What is Security Implications & Tutorial? Defined, Explained, & Explored

Last updated on 08th Jul 2020, Blog, Tutorials

• Another thing to consider are the security implications of high availability clusters. For technical or political reasons, it may be necessary for certain virtual machines to never run on the same host system. This could be due to security policies, for example, the HR resource must be isolated from other systems, or for technical reasons, such as not running all of your domain controllers on one host server since a failure could cause the entire domain to become inaccessible.

• In the case of a failure, the high availability cluster could potentially bring virtual machines online on hosts they otherwise should not be running on. Some vendors can mitigate this by utilizing affinity and anti-affinity rules when making a high availability decision. Affinity rules define which virtual machines can be run together on the same virtualization host and in some cases may even require that the virtual machines be located together as a group. Anti-affinity rules are just the opposite; they define groups of virtual machines which should never run together on the same host. For example, you may be able to configure the domain controller virtual machines with an anti-affinity rule so that you never have the domain controllers running on the same virtualization host. While this may meet your security requirements, there is a delicate balancing act that must be performed. If you have an anti-affinity rule in place and the only place that a virtual machine can be recovered to run is on a virtualization host that the anti-affinity rule prevents from occurring, rather than bringing the virtual machine online it will stay offline in order to adhere to the anti-affinity rule.

• The ultimate question that needs to be asked is whether it is more important for a virtual machine to remain isolated or to be brought online in less than ideal circumstances. If the answer is that security is the most important aspect, then your high availability implementation may not provide the protection you expect in certain circumstances. If it is more important that the virtual machine be running, then high availability can accomplish the goal, but you will want to make sure that the virtual machine is migrated to a host in order to provide the required separation at the earliest available time.

• High availability is also frequently used to provide protection for virtual machines and resources by ensuring that the virtual machine remains operational as much as possible. While high availability can certainly help the overall security posture of an organization, it shouldn’t be viewed as something to replace other defensive methods. If a virtual machine is compromised, all that high availability ensures is that the compromised virtual machine stays online and operational. You still need to implement traditional security and defensive mechanisms such as anti-virus and malware protection, intrusion detection/prevention, and firewalls.

Implications of IoT Security in Construction

• The security of IoT implementations continues to be the leading impediment to deploying IoT initiatives in the construction industry. In addition to a reliance on mobile devices such as smartphones and laptops, the construction industry is increasingly adopting new technologies like IoT to improve productivity, efficiency and safety. IoT sensors are useful because they provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. Additionally, IoT sensors can be used to access data, the causes of physical malfunction of physical infrastructure, building information modeling (BIM), digital twins and geographic information systems (GIS).

• Integrated project delivery through IoT technologies opens a world of safety, training and efficiency opportunities, but also increases vulnerabilities of attacks from malicious actors. The characteristics of the construction industry make it a challenging environment to implement ubiquitous technologies like IoT. First, the construction industry’s workforce is fluid; many construction industry employees work in the field — using laptops, smartphones, and tablets — rather than traditional office environments. Second, reliance on subcontractors can present unique challenges, including training. Finally, the completion of any project typically involves dozens of companies the sharing of vast quantities of confidential data including bids, blueprints, employee records and financial information.

• Forward-looking construction companies now rely heavily on cloud infrastructure to manage project blueprints and sensitive customer data needed for multi-million-dollar projects across wide geographical areas. As the adoption of IoT technology continues to grow rapidly, security teams have to consider new approaches to detect stealthy insiders and respond to sophisticated threats across a dispersed digital infrastructure. In addition to the worksite challenges faced by construction companies, additional hurdles include the lack of adequately skilled staff, inadequate budgets and change management issues. In particular, top management in the sector underestimates the threats and risks that arise because of IoT deployments. They lack guidance on particulars and scope to enable them to assess threats and manage risk.

IoT devices aren’t standardized

Unlike, say, Microsoft – which provides a standardized and consistent environment – IoT devices run on a variety of different Linux kernels, each of which are purpose-built and have limited storage space, memory size and computing power. This makes it difficult to install security software or an endpoint monitoring agent.

IoT devices reside on customized firmware

IoT device manufacturers customize their firmware to their own specification, often outsourcing firmware development to a third party. This means that any monitoring agent would have be passed on to the third party for integration into the firmware, which might also cause instability issues within the IoT device itself. This is again down to the wide gamut of Linux kernel usage – different kernels will have different quirks and feature support, and many IoT devices are not designed with firmware upgrades in mind.

The road to securing IoT

There are many ways in which future IoT devices can be made more secure. Designing them with security in mind, having the compatible hardware specifications, and using a suitable operating system kernel that is compatible with an endpoint agent would be a start. Even better, they could be designed to perform automated integrity checks and record the status to a server.

However, while many larger technology manufacturers are currently sharing plans for how to secure future IoT devices, at the time of publication no one has yet made a public commitment. So, how can companies provide security for devices that are inherently insecure?

Considerations when adding IoT devices to your network

In the absence of direct monitoring, there are a number of actions that organizations can take to manage IoT device security.

 1.     Always change the password

It’s so simple, and yet so often overlooked. But most IoT devices are compromised through default credentials – or lack of authorization completely.

2.  Know which devices are on your network

The age of BYOD (bring your own device) creates better convenience for employees, but – in many enterprises – can put thousands of unregistered devices on your corporate network. Doing an audit of personal devices or creating a separate WiFi network for non-corporate devices is one way around this.

3.  Deploy threat hunters for log and network analysis

At its core, threat hunting is the process of actively seeking out potentially malicious activity on an IT estate. It relies on the intuition and savvy of experienced people who channel the attacker mindset in order to predict and prevent an attacker’s next movements. Threat hunters can be deployed to monitor the IoT doors through which a threat actor might enter, including logs, network data, cloud servers, and more.

4.  Have a tried-and-tested incident response plan

It is widely accepted that, for most organizations, being compromised by threat actors is not a case of if, but when. Having a plan for how to respond to all eventualities regarding a breach – including isolation, investigation, and remediation – is essential to mitigating the damage an attack can cause.

IoT Risk Management and Best Practices

The first step in managing cyber risk is to identify sources of potential risk. Construction companies should conduct audits that gauge employee access to and use of critical and sensitive data, including personally identifiable information and proprietary corporate assets. This audit should determine who has access to such information and critical systems and take stock of existing capabilities for monitoring inappropriate system access and potential security events.

Once completed, businesses should develop formal, written policies regarding the use of corporate networks, and ensure that access to sensitive data is restricted only to parties that require it. While IoT security practices are still evolving, a set of best practices is emerging:

1. Security From Start to Finish

Make IoT security inherent in the IoT process from the start. Use hardware that incorporates security features beyond encryption or physically secure critical technologies. Laptops, smartphones, tablets and portable media devices — along with emerging technologies that are often present on construction sites, such as wearable devices — can present significant data security threats if lost, stolen or hacked.

2. Prioritize Security Across Teams

Make security a priority for everybody involved with the organization. Educate, share and discuss IoT security best practices. Stay abreast of developments in IoT security and regularly update employees, partners and vendors on how to identify, avoid and report potentially malicious activity on corporate networks. The most effective way to handle IoT security is to treat it as a journey; be smart and proactive when it comes to IoT risks. Make security a top priority for everybody in the organization as well as outside partners and vendors. Don’t be naive and appreciate that there are many reasons somebody would hack your IoT solution ranging from thrill, political statements, an act of war or terror, expectations of financial gain by stealing data or trade secrets for competitive advantage, hobble you as a competitor, disrupt your business strategy or an employee attempting to exact revenge.

You should reward users who find and report bugs especially defects likely to expose zero-day exploits. The construction industry is heavily decentralized and involves several stakeholders. Without thorough and regular training and buy-in from all personnel, even the most robust cyber risk management plans can be rendered ineffective. Businesses should also implement strong internal controls, including the resetting of passwords every 90 days, multi-factor authentication and randomized default passwords.

3. Monitor and Upgrade Your Infrastructure

Use the most current operating system and libraries with updated firewalls and security patches. Despite the added expense, investing in a robust set of firewalls that require user authentication can be beneficial. Businesses should also institute secure file sharing, advanced email and web filtering and separate WiFi networks for subcontractors, architects and engineers. Use automatic updates to fix and patch bugs and vulnerabilities in field devices.

4. Continually Evaluate Your Vendors’ Vulnerabilities

Closely monitor third-party risk. Assess the cybersecurity processes of any third parties that access or retain critical data. Seek to build favorable hold harmless agreements into contracts with third-party vendors. Also, establish procedures to evaluate any third-party service providers (if applicable) and, as discussed, review their agreements, limiting as much liability to your company as possible, and assess their cybersecurity processes.

5. Have a Contingency Plan

Develop detailed data breach response plans. Planning can enable an organization to act swiftly, decisively and effectively to minimize damage from a breach and any resulting claims or regulatory actions.

6. Cyber Insurance is a Real Thing

Purchase cyber insurance. A cybersecurity breach is not a matter of if but when. Having insurance coverage against cyberattacks makes business sense. Understand that IoT doesn’t have a security silver bullet. The scope and variety of IoT solutions effectively prevent the emergence of faultless security defense. IoT technology is fluid, the solutions are continually evolving and so too are the threats and attack vectors. IoT solutions are constantly evolving and so should your IoT defense strategy. While cyber insurance policies have historically been most often associated with data and privacy breaches, today’s cyber policies cover the failure of technology and the resulting interruption or loss of revenue.

7. Implement Consistent Authentication Schemes

Be smart and practice good cyber hygiene practices: use secure passwords from password generators and implement multi-factor authentication among other standard security measures. Most security breaches take advantage of well-known vulnerabilities that haven’t been addressed despite ample alerts and most attackers are known to you: employees, contractors or partners.

8. Systems Are Only Secure if Their Security Is End-to-End

Deploy end to end security, from the device to the cloud. Collaborate with partners and vendors as a security strategy. Choose the best partners and build security into your IoT ecosystem from the start e.g. Darktrace, Intertrust, Device Authority, Sectigo, Rubicon Labs, Kudelski IoT Security, Patreon, Ockam and Blackridge Technology are IoT security-focused companies among others. IoT security isn’t something you should tackle alone. Find and collaborate with partners inside and outside your organization. Extend IT security architecture to OT and then augment it with specific security needs, issues and concerns in mind.

9. Learn From the Industry

Go to IoT security conferences, especially events where your peers showcase practical implementations being deployed and share best practices.

10. Use Security Standards Across the Stack

Adopt industry-supported standards everywhere they’re available. Treat proprietary solutions with caution. Be guided by standards bodies and trade associations. E.g. IEEE, ITU Study Group 20, oneM2M Consortium, IIC, Open Connectivity Foundation, Open Fog Consortium, etc. The IoT industry is increasingly coming together to drive common security standards and best practices.

11. Trust Security Veterans

Seek top management support for security initiatives. Make them aware that IoT security is another business-critical challenge they need to consider.

12. Automate Security

Automate and monitor IoT security end to end. Manual efforts cannot keep pace with the volume of events in an IoT ecosystem. Co-create solutions with IT vendors to expand software capabilities to handle IoT security vulnerabilities.

How does the IoT influence security?

Threats to IoT systems and devices translate to bigger security risks because of certain characteristics that the underlying technology possesses. These characteristics make IoT environments functional and efficient, but they are likely to be abused by threat actors.

These characteristics include:

• Gathering of abundant data. IoT sensors and devices gather highly detailed data from their environments and users. This data is necessary for the IoT environments to function properly. However, this data could mean several cascading negative effects if not secured or if stolen or otherwise compromised.
• Connection of virtual and physical environments. Many IoT devices are capable of functioning on the data they receive from their respective environments. This ability shortens the distance between virtual and physical systems. But while convenient for users, it can allow cyberthreats to translate to physical consequences more quickly, thereby generating a greater impact.
• Creation of complex environments. Complex IoT environments can now be created thanks to the growing availability and diversity of devices. “Complex” in the context of the IoT means that enough devices are working in a single IoT environment that dynamic interactions between its devices are possible. This complexity expands the capabilities of an IoT environment, but at the cost of a wider attack surface.
• Centralization of architecture. Applying a traditional centralized architecture to IoT systems can have a detrimental effect on security. A centralized architecture means that the data gathered by each device and sensor will be communicated to a base station. In an enterprise, the main database could be the very same one used by thousands of devices that gather an astonishing amount of data. This may be less costly than separate databases, but it comes at the risk of a wider attack surface that is intricately connected to a single root.

What are the attack surface areas of the IoT?

As part of its Internet of Things Project, the Open Web Application Security Project (OWASP) has published a detailed draft list of IoT attack surface areas, or areas in IoT systems and applications where threats and vulnerabilities may exist. Below is a summarization of the IoT attack surface areas:

• Devices. Devices can be the primary means by which attacks are initiated. Parts of a device where vulnerabilities can come from are its memory, firmware, physical interface, web interface, and network services. Attackers can also take advantage of unsecure default settings, outdated components, and unsecure update mechanisms, among others.
• Communication channels. Attacks can originate from the channels that connect IoT components with one another. Protocols used in IoT systems can have security issues that can affect the entire systems. IoT systems are also susceptible to known network attacks such as denial of service (DoS) and spoofing.
• Applications and software. Vulnerabilities in web applications and related software for IoT devices can lead to compromised systems. Web applications can, for example, be exploited to steal user credentials or push malicious firmware updates.

How can the IoT be secured?

As can be inferred from the aforementioned IoT attack surface areas, all of the major components of IoT systems can be exploited. Security should therefore be a priority in building and maintaining IoT systems. Regardless of the scale or the type of environment an IoT system is built into, security should be considered from the design phase to better integrate it in every aspect of the system — it should not be a mere accessory. In this way, the IoT system, from its individual devices to its overall configuration, can be tailored to be both functional and secure.

Here are some other security guidelines to consider:

• All data being gathered and information being stored should be accounted for. Every single piece of data and information circulated within an IoT system should be mapped accordingly. This does not only refer to what is gathered by the sensors and devices deployed in the environment, but it also refers to any possible credentials in automation servers or other IoT applications.
• Each device being connected to the network should be configured with security in mind. Secure settings should be ensured before connecting a device to the network. This includes using strong username and password combinations, multifactor authentication, and encryption.
• The organization’s security strategy should be built on the assumption of compromise. Although avoiding breach and compromise is important, acknowledging that there is no perfect defense against evolving threats can help in creating mitigation protocols that can significantly contain and reduce the effects of a successful attack.
• Each device should be physically secured. It is important to also take into account the physical accessibility of IoT devices. If an IoT device itself has no physical safeguards against tampering, it should be kept in a restricted place or secured with the appropriate locks or other tools. IP cameras, for example, can be tampered with directly if a cybercriminal reaches them. They could be implanted with malicious hardware or software that could cause system failures or spread malware.

Conclusion

Like all businesses, construction companies must adopt a robust cybersecurity risk management strategy and take the time to understand the exposures associated with IoT deployments. IoT technology can be a source of strength, but any breach or technology interruption that disrupts critical workflows and operations can lead to project delays and substantial losses for the business and other project stakeholders. However, security is not a technology issue. Deploying IoT means your organization is becoming a digital enterprise which needs an integrated, companywide security strategy and risk management plan that involves employees at every level. More emphasis has to be placed on security policies, best practices and tools that autonomously prioritize, contain and defeat attacks based on sound risk management as part of everything the company does.

Separation of systems or staying offline as a security strategy is no longer imaginable and neither is it the most effective approach of operating a modern business. Without seamless interoperability and integration, there is little improvement in business outcomes and hence no reason for IoT.