT is vulnerable to communications-based attacks such as the “man-in-the-middle” and “replay attacks.”
- Cloud hosting—The IoT’s supporting cloud infrastructure, with its connected servers, is also an attack surface.
- User access—Access to devices is a major point of vulnerability, especially if attackers can impersonate users without having to go through the corporate network.
Best Practices for IoT Compliance
It is possible to achieve a high level of security and compliance for IoT. Best practices embody five essential steps:
1. Schedule context-aware updates—IoT upgrades, critical for security, have always meant downtime and delay. Waiting for an update window lets insecure IoT devices remain in service. KernelCare live-patching offers a solution by automating the update and applying it to a running kernel.
2. Set up encrypted communication channels—Communications between the IoT admins and the devices in the field needs to be encrypted. While this may sound like an obvious countermeasure, it is actually common for IoT admin and security work to be conducted in the clear.
3. Develop an adaptable IoT network—All elements of the IoT network must scale as a whole. Automation is critical to attaining this goal. The networks must be able to adapt automatically and efficiently. Otherwise, it will start to break down, causing IoT services to slow down or fail altogether.
4. Use firewalls—Although IoT networks are usually outside the main corporate network, organizations should still set up firewalls to protect sensitive segments of the IoT network. KernelCare subscribers who require a dedicated patch server inside a secure, firewalled environment can receive help in setting up our ePortal to administer it.
5. Anticipate consumers’ roles and use cases—An organization’s customers may use IoT devices differently from the way they were originally planned. For example, a user might install Wi-Fi components on the device, leading to an incompatibility with the device updating process.
The IoT needs to be kept secure, for its own sake as well as to protect the organization’s digital assets. The challenge is to install much-needed patches to IoT devices without interruptions and downtime associated with rebooting. KernelCare enables admins to use live-patching systems to patch Linux kernels in IoT devices without interruption of ongoing processes of embedded devices.