The rapid advent and growth of the Internet of the Things (IoT) technologies are missing, in many cases, the implementation of effective security measures behind. Networks of thousands of devices are connecting critical infrastructures of cities, and devices with highly restricted computational power (normally already overused with the tasks they are specifically designed to perform) have no margin to deploy security procedures that are at best basic or even nonexistent.

Settled this baseline, the attacks to which these devices are exposed to are potentially endless. Here, we present one of the most common: the botnets. A botnet is defined as a logical collection of Internet-connected devices whose security has been breached, and their control is ceded to a third party.

Once those units are compromised, they receive instructions from a central computing system that will coordinate the attacks. The problem that we face here is higher than it might seem at first glance: not only all our devices (including those deployed on clients’ premises) will stop working to perform the attackers’ tasks, but also our IP addresses will be the only information that the victims will presumably see with consequent damage to our public image. Botnet-based-attacks consequently endanger the reputation of the companies.

IoT solutions should then embrace security from the very beginning conception and design phase to avoid undesired scenarios. Security architects have to be involved in the definition of the project to identify potential security breaches in the system and then keep the collaboration and the information flowing internally until the end of the development process. Actually, this approach is summarized by the Privacy by Design concept enshrined in the GDPR, and it is considered a best practice that all IoT actors should follow from now on, even if no personal data are processed.

The approach of the security architect at this point must be minimalistic, meaning that this figure will reduce as much as possible the complexity of the system to guarantee a clear view of all the elements and minimize the risk level associated to each of them. On top of this, access control will provide the last layer for a proper hardening. In fact, in-depth analysis to effectively manage the requested accesses to the specific assets, blocking undesired connection attempts, becomes a must. Having a narrow range of permitted connections drastically reduces the attack surface and resources are then properly allocated in the identified inevitable fissures.

SMESEC aims to identify what are the needs from the SME perspective and translate them into requirements for a unified framework, created by the joint of the different solutions and expertise areas of the partners. The products can cover a wide range of security market segments, and it is expected that the unification will bring even higher added value to the products and the Framework.

Olmo Rayón
Cybersecurity Manager at Worldsensing