David Whitelegg | Updated September 4, 2017 - Published September 30, 2015
Innovation, efficiency, and cost-savings are driving the rapid emergence of the Internet of Things (IoT). Away from the media limelight of smart home appliances and wearable gadgets, IoT is revolutionizing business operations within every industry sector and is a proven game changer within logistics, warehousing, production lines, pipeline transportation, and traffic management. The networking and remote control of connected devices is providing new levels of productivity and new information management capabilities.
For example, Continental Tires previously relied upon handwritten notes to find carts of rubber within its large tire production plants. Staff often found it troublesome to locate the carts, which translated into costly production delays for the business. The problem was solved with IoT technology, which allowed the carts to be directly integrated and connected with the business inventory management system over a wireless network. Staff using a mobile device app could locate any of the carts in the large plant in real-time, while the plant management team could know each cart’s contents and the time involved in moving carts from their current locations to the production lines, allowing management to improve the efficiency of plant production exponentially.
Another example is the Kenya Pipeline Company, which upgraded its pipeline infrastructure with connected IoT devices that could sense oil pressure levels, temperatures, and flow speeds. These simple networked devices not only provided real-time metrics and alerts to the operational management team, but also sensed and automatically reacted by shutting down the pipeline when oil leaks were detected. Whether the leaks were caused by accident or by oil thieves, the fast detection and response saved the company millions of dollars and limited the environmental impact caused by any leaks by instantly closing oil flows to compromised pipes.
This new age of IoT connectivity, data collection, and management of physical world objects introduces new security risks, from sophisticated automated cyber attacks to hackers who are hell-bent on stealing data and causing havoc. The security of IoT devices is heavily dependent on the software and applications that are used to manage them, which puts software developers on the cyber front-line and which requires that they know how to develop secure IoT applications.
This article outlines the best practices for secure coding techniques and security functions that will help development teams to produce resilient IoT applications that mitigate IoT security risks.
IoT devices, like all networked computers, are attackable, either directly over the network to which they are connected or indirectly through the applications that control them. Hackers target IoT devices for several reasons. Cyber criminals seek to profit by gaining control of IoT devices to steal data, blackmail the business, or use the IoT devices to perform massive Distributed Denial of Service (DDoS) attacks on behalf of paying customers. Nation-states are known to target IoT devices involved with critical national infrastructure and for espionage. Some hackers just enjoy causing chaos for community kudos and self-worth. Even cyber terrorists are taking an interest in attacking IoT devices, because it is more than conceivable that some IoT cyber attacks could cause real world damage, including injury and death. Consider these examples of IoT cyber threats:
What can we learn from these IoT cyber threats? The application layer of an IoT device provides the largest attack surface for hackers. The application layer includes any application that has connectivity with the IoT device, which can include local web applications, cloud-based applications, and smartphone or tablet apps. Therefore, application security must be an intrinsic part of the software development lifecycle (SDLC) for all IoT applications, particularly within the design, development (code writing), and testing stages.
Within the planning or design stage of an IoT application, there must be a formal “top to bottom” assessment of the planned application’s security and privacy requirements. IoT application development requires a “Security by Design” approach. This approach means considering the security requirements of all the IoT application functions as part of the design stage, rather than assuming and applying security features later in the development process. Like any other bug or issue, it is more expensive and takes longer to correct security issues in later development stages. Therefore, at the application design phase, it is imperative to consider and plan for all the possible security requirements for the IoT application.
Within the design stage, review the security requirements for your IoT application by completing a security requirements review.
Where IoT applications collect, store, and process personal data, they need to do so in compliance with the data protection and privacy laws that apply. Data privacy laws can have various degrees of stringent requirements depending on which country the citizen’s data belongs to. A privacy impact assessment is required to ensure the applicable laws are adhered to by the application and IoT device, including any cloud and third party storage or processing of personal data.
Many different application types can control and manage IoT devices, such as cloud-based and local web applications, mobile applications, and the software that runs on the IoT device itself. The Open Web Application Security Project (OWASP) is an organization that focuses on how to improve the security of software. This organization has an Internet of Things Project, which brings together the unique aspects for IoT security. They are currently drafting IoT Security Guidance for manufacturers, developers, and consumers.
Web applications are commonly used to manage IoT devices. Whether the web application is intended to be hosted directly from the IoT device, from an internal network server, or in the cloud, the development (coding) of those web applications must adhere to web application security development best practices, such as the OWASP Top Ten. The approved 2013 list is currently under review, with an update planned for late in 2017.
A common mistake with IoT web application development is to not diligently secure private-network web applications to the same degree as public-facing web apps. Internal networks can be compromised, however, and become untrusted environments. Therefore internal-facing web application vulnerabilities can be exploited by hackers and malware.
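The mistake described above, as an added example that is not from the original article: a hypothetical device-management endpoint that skips authentication for private-network callers, next to a version that requires a signed token from every caller. The function names, token format, and key are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

# Constructed demo key (assumption); a real deployment loads it from a secret store.
SERVER_KEY = b"demo-key-not-for-production"


def _mac(user: str, expiry: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, ttl_s: int = 300, now: Optional[float] = None) -> str:
    """Return 'user|expiry|hex-mac', signed with the server key."""
    expiry = str(int((time.time() if now is None else now) + ttl_s))
    return f"{user}|{expiry}|{_mac(user, expiry)}"


def token_valid(token: Optional[str], now: Optional[float] = None) -> bool:
    """Verify the MAC in constant time first, then check the expiry."""
    if not token or token.count("|") != 2:
        return False
    user, expiry, mac = token.split("|")
    if not hmac.compare_digest(mac.encode(), _mac(user, expiry).encode()):
        return False
    return int(expiry) > (time.time() if now is None else now)


def authorize_trusting_lan(remote_addr: str, token: Optional[str]) -> bool:
    """The mistake: callers in private address space skip authentication,
    so malware on a compromised internal host can drive the device."""
    if ipaddress.ip_address(remote_addr).is_private:
        return True
    return token_valid(token)


def authorize(remote_addr: str, token: Optional[str]) -> bool:
    """Hardened: the source address grants nothing. remote_addr is kept
    only so the caller can log it; every request needs a valid token."""
    return token_valid(token)
```
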
Consider these secure coding tips for IoT web applications:
incorrect user password
Mobile IoT applications, specifically smartphone and tablet apps, are actively targeted by hackers. The same secure coding techniques that are used with web applications are also required when you develop mobile IoT apps. However, additional application security considerations, such as mobile device authentication, telecom and SMS data communications, and further privacy risks, do exist.
Consider these secure coding tips for IoT mobile device applications:
In addition to the secure application techniques already covered, you have a few additional considerations in the development of software that will operate on IoT devices, such as firmware usage and access control of physical interfaces.
Consider these secure coding tips for IoT device software:
Code reviews might appear to be a costly and time-consuming addition to the SDLC, but they can pay big dividends in avoiding costly retesting, avoiding post-release security patches, and avoiding damage to your reputation by having an insecure IoT application compromised. In addition to code reviews in the development stage, the test stage of SDLC must include intensive security testing, which needs to be specific for each IoT application type.
Performing vulnerability scans and penetration tests to detect software security flaws is a vital final step to take before you release IoT applications. Testing the application code catches common application vulnerabilities, such as SQL injection, cross-site scripting, cross-site request forgery, and buffer overflows, before release.
Consider these security testing tips for IoT web applications:
Use a specialized mobile application vulnerability scanning tool, such as IBM Application Security on Cloud, which is specifically designed to security test mobile applications. IBM Application Security not only detects mobile device application vulnerabilities, but also shows developers each vulnerability in detail, along with the level of risk and solutions to address the vulnerability.
IoT device software must be subjected to testing by security professionals and companies that specialize in finding vulnerabilities in IoT device software.
The development of secure IoT applications can push development teams outside their traditional comfort zone. Taking the time to analyze security functions and privacy requirements in the planning or design stage pays big dividends in developing a secure IoT application over the long term. By performing a code review with IBM Security AppScan Source in the development stage, developers can detect and correct code vulnerabilities early in development, which is more efficient than detecting and correcting vulnerabilities at the testing stage. While in the testing stage, development teams need to replicate the application layer attacks that hackers perform by using tools like IBM Security AppScan and IBM Application Security on Cloud. AppScan includes helpful video tutorials, explanations of vulnerabilities, and secure coding examples that all educate developers to improve their secure coding techniques and their confidence in writing secure IoT applications.
These development techniques benefit development teams by reducing overall development time and cost and by significantly reducing the likelihood of IoT application vulnerabilities. Application vulnerabilities that are discovered in IoT applications after their release, especially when discovered by a hacker, tend to be costly to resolve, and might even prove damaging to both the business and to the development team’s reputation.
The articles in this series describe a solution-based approach to minimizing security risks in IoT applications by using services that…