Testing, testing – securing the IoT is vital
Suresh Srinivasan, Virtusa
The IoT is set to have significant impact on the way we do things today; at home, at work, while shopping, even in manufacturing and medicine, writes Suresh Srinivasan, the director of quality assurance for Virtusa.
To prepare for networks of devices, sensors and actuators communicating in short and medium range protocols – security must be a paramount consideration. Not least because the increased number of decentralised entry points will be more vulnerable and each point of information entry needs to be made secure.
As the device and sensor population grows there will be several manufacturers competing to offer solutions, which may compromise security effectiveness. Regulatory standards and governance must be made clear and transparent to every user who brings in risk, especially if they opt to use cheaper and potentially unsecure devices. Even if a device network is in a physically compromised location, there should be stringent monitoring to sense intrusions.
Testing is key to security
Security testers must validate the design, the quality of sensors, the devices and the applicable standards. This kind of static inspection must be made mandatory at the outset of any project consideration. Sensor networks, real-time data collection applications, middleware, interfaces and M2M protocols are just a few variables that could bring in more injectable points and new security threats. Security tests at the device and protocol level are where issues can be detected at source.
No matter how great these security threats might be, they are in no way going to stop the growth of IoT. Implementation standards however, will become stringent, as increasing security at all layers will be a huge, yet mandatory investment. Security threats, though a formidable task, are manageable with the right approach. Lest we forget that not too many years ago mobile apps were considered too insecure and now we use them for a whole host of critical transactions – this was made possible only by testing the systems for security at all layers.
Test driven development
End-to-end testing plays a major role in establishing IoT security by simulating vulnerabilities at possible entry points. The strategy of “Test Driven Development” (TDD) is the preferable approach. This will help to define vulnerable scenarios early on, by examining the architecture. A vulnerability map should be developed during the design stage, the device selection and the ‘gates’ can therefore be made strong, according to those vulnerabilities.
There are two additional layers that IoT adds to systems, typically the devices layer and data collection layer, where a potential security breach could happen – given they may be accessible easily by public. In these kind of conditions, data validation looking for specific patterns in real-time, before it could reach the database, can prevent any malicious data entering the system. Penetration tests and data injection tests are very important when we use these short range protocols to form a network, and real-time data pattern monitors can be deployed to test the data passing through and raise alarms if there is a breach.
Real-time security is essential
Considering a huge network of devices spread across many geographical locations, the data feed in real-time from the devices finally need to flow through few common points. If the data quality can be ensured at these points it becomes immaterial to handle any IoT implementation of any size. There will not be any issues in terms of security even if we scale up multifold and keep adding multiple locations. If the data verification standard is established as above, there is no need to bother about installing the devices and actuators in any place.
In addition to the above we also require the closed loop monitors doing the job of comparing the real-time changes in the final output against the value sent to the actuators. There could be a situation where the output data could be overwritten by a hacker to damage the system. So there needs to be a constant real-time check deployed between the data exit point to the actuator verses the real output out of the actuator action.
Security as standard
A reliable and secure network will help us to standardise the backbone of these systems that will enable the IoT. It’s important to remember though, that network performance cannot be sacrificed for the sake of security, as we are dealing with real-time updates right across the network and managing huge data sets. Performance therefore, is still critical. In order to achieve this, a strategic approach to planning the working of the system is needed.
There must be a real-time monitoring system in place to detect that will detect and prevent anomalies right at the time they occur. Overall, to succeed with the implementation of the IoT, standards and best practices need to be put in place early on, and supported with a very robust auditing process. If done properly, there can be very good progress in this space while achieving the objectives of IoT implementations.