What is IoT security? Also explains countermeasures, operational rules for connection, etc., and equipment.

“How should we take security measures for IoT?”

“What does IoT mean and what kind of technology is it?”

Many people are considering introducing IoT, but are concerned about security.Security in IoT refers to measures taken to protect "things" and various devices connected to the Internet from external attacks.It depends on the usage situation and system, but basically it refers to the following three actions.

• Transfer data
• system
• Equipment (device body)

Nowadays, everything connected to a network requires security measures. IoT is connected to multiple devices and networks. Therefore, unless strong security is in place, damage may extend to the entire device or even the entire system.

Therefore, in this article, we will explain in detail the definition of IoT security, the contents of IoT security guidelines, and frequently asked questions. If you would like to understand the key points when implementing IoT security measures, please refer to this article.

 What is IoT security? Definition explained

First, we will explain basic information about IoT security.

• What is the definition of IoT security?
• First of all, what is IoT?

IoTWhat is the definition of security?

IoT security means protecting various devices and networks connected to the Internet from malicious attacks and threats.``Things'' connected to the Internet are at risk of being exposed to various threats, so security measures are essential.

Examples of the threats you may be exposed to include:

In 2016, IoT devices infected with a virus called Mirai were exploited in a large-scale DDoS attack on the DNS server of a US company, resulting in numerous sites being accessed intermittently for several hours. I can no longer do it. Variants of Mirai have been confirmed, and they are still active.

Source: Metropolitan Police Department | Botnet Countermeasures (January 25, 2024)

A DDoS attack is a method of sending a large amount of data from multiple computers. The huge amount of data puts a strain on the service provider (host), and the site or server that cannot keep up with the processing will be unable to provide normal service.

When attacking such a computer, attackers may use unrelated sites as a springboard to prevent their own computer from being identified. In this case, IoT devices may be targeted. IoT security is essential to avoid becoming a victim, and even an unintentional perpetrator.

First of all, what is IoT?

IoT refers to connecting various things to the Internet, and is also called the ``Internet of Things'' in Japan.Before the development of IoT, the Internet was basically only able to connect computers. Typical examples include PCs and PCs, and servers and PCs.

However, nowadays, various devices can be connected to the Internet. The term "thing/device" used in the "Internet of Things" refers to any object. Specific examples related to daily life include the following.

• TV that allows you to watch content on the Internet
• Air conditioner that can be operated from anywhere using a smartphone etc.
• Smart lock that locks the gate of your home
• Monitoring camera that remotely monitors the status of care recipients and pets

In industry and business, examples include:

• Various robots such as arms used in manufacturing factories
• Automatic production management using IoT for machine tools

Even if you don't fully understand the meaning of IoT, you may have actually used it or heard about it. IoT technology is used in many scenes.

For more information on IoT, please refer to the article below.

IoT is the Internet of Things! Explaining the mechanism, what can be achieved, and implementation examples

Main targets of security measures in IoT

There are three main areas that require countermeasures:

• Transfer data
• system
• Equipment (device body)

Transfer data

The first is the transfer data.The data measured by IoT devices may be stolen when transferred to servers, etc.

For example, industrial IoT devices monitor production data and machine status and send it to a central control system. If this data is tampered with by an attacker or stolen remotely, confidential corporate information may be leaked. In some cases, important information such as employee privacy and industrial information about customers may be leaked.

Therefore, it will be necessary to ensure the security of the communication itself and the robustness of the transfer destination storage. A common countermeasure is to encrypt the data. Please refer to the detailed countermeasures below.

system

Systems are also subject to security measures.The system referred to here mainly includes the following:

• network
• software
• application

For example, in a smart home environment, lighting, heating, security cameras, etc. are connected to the internet and controlled via software or smartphone apps. If some applications in your system are accessed illegally, it can jeopardize the security of your entire home and even compromise your privacy. The important thing here is to always keep your security system up to date. It will also be important to confirm that the systems that operate IoT have been updated appropriately.

If you are operating multiple IoT systems, you must also understand how the various systems are connected. If you investigate, you may find that an unnecessary system was connected to the Internet. If a system that you do not understand is connected to the outside world, it can become a source of attack from the outside world.

First, let's identify the system correlation diagram and the systems connected to external networks one by one.

Equipment (device body)

The third is the equipment (the device itself).If the security level of the equipment is insufficient, it may be dangerous.

A simple example is a smart car key. Relay attacks are sometimes cited as one of the troubles caused by smart keys.

A relay attack is a theft method in which the weak radio waves constantly emitted by a car's smart key are received and amplified by special equipment, and connected like a relay to unlock the car.

Source: Metropolitan Police Department | Crime prevention measures against “automobile theft and vehicle theft” (January 25, 2024)

As seen from this incident, vulnerabilities in equipment and devices can become fatal flaws. When taking security measures for IoT, it is also important to take security measures for the devices themselves that you are considering using.

The following are the main security measures to protect your devices.

• Physical Protection
• Regular firmware updates

Physical protection literally means protecting the IoT device itself. This refers to turning off the power to unused IoT devices, disconnecting them from the network, and covering the entire device in order to narrow the attack target area.

Regular firmware updates refer to updates to basic software, passwords, and security software. In particular, you need to be careful because once you change your password, you tend to use it for a long time. Changing it regularly will keep threats at bay.

Basics of risk countermeasures! IoT security guidelines

The IoT Security Guidelines are a guide that explains the security required when companies use IoT devices. Here, we will explain the IoT Security Guidelines in the following five sections:

• policy
• analysis
• design
• Build and connect
• Operation/maintenance

policy

The IoT security guidelines state that the following two points should be done first:

Key points 1. Key points for management to commit to IoT security 2. Prepare for internal improprieties and mistakes

Source: IoT Promotion Consortium, Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry | IoT Security Guidelines ver 1.0 | Page 13 (January 25, 2024)

First of all, it is said that IoT security measures should be taken by the management, not by the person in charge of IoT. In the first place, IoT security risks are closely related to "things," so it is thought that the damage to a company will be greater if a problem occurs. For example, if a car's IoT system is hijacked, it may be impossible to operate the steering wheel or brakes. If the system is stolen while driving, it could not only cause health damage to the driver and passengers, but could even be life-threatening in some cases. The bigger the problem, the more difficult it is to take responsibility. Therefore, the management of the provider must commit to providing sufficient security measures.

Additionally, IoT security risks include not only external risks but also internal fraud and mistakes. Fraud from within, who is familiar with IoT mechanisms, also tends to become a bigger problem. Therefore, it is necessary to consider countermeasures in advance, such as monitoring and managing user privileges.

analysis

The IoT Security Guidelines then proceed with the necessary analysis to recognize IoT risks. There are five key points that should be addressed:

Key points 3. Key points for identifying what needs to be protected 4. Key points for anticipating risks associated with connections 5. Key points for anticipating risks that may spread through connections 6. Key points for recognizing physical risks 7. Learning from past cases

Source: IoT Promotion Consortium Ministry of Internal Affairs and Communications Ministry of Economy, Trade and Industry | IoT Security Guidelines ver 1.0 | Page 17 (January 25, 2024)

First, identify what traditional devices need to be protected before they are connected to the IoT. Heating appliances and the like have functions that were originally equipped to protect users, such as automatically shutting down in the event of an earthquake. Such functions could be said to fall into the category of what needs to be protected. In addition, when the IoT is attacked, intellectual property such as personal information and specifications also fall into the category of what needs to be protected. In the analysis stage, first identify what needs to be protected in terms of devices and information.

Once we can identify what we need to protect, we can anticipate the risks that will spread. Think about the risks that may arise from connecting to the Internet.

Another physical risk is the possibility of fraudulent activity using stolen equipment. Even if the equipment is not taken out of the company, there is a risk that information may be stolen if the equipment is not thoroughly managed.

If you can't come up with an idea within your company, the final method is to ``Learn from past examples.'' By checking examples of attacks and countermeasures, you will be able to learn about methods that you would not have thought of within your company. We recommend that you check `` National Police Agency | Situation of Threats Surrounding Cyberspace, etc.''.

design

With IoT security guidelines, once we know what needs to be protected, we start designing.

Key Points 8. Key points for designing a system that protects both individuals and the whole 9. Key points for designing a design that does not cause trouble to the connected parties 10. Key points for ensuring consistency in design to achieve safety and security 11. Even when connected to unspecified parties Key points for designing to ensure safety and security 12. Verify and evaluate designs that ensure safety and security

Source: IoT Promotion Consortium Ministry of Internal Affairs and Communications Ministry of Economy, Trade and Industry | IoT Security Guidelines ver 1.0 | Page 27 (January 25, 2024)

In summary, IoT devices introduced into the field should be operated with the basic premise that each individual security level is high. This is because a low security level for each IoT device increases the possibility of the entire system becoming infected with a virus. Countermeasures include using higher-end models or incorporating a system that can monitor low-security devices into the system in advance.

And IoT devices are often connected to the external Internet. Considering connecting with unspecified parties, increase the security level of the IoT itself and consider the safety when connected to other functions. These countermeasures will be described later.

The final point 12 is to verify and evaluate whether the designed IoT mechanisms and connections are actually secure. Although there are verifications and evaluations published by the manufacturer, there are cases where improvements are needed due to unexpected points when operating the product in the field. Verification and evaluation is also required on the company side when introducing it to the field. If you are not sure what to check, we recommend that you consult your business operator.

Build and connect

The next step is to actually connect to the network.When considering measures on the network,IoT security guidelines:The following four points are mentioned.

Key point 13. Provide a function to understand and record the status of devices, etc. Key point 14. Make appropriate network connections according to functions and uses Key point 15. Pay attention to the initial settings Key point 16. Introduce authentication functions

Source: IoT Promotion Consortium, Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry | IoT Security Guidelines ver 1.0 | Page 38 (January 25, 2024)

The IoT Security Guidelines recommend that devices should record the state they are in when connecting to the Internet. Be sure to check whether the IoT devices you plan to introduce have such functions.

Next, connect to your network. Connect by correctly reflecting whether the connection is necessary or not. The method to check the connection destination will be explained later.

Then set a password. The initial password for your device or system may be set to a simple password. If the password is left as it is, there is a risk that it will be easily broken in the event of an external attack. You must be careful not to accidentally forget or leave anything unchanged.

Additionally, efforts are being made to apply authentication functions to prevent spoofing of legitimate IoT devices. In addition to authenticating the device itself, IoT devices with camera functions can also perform facial recognition for employees. Facial and fingerprint authentication can reduce the burden on users while providing a higher level of security.

Operation/maintenance

Finally, let's take necessary measures regarding operation and maintenance.The IoT Security Guidelines have the following key points:

Key points 17. Key points for maintaining a safe and secure state even after shipping/release 18. Key points for understanding IoT risks even after shipping/release and communicating to related parties what you want to protect 19. Making general users aware of the risks of connectivity 20. Key points to recognize the roles of stakeholders in IoT systems and services 21. Understand vulnerable devices and issue appropriate warnings

Source: IoT Promotion Consortium Ministry of Internal Affairs and Communications Ministry of Economy, Trade and Industry | IoT Security Guidelines ver 1.0 | Page 45 (January 25, 2024)

The security level must be maintained even after operation begins. Always try to keep the functionality and security up to date.

In addition to the person in charge of operations, we will also ensure that all IoT stakeholders understand the risks and the rules that must be followed. By equipping all stakeholders with security knowledge, we will be able to maintain a more secure organizational operation.

Point 19 is a necessary measure when using IoT devices to provide services to users. It is a required step if you are providing IoT services to general users. The important point here is whether the explanation is understandable to general users. Use general words as much as possible, and be sure to include annotations when using technical terms.

At the same time, the role of each person involved in actually operating and managing IoT devices must be recognized. This includes not only those who manage security, but also employees responsible for maintenance and employees who actually use IoT in their daily work. By recognizing how each person is involved in the IoT system, you can understand the security measures that should be taken. It would be a good idea to meet regularly and check.

Finally, check again to see if any of the devices used in the IoT system are highly vulnerable. As a final check before operation, check to see if there are any vulnerable devices in your system.

Points to check before sending

There are three points to check before sending data:

Is the communication (connection) destination correct?

• Is someone eavesdropping on your transmission?
• Has the transmitted data been altered?

Is the communication (connection) destination correct?

The first thing to check is whether the data destination is correct.If the connection destination is incorrect or spoofed, data may be stolen.

The best way to check whether the communication destination is correct is to check the IP address or domain name of the communication destination. You can check whether you have the correct IP address and whether the domain you are communicating with is registered and managed by a legitimate organization. In some cases, it may be a good idea to check Whois information.

Is someone eavesdropping on your transmission?

Another important checkpoint is to ensure that the data being sent is not being intercepted.Even if the destination is correct, if the transmitted data is intercepted, important company information may be stolen or personal information may be leaked. It is therefore important to thoroughly protect data in transit.

A common measure to protect transmitted data is data encryption. By encrypting your data, it is possible to prevent your data from being seen by others. It is a good idea to use an encryption protocol such as TLS (Transport Layer Security) or SSL (Secure Sockets Layer). You will need specialized knowledge in this area, so please consult with the operator.

Has the transmitted data been altered?

It is also important to check that the data you send has not been tampered with.Important decisions may be made based on incorrect information.

For example, suppose a smart home security system sends a command to turn off the security system. However, an attacker may intercept this command and modify it into a command to turn on the security system. In such a situation, the security system may be activated inadvertently, causing an alarm to sound when the situation is actually secure. Preventing modification of transmitted data is critical to ensuring system reliability, security, and overall functionality.

One way to prevent information tampering is to add digital signatures to data. As the name suggests, a digital signature is an electronic signature on data. It has a role similar to a seal or signature in the real world, and is used to prove that the target data is genuine. This will help ensure that the data has not been altered en route.

Explaining frequently asked questions about IoT security

Finally, we will explain frequently asked questions regarding IoT security.

• Where can I find other guidelines on IoT security?
• Please give me some typical examples of IoT devices.

 IoTWhere can I find other security guidelines?

The following three guidelines can be viewed on the Ministry of Internal Affairs and Communications | Cybersecurity Measures for Small and Medium-sized Enterprises page.

• Product security measures guide for small and medium-sized enterprises developing IoT devices (PDF)
• Summary version of product security measures guide for small and medium-sized enterprises developing IoT devices (PDF)
• Product Security Measures Guide for Small and Medium-Sized Enterprises Developing IoT Devices - Summary for Managers (PDF)

For example, in the ``Product Security Measures Guide for Small and Medium-sized Enterprises Developing IoT Devices (PDF),'' each piece of information is concise, but you can check surrounding information instead. Please refer to it once.

 IoTPlease give me some typical examples of equipment.

Typical examples of IoT devices include:

These IoT devices make our lives easier and more efficient, while also contributing to health management and optimizing energy usage. Of course, you need to be careful about security.

summary

We explained IoT security. IoT, which has become familiar not only in business but also in daily life, is a technology that will continue to grow in demand in the future.

And precisely because demand is increasing, security is extremely important in case of emergencies.In such cases, take measures focusing on IoT security guidelines.Security risks can be reduced to some extent.

However, IoT security is complex and needs to be updated. In some cases, it may be difficult to raise the security level on your own. In such cases, please feel free to contact us.