Recent movements on IoT Security About protection of customer information of Newsletter

IoT security that attracts attention again

IoT data collection and utilization are progressing, and the market is expanding.By collecting and analyzing information using sensors and cameras, for example, to understand the slight problem of factory equipment, predict failure, or understand the congestion status and human movements in the city to use it.Is attracting attention.It is expected that a large number of simultaneous connections will be realized by 5G, and more and more IoT devices will use more information.On the other hand, there are also security issues unique to IoT, and the problems are growing.In this paper, I would like to introduce recent trends and issues in IoT security, efforts of each country, and trends in services and technology.

Security issues in IoT

Unlike PCs and smartphones, devices used in IoT systems have restrictions on security measures.This has led to a security issue unique to IoT.

The first is the restriction of equipment capabilities.Compared to conventional devices such as PCs and smartphones with IoT devices, PCs and smartphones have relatively large capacity and processing capacity of devices, added software with virus measures and firewall functions with security functions at OS levels.It is possible to introduce it.If a vulnerability is found in a form like a Windows Update, it can be updated later.On the other hand, IoT devices such as sensors and cameras may have relatively small equipment capacity and processing capacity, and may not have a security function or software update function.

Second, the difference in the life cycle is also an issue.PCs and smartphones have a relatively short life cycle.This means that vulnerabilities and software are unlikely to be left forever, and can be naturally replaced with new devices and software.The opposite of IoT devices, the life cycle of the device and software tends to be relatively long, that is, it may continue to be connected to the network with vulnerabilities.As a third task related to this, PCs and smartphones can expect shutdowns and restarts at various timings, but IoT equipment is likely to be used at all times, and there is a problem.There is also a possibility that it will be used as it is.

In addition, the fourth is that it is difficult to notice when abnormal occurrence is also an issue.Many IoT devices do not have a screen that displays the situation or informing the operating status, and it may take some time to notice problems such as errors and slow movements.

Another issue is the increase in terminals and the complexity of the system.Against the backdrop of the expectation of IoT utilization, the number of IoT terminals connected to the network has increased rapidly, and Gartner, a research company, has 2020 million terminals connected to the network, in 2021.It has announced that it will exceed 25 billion units.There is a concern that these are vulnerabilities and are used to steal cyber attacks and information.With the increase in the number of terminals, the system has become more complicated, which leads to an increase in the possibility of invading.

Recently, the risks of "shadow IoT", which are not "Shadow IT", that is, the risk of untrained IoT has been pointed out.In "RSA CONFERENCE 2019" held in San FranCisco in March 2019, a survey on IT administrators responded that more than 1,000 "shadow IoT" equipment was connected to a corporate network.It was introduced.

Increase the number of attacks and targets, sophisticated attacks

With the increase in vulnerable terminals and the complexity of the system, the number of attacks and sophistication are increasing.

According to the National R & D Corporation Information and Communications Research Organization (NICT), the cyber attack -related communication observed in 2018 was about 1 compared to 2017..It is four times, and the rate of increase is increasing compared to last year.Above all, the number of attacks aimed at vulnerabilities in IoT devices is increasing, and about half of the total is considered to be an attack aimed at the vulnerabilities of services and devices that operate with IoT devices.

FIG. 1 (Fig. 1] Number of annual observation packets perIP address (Source: NICT Cyber Security Research Institute "NICTER Observation Report 2018" (February 2019))

FIG. 2 (IoT devices are included in OTHER as well as 23, 80, 22, etc.) (Source: NICT Cyber Security Research Institute "NICTER Observation Report 2018" (2019 2, 2019 (2019 29) Moon))

The advancement of the attack is also progressing.In the latter half of 2016, a big attack caused by the malware "MIRAI" became a global problem, but recently, "login attacks using default ID/password" and "large using vulnerabilities of IoT equipment".In addition to "scale attack", it is used as a stepping stone by attacking to repeat permanently and long -term infection (it does not disappear even if the equipment is turned off), and other devices behind the IoT device.The attack is becoming more advanced and powerful, such as attacking.

In addition, there is a tendency to be targeted for attack targets and those that are more affected when they are more damaged.Not only IT, but also an OT using IT (operational Technology (control / operation technology for optimal movement of products, facilities, and systems required for social infrastructure) and threats to important infrastructure using OT has become an issue.ing.In the case of an OT, if an attack causes a failure, for example, a system or a serious physical damage to the human body, such as power generation or railway operation, may occur.Under such circumstances, the use of IOT (IIOT: Industrial IoT) in OT is progressing.Attacks with vulnerable IoT devices inside and outside could lead to serious problems.

Overseas response

In efforts in each country for such problems.

In the United States, on March 11, 2019, IoT Cybersecurity IMPROVEMENT Act was submitted to the upper and lower homes.The content regulates the federal Fivevernment to procure non -secure equipment, including the ban on vulnerabilities and hard coding.

At the state level, in California, a state law on IoT security (also called the "Password Law") was established in September 2018, and will be enforced in 2020.This is also dealt with the issues caused by the password of IoT devices, prohibited from providing a common default password, and requires users to seek new password settings.However, the effectiveness is unknown because the target is limited to devices produced in the state.

In Europe, ENISA (EUROPEAN UNION AGENCY FOR CYBERSECURITY) is promoting a security policy on IoT.In September 2018, a short paper entitled "For secure fusion of cloud and IoT*[1]" was issued, and the security issues and important things that the providers of IoT devices and cloud services should consider.Presenting points.Furthermore, in May 2019, "Industry 4.Publish 0 - issues and recommendations in cyber security*[2] ".He describes security measures and recommendations in 0 and Industrial IoT.Also, in June 2019, the EU CyberseCurity Act came into effect.This is one of the purposes of establishing a cyber security authentication scheme, and its scope contains IoT.In the same law, it has been pointed out that IoT is more likely to be used, but that "there is no consistent comprehensive approach to horizontal cyber security issues in the field of IoT".。

The UK is also actively taking measures. The UK Digital, Culture, Media and Sports Ministry (DCMS) summarizes 13 guidelines that can be practiced by manufacturers to ensure safety at the development, manufacturing and sales stage of IoT products for end users. , It was announced in October 2018. Its features are that we emphasize that we do not take over excessive responsibilities to reduce the burden on the security of IoT users. David Rogers, a DCMS advisor who spoke on the RSA Conference 2019, explained that it is not the user's responsibility to manage port 23. This guideline is made with emphasis on international cooperation and harmonization, is also based on GDPR, and is also characterized by the provision of Japanese language versions (including Japanese) (Fig. 3).

【図3】UK’s Code of Practice for Consumer IoT Security（出典：David Rogers Mobile Technology, Cyber Security & Standards Adviser, Department for Digital, Culture, Media & Sport (DCMS), UK“Changing the World with the UK’s Code of Practice for Consumer IoT Security”(RSA Conference 2019, San FranCisco, CA, Mar 4-Mar 8, 2019））

Japan's support "Notice"

The response is being promoted in Japan.In October 2017, the Ministry of Internal Affairs and Communications published the "IoT Security Measures" and in May 2019, a "Progress Report," summarizing its progress and future initiatives.The Ministry of Economy, Trade and Industry also includes measures against IoT devices in improving supply chain cyber security measures.

"IoT security measures" is five pillars ((1) development of systems related to vulnerabilities countermeasures, (2) promotion of research and development, (3) promotion of security measures in private companies, etc., (4) strengthening human resource development.(5) Promotion of international cooperation).Investigating devices that may be abused by cyber attacks, which are being promoted as "developing systems for vulnerability measures", and alerts users through telecommunications carriers.The initiative is "Notice"*[3].

This has been conducted by NICT since February 20, 2019 based on the revised Information and Communications Research Organization, and is specifically implemented as follows.

Fig. 4 (Source: Ministry of Internal Affairs and Communications, NICT presentation material "IoT equipment survey and alerts to alert users" HTTPS: // www.soumu.Five.JP/Menu_news/S-NEWS/01CYBER01_02000001_00011.html)

The target device is an IoT device that can be accessed from the outside on the Internet by the global IP address (IPv4), and is specifically referred to as routers, web cameras, and sensors.Generally, it is said that the survey is not subject to a smartphone used in a mobile phone line or a PC that is connected to a wireless LAN router, except for some exceptions.

According to the site of "Notice", 34 companies*[4], including NTT DOCOMO, etc., as as of July 5, 2019,*[4].

[Table 1] Example of ID/password to be entered in Notice (Source: "Notice" site FAQ page https: // Notice.Five.JP/FAQ)

In 2019, this initiative was controversial as the implementation approached.NHK reports in a strict tone, such as "indiscriminate invasion", "an unprecedented survey in the world", and "an act that is virtually the same as unauthorized access to unauthorized access", and shows concerns about conflicts on the "communication secrets" set by the Constitution.It is due to the fact that the comment was introduced*[5].The Ministry of Internal Affairs and Communications states that there is no such problem*[6].

In addition, this initiative was attracting attention as an aggressive response in RSA Conference 2019.When I asked more than one speaker, it was said that "it is Fiveod for service providers to respond in cooperation with" "I am paying attention to the results, but I can not do this in my own country."There was a comment.

The Ministry of Internal Affairs and Communications, NICT and ICT-ISAC, reported the status of "Notice" on June 28, 2019.According to this, 147 cases are ultimately alerted.

[Table 2] Initiatives*[7].soumu.Five.JP/Menu_news/S-NEWS/01CYBER01_02000001_00033.html)

According to the Ministry of Internal Affairs and Communications, the number of IoT devices that have been found to have set IDs and passwords that are easily estimated at this time or have already been infected with malware, are considered to be small, but in the future. Since it is expected that malware infection activities to IoT equipment will continue, it is important for users to continue to set up appropriate ID and password settings and update to the latest firmware. " It has said.

In the future, I would like to continue watching how much improvement will be made by this measure, but it can be said that the issues in this kind of measure have been revealed.

measures

From a viewpoint of countermeasures, IoT security is considered to be roughly divided into three layers of endpoints (devices), networks, and applications.There is a method of direct measures at the level of the device as described above at the level of the device, but there are also methods to stop unauthorized access in the network, and to control the application (cloud) side (Fig. 5).)

FIG. 5 (Source: IoT Cybersecurity Alliance, “Demystify Iot CyberseCurity” (2017), etc. (2017), etc.)

As a direct countermeasure for the device, it is a prerequisite to use a high -tamper -resistant (tough) system, but in addition, a mechanism that can update the software of the device after installation is necessary, and the mechanism must be secure.There is.As an example, CSA (Cloud Security Alliance) offers the following recommendations for the IoT firmware update*[8].

1. アップデート前に現行版をバックアップすることが必要
2. ロールバックがサポートされるべき。ただしベンダーの許可なく行われてはならない
3. アップデートのスケジューリングが可能であることが必要
4. 自動アップデート時、システム管理者の設定を可能とすることが必要
5. 1つのコンポーネントが複数のマイクロコントローラーのアップデートを管理できることが必要
6. アップデート時のデータサイズは帯域の制約に適合していることが必要
7. アップデートはエンドtoエンドで認証され保護される必要がある
8. 認証鍵のストレージがセキュアである必要がある
9. アップデート失敗時のリカバリ手順が提供される必要がある
10. ベンダーからの長期のサポートが保証される必要がある

However, as mentioned above, the number of target measures may be enormous for devices, and functions may be restricted. In addition, the update mechanism may not be continuously provided because vendors have a deadline for updating software or stop the business. It has also been pointed out that even after the disposal of the device, it may be taken out of security information (passwords to connected networks, private keys, etc.). Even if the terminals have a password change and update mechanism for the terminals due to regulations in each country, it is difficult to prevent equipment that has been distributed to the market so far, and equipment produced outside the target country. (Even though harmonization is progressing, it will be difficult to stay in all countries). There is also a problem with resistance as described in the "Notice" section above, and it is difficult to take measures from the outside.

On the other hand, if protection at the network level is performed, it is possible to cover all terminals that perform communication. The basic concept is to pass a specific checkpoint in the traffic and check if there is no problem. It can prevent external threats, and even if an infected terminal is connected inside, it can prevent external attacks and information leaks. As an example, Cisco provides "Umbrella". In addition to this, Symantec has provided a solution that applies the concept of "ZERO Trust", which examines all traffic and acquire logs assuming that you do not trust. The idea of ​​inspecting behavior regardless of whether you are in a trusted network is considered to be an approach that is suitable for IoT devices that are easy to have vulnerabilities (Fig. 6, 7).

[Fig. 6] An example of a protection service in the network (Cisco Umbrella) (Source: https: // www.Cisco.com/c/en/us/produsts/secret/rooter-security/umbrella -branch.html)

FIG. 7] Symantec use case (Source: nico Popp, SR. VP of Information Protection, Symantec, “How to Apply a Zero-Trust Model to Cloud, Data and Identity” (RSA Conference 2019, San FranCisco, CA, Mar 4-Mar 8, 2019））

In addition, measures at the application (cloud) level are also progressing.For example, if you look at AWS and Microsoft Azure, a major IAAS service giant, both companies provide security services with three points: the cloud side, connection, and device management.However, this measure is limited to the application (cloud).Keep in mind that all communications can be ended in the cloud, but may not be able to deal with problems in other places (eg, botted devices attack third parties).Should be.

Endpoints (devices), networks, applications (clouds) can be countermeasures, and it is necessary to combine each countermeasure, but the approach to a comprehensive network service is not effective. I wonder

summary

As the IoT spreads, IoT security has become a major challenge on the backdrop of the increase in IoT terminals, the sophistication of threats, and the progress of IoT services and technology utilization in OT.On the other hand, various countries are implementing various measures.Japan's "Notice" is attracting attention as an aggressive effort for vulnerable IoT devices by the government.In addition, various services are proposed by each company and organization.

It is natural that we need to raise users (the owners of systems and equipment) and voluntarily take measures (such as purchasing safe terminals, thoroughly managing and updating), in anticipation of IoT security measures.However, it is a reality that enlightenment alone has a limit.Users do not always have high skills, and there are cost problems.It is difficult to overturn it if the user determines that it is not worth the cost -effectiveness.

The beneficiary of security measures is not necessarily the only user.In order to protect the security throughout the Internet while promoting the use of IoT, there may be further examining the burden and system in addition to improving services and technology.