The vast amounts of data created and transmitted within our modern Internet of Things are perceived as weightless, as they are transmitted over the air and from server to server within milliseconds.
However, most conversations about security within the enterprise revolve around software-centric solutions to protect data stored on servers in data centers from cyber threats. Powerful firewalls and security solutions are deployed on endpoints that access the network, as well as on servers in data centers and in cloud environments. A large portion of the focus is on the virtual world that serves these data centers and the cloud.
Despite this, there exists a massive blind spot – the physical machines that process, transmit, and store this weightless data. Security for IoT hardware must be implemented in the physical space where the hardware resides. If physical machines that process, store, and transmit data for a cloud-based network are left unsecured, then the entire cloud network is at risk.
The Internet of Things is uniquely vulnerable due to its physical distribution. Most enterprise servers today sit within data centers that have excellent climate control, round-the-clock security guards, video monitoring, and a single entry point requiring a badge to gain access. In contrast, IoT systems are widely distributed and can easily be left unsecured in many situations, residing on factory floors, in homes, or in public spaces.
This physical distribution means that IoT systems are easily compromised by unauthorized personnel and, often, by third parties who provide services within a facility, or by individuals who work in facilities where such devices have been deployed. A single device can pose a serious threat to an organization's security if it is physically accessible to the public or to vendors that service the organization.
The realities of hardware tampering pose a significant threat to IoT security. Asset theft poses merely a financial risk, but the often silent attacks on intellectual property through manipulated firmware or large-scale data mining and the subsequent misuse of the harvested information can have devastating consequences.
Open ports and physical interfaces, such as USB and serial ports, on industrial hardware are another serious concern and should be disabled. Physical protection of industrial hardware is also critical. A tamper-resistant enclosure, along with tamper sensing and a corresponding action, such as a cryptographic wipe of the device's data, can go a long way toward preventing serious damage from physical compromise of industrial hardware.
Legacy systems that have reached the end of life can still pose a risk to an organization's security. Companies must create a physical security strategy that spans three areas of an organization's operations: the physical device, the physical device's chain of custody, and the device's physical lifecycle.
To secure distributed physical hardware, companies must harden the physical device, secure the chain of custody, and ensure responsible lifecycle management. This includes physically destroying outdated hardware to ensure that any residual data is permanently unrecoverable.
A holistic framework for IoT resiliency requires integrating physical security with the security program for distributed hardware systems. Regular physical security audits and monitoring of physical security anomalies are also necessary to ensure the security of IoT systems.
As IoT continues to proliferate and reach the scale of billions of endpoints across the globe, securing the data flowing through these endpoints will be a challenge unlike anything seen before. Securing the network these endpoints connect to will require securing the machinery that runs it.