IoT Cybersecurity: Using Microsoft Azure to Secure Your Fleet
In recent years, cybersecurity has become an increasingly important topic within the industry, particularly within Industry 4.0. Technologies are constantly evolving. We have access to increasingly complex subjects that go deeper and deeper and to larger and larger data volumes. However, the risk involved in this entire ecosystem is also increasing. As the saying goes: “With great power comes great responsibility.” For that reason, investing heavily to combat vulnerabilities in the anti-intrusion structure is essential.
In this post, we’ll discuss cybersecurity for the Internet of Things (IoT) and how Microsoft Azure can help you build more robust protection for your ecosystem.
The essence of Azure IoT security is the ability to connect cloud security to device security. Without that, it would be impossible to promote a tool that would not allow clients in production to sleep soundly. This is why Microsoft has invested five billion dollars in the IoT over the past four years.
IoT and Cybersecurity Definitions
What Is the IoT?
We’ve all heard the term “IoT” at some point in our lives, but what exactly does it mean?
A so-called “IoT” device (for Internet of Things) is defined as a portable electronic device that can connect to the Internet and exchange data with external services. A laptop computer, a cell phone, your home Alexa device, your gaming console, your new car, and so on, are just some examples. An IoT device will collect and exchange data with external services, such as the cloud, in return for a personalized service. Typically, if we look at a cell phone, for example, it will collect and send metrics to the manufacturer so targeted updates can be provided for the phone, and they can see what the user needs… or wants.
Today, industrialists use the IoT to control and monitor their processes remotely at any time and to track changes within an existing network infrastructure. Metrics allow them to maximize production and improve the efficiency of their procedures, resulting in financial and human benefits.
These IoT systems frequently include sensors and actuators, classifying them as cyber-physical systems. Here, we’re talking about home automation, intelligent transport systems, collaborative robotic arms, etc.
According to an Organization for Economic Co-operation and Development (OECD) study published in 2015, France ranks 8th in the world with 17.6 devices online per 100 inhabitants compared with South Korea in first place with 37.9 devices online across this same segment.
Definition of Cybersecurity
To use an analogy from the art of war: great wars in medieval times pitted rivals against each other on the battlefield. However, the art of war has evolved over time, with an increasing emphasis on infiltration and striking from within at lower cost to achieve a greater impact. It was then a matter of defending the stronghold with quality, accuracy, and precision rather than force or quantity. In today’s world, cybersecurity is that stronghold: we’re constantly learning how to better protect our systems, networks, and programs against increasingly thorough, devious, and undetectable digital attacks. These attacks typically aim to gain access to sensitive information, modify, destroy, or extort resources, or disrupt a company’s operations. Hackers are becoming increasingly inventive. The importance of investing in cybersecurity is growing at an exponential rate.
The IoT community has agreed on seven properties that must be present for a device to be considered highly secure:
- Hardware-protected identity and integrity: does the device have a unique, unforgeable identity? Is the program hardware-secured?
- Multiple mitigations applied against threats. The countermeasures lessen the impact of a successful attack. Is the device still protected if a security mechanism is compromised?
- Private keys stored in a hardware-protected vault that is inaccessible by the program. The program is divided into multiple self-protecting layers. Is the device’s security program code protected from bugs in other programs on the device?
- Hardware-enforced barriers between software components prevent a breach from propagating. Is an error in one of the device components contained within that component? Can new compartments be added to address new security threats?
- Security tokens signed with an unforgeable cryptographic key prove the device’s identity and authenticity. Does the device use certificates or other tokens signed by the secure hardware component for authentication?
- A software error, such as a buffer overrun caused by a hacker, is reported to a cloud-based error analysis system. Does the device report errors for analysis to check the correctness of the device execution and identify new threats?
- Updates bring the device to a more secure state and revoke assets compromised by known vulnerabilities or security breaches. Is the device software updated automatically? Can the hardware-protected security software be updated quickly without repackaging another of the device’s security components?
Based on my own experience, here is how I address each of these properties:
|Property||Can be handled by Microsoft||
How to address it
|Hardware root of trust||No||My preferred solution, supported by IoT Edge and simple to implement, is the Trusted Platform Module (TPM), a physical module to incorporate (sometimes easy to connect) in our device to give it access to a secure hardware storage unit for all authentication and identity data. The Trusted Computing Base (TCB) benefits greatly from the use of IoT Edge.|
|Small Trusted Computing Base (TCB)|
|Defense in depth||Yes, if IoT Edge||IoT Edge separates each software module in the client program using virtual containers. For example, you can have one container to manage data sending and another to collect sensor data, and if one of them is breached, the other module and the device system itself remain protected. This is one of the main advantages of using virtual containers.|
|Dynamic compartments||Containerizing your application can also keep errors from spreading from one part of the software to the next.|
|Renewable security||The “real-time” updating feature of IoT Edge allows you to update some or all of the application modules from anywhere, at any time, with updates done on the devices within a minute (subject to a sufficiently stable Internet connection, of course) with Azure Device Update (ADU), as well as update the entire operating system (OS) or add specific files as startup scripts.|
|Certificate-based authentication||Yes||In theory, this is determined by the user. A simple password can be used on a development device with few rights and risks, but it’s critical to transition to certificate-based authentication as soon as possible, especially in production.|
|Online failure reporting||This property is primarily handled by Azure features that are implemented on IoT Hub-connected devices, but this is still much more effective with IoT Edge.|
We can also use a Zero Trust strategy. This approach, as the name implies, considers every element to be potentially dangerous and does not trust any software component. In practice, we talk about implementing enhanced security across all exchanges:
- An identity authentication management unit
- Working with strict and minimal permissions
- A unit for monitoring the device and combating threats
- Regular, automatic updates
- Threat response system
Cybersecurity: What Are the Risks for Companies?
An effective cybersecurity defense system has multiple layers of protection:
- The computers
- The networks
- The programs
- The data sent/received
These layers of protection complement one another in three ways:
- People: users who are aware of the risks and have been trained in basic data security principles, such as using strong passwords, being cautious of email attachments, and storing sensitive data in digital vaults, for example
- Processes: who should manage cyberattacks, having historical knowledge to predict potential future incidents, knowing how to identify and manage a security breach, and protecting the system
- Technology: as cyberattacks become more intelligent and sophisticated, technology must keep up in order for systems to provide companies and individuals with the appropriate tools to protect themselves
This is an issue that affects both businesses and individuals. Individuals protect themselves on a daily basis against identity theft, attempted extortion, and the loss of vital data or precious family photos. At the corporate level, it’s critical to secure the organizations our society relies on: power plants, hospitals, financial services, and so on.
We face various types of cyber threats:
- Phishing is the practice of sending fraudulent emails that look like emails from trusted sources in order to steal sensitive data, such as bank card numbers, personal information, login details, etc. This is also the most common type of cyberattack. Companies spend a significant amount of time training and/or raising awareness among their employees about information security for good reason.
- Ransomware is a type of malicious software that is used to extort money by preventing access to files or the IT system until a ransom is paid.
- Malware is malicious software that is designed to gain unauthorized access (for example, creating/modifying access to a secure building) or to harm a computer.
- Social engineering, which is more subtle, consists of tactics enticing us to reveal sensitive information (for example, pretending to be a friend or relative through social networks and then requesting money or confidential information).
According to a study published by Gartner, an American company specializing in delivering insights to information companies, worldwide expenditure on information security and risk management exceeded 150 billion dollars in 2021 (an increase of 12.4% compared with the previous year). A figure that is still rising. Despite this investment, it’s estimated that two thirds of those companies still have system breaches. Worse, some experience breaches 5 to 6 times in a year.
Source: Gartner press release
The so-called industrial Internet of Things (IIoT) refers to the use of the IoT within a specific framework of instrumentation and control of the sensors and terminals used by cloud technologies (example case study at Titan International by Oracle).
Source: Oracle – Titan International case studies
Key figure: according to Centrify’s investigational report on cloud computing, 90% of the companies surveyed are in the process of or intend to move their operations to the cloud, but 34% consider security the main challenge.
B2B cybersecurity concerns companies that are customers of one another (for example, company X rents digital platform services to company Y). This scenario presents an excellent opportunity for cyberattacks because it allows attackers to obtain login credentials and sensitive data for multiple companies (the clients) rather than just one. There are several types of breaches: cyber espionage, extortion, data and identity reselling, etc.
Let’s have a look at an example we can all relate to: social networks.
Social network X does business with company Y. It’s common practice nowadays to be able to create an account on website Y by clicking a “Log in using your X profile” button. Companies X and Y then begin exchanging information and, while there are rules requiring the express disclosure of all data exchanged between the two companies under the European General Data Protection Regulation (GDPR), it’s up to company Y to say, “I need this or that information about the user’s profile.” This information could include your name, date of birth, and email address, as well as your friends list, location, photos, and more. However, these elements are explicitly stated during registration: the user must consent to each of these transactions. At this point, though, you trust company X, which invests billions in security, but the same is not true for company Y. Imagine if company Y is the victim of a cyberattack, potentially providing the attackers with access to your data, particularly the data shared between X and Y.
Fortunately, much more sophisticated security mechanisms exist to protect users from the consequences of this type of situation between companies.
B2C cybersecurity concerns companies whose clients are individuals. These individuals may have a wide range of profiles and may be unaware of cybersecurity risks, making them particularly vulnerable.
For example, if some creation rules are not followed, the company cannot guarantee that the user will choose a highly secure password. This means the company must strengthen security in the remaining layers. This is a potentially riskier situation than B2B because the individual may have had no training in security and Internet dangers. The protection mechanisms must be even stronger. One rule that is frequently mentioned in the IT developer community is that if something stupid can be done in an application, no matter how difficult or counterintuitive it is, someone will always do it. Always plan for the worst-case scenario.
What are the IoT Breach Types?
IoT Attack Types
There are multiple IoT attack types:
- DDoS attack (Mirai): the infection of a fleet of devices (known as a botnet) in order to flood one or more servers with requests at a specific time, causing them to crash.
- Client data interception: when a device is breached, the cybercriminal gains access to all data passing through that device (client data, sensors, messages, login credentials, etc.)
- System takeover (for example, in home automation): a cybercriminal can breach our Wi-Fi network, infect all devices on the network, take control of them, and access surveillance cameras, among other things. A virus can typically infect your computer while you’re browsing the web and take control of your camera before demanding a ransom.
- Hardware breach: an IoT device is the ideal entry point for a hacker looking to gain access to the servers of the company that manages these devices. If the hacker has physical access to the device, the breach may be even easier. Among other things, any physical access to hardware that grants privileges, such as a USB port that can be used to access a terminal with administrator rights must be avoided.
- Induced failure: a cybercriminal can breach a system and cause a failure, such as unlocking security systems.
- Hardware and software damage causing data loss.
In all cases, there are four infiltration routes:
- Physical (direct access to the hardware or through an underlying device)
- Virtual (infiltration through malicious software)
- Network (interception of data in transit)
- Server (attacking devices from the server managing them)
Never forget that there is no such thing as perfect security. Cybercriminals will always find a weakness, which is why it’s critical to provide not only protection against intrusions but also monitoring and intrusion detection systems and countermeasures in the event of a breach.
The Top Five Cyber Attacks in History
There have been countless cyberattacks. However, some stand out due to their magnitude or impact:
- No. 1: WannaCry: considered the largest ransomware hack in Internet history, this massive global cyberattack in May 2017 affected over 300,000 computers in more than 150 countries by exploiting a vulnerability in the outdated Windows XP operating system and, more broadly, all versions prior to Windows 10 that did not have the most recent security updates. This vulnerability had been fixed in a Microsoft update in March 2017, but computers that had not been updated were still vulnerable. The total damage was estimated to be between 4 and 8 billion dollars. Windows no longer asks for permission to apply updates and instead installs them automatically.
The virus resurfaced in the summer of 2017 against a Honda factory in Japan, just five days before the attack ranked second in this top five list.
- No. 2: ExPetr or NotPetya: the functional principle was similar to what happened with WannaCry, but the worm targeted businesses specifically because one of the virus’s primary vectors was the MeDoc finance software. The cybercriminals had infiltrated the MeDoc update component, which allowed them to disguise the virus as an update on all the affected computers. This attack caused less damage in terms of number of devices than WannaCry, but it was still estimated at over 10 billion dollars.
- No. 3: Stuxnet: this is probably the most famous attack. It destroyed Iran’s uranium enrichment centrifuges, stalling the country’s nuclear program for years. Instead of using the Internet like the previous two attacks, this one was carried out discreetly via USB sticks. This allowed the virus to be introduced on systems not connected to the network. Its goal was not to harm the infected computers, but to take control of the computers based on Siemens programmable controllers and software, reprogram them, and increase the centrifuge rotation speed until they were destroyed.
- No. 4: DarkHotel: this well-known method involves infiltrating public hotel Wi-Fi networks to trick specific guests into installing updates that infect their computer with spyware, allowing the cybercriminal to blackmail or phish.
- No. 5: Mirai: this attack is the starting point for IoT security. In the early days of the Internet of Things, device security was not a priority for manufacturers who did not provide anti-virus systems. All of these devices became infected. The infection spread throughout the world unnoticed until, on October 21, 2016, the owner of this collection of remotely controllable infected devices (the botnet) decided to use their system to flood Dyn, a Domain Name Server (DNS) provider, with requests. This is known as a distributed denial-of-service (DDoS) attack, in which a server is bombarded with requests until it crashes.
How Can Microsoft Azure Respond to Cyber Attacks?
Azure is Microsoft’s cloud service, and it provides a wide range of services, including website hosting and the integration of Office 365 (Word, Excel, SharePoint, etc.) services to the IoT, basic data processing, and artificial intelligence.
The IoT is an important component of Microsoft’s investment in its cloud, a constantly evolving service that offers ever more powerful and secure tools. We now provide a secure IoT service that incorporates a variety of tools, including artificial intelligence, by pushing the data processing part onto the device directly. This allows us to be more responsive with services that remain connected to the cloud and managed remotely. If you want to learn more about this topic, check out Cellenza’s post on Discovering Azure’s IoT Hub.
Source: Microsoft documentation
Azure IoT Edge
Let’s consider the Azure IoT Edge use case.
We have thousands of devices deployed around the world, but our partners are concerned about the security of their devices. Would a normal individual be able to infiltrate our system? It’s a small device on which we store sensitive information. How can we ensure that data will not be compromised? Well, it’s easier than you might think.
Microsoft Azure IoT, and specifically IoT Edge, has numerous security layers that make breaking into the client’s system extremely time-consuming. A device equipped with Azure IoT Edge (in other words, a device with an embedded program that can manage the execution of sub-programs, known as modules, update them, and make sending data between modules and the cloud easier) executes its modules in Docker containers with a set of specific rights, thereby creating the first layer of security. An intruder embedded within a module will be unable to infect the layers above because of the container limitations. Add to this a Trusted Platform Module (TPM), which provides the device with secure storage space for all sensitive data for authenticating the device or using certificates instead of passwords, and we provide all of our devices with a secure way to protect and transmit our data.
Azure Key Vault Data Security
But what if you don’t have a TPM? Consider Azure Key Vault!
Azure Key Vault is Microsoft’s digital vault service. It allows Azure applications and connected devices to access a secure database of secrets (such as login strings), passwords, and certificates of all types, all with certificate-based authentication and end-to-end encryption: even if a cybercriminal manages to infiltrate the device, they will not be able to access this information.
Azure Device Update and IoT Edge Device Updates
What about updates? Depending on whether our device has IoT edge embedded or not, we want to be able to perform one to three update types remotely at any time:
- Updates to the operating system or parts of it (specific files, addition of startup/shutdown scripts, etc.): we then use Azure Device Update (ADU), which allows us to send so-called over-the-air (OTA) updates to a group of devices remotely. These updates can be for the entire operating system or just to add libraries, change system parameters, add additional files, insert new scripts, or a variety of other things.
- IoT Edge update, for example, to update the security service or module manager.
- IoT Edge module updates, to change the behavior of one part of our application without affecting the others.
There are numerous Azure-based solutions for improving IoT cybersecurity. You should look at Azure Sentinel, Azure IoT Central, and Azure Defender for IoT in particular.
Azure IoT Edge is at the heart of the best Azure-based IoT security. However, you must secure your devices at the hardware level in addition to “simply” securing the services. This is where Azure Sphere comes in.
Azure Sphere is Microsoft’s latest security innovation. According to the official documentation, “Azure Sphere is a secured, high-level application platform with built-in communication and security features for Internet-connected devices. It comprises a secured, connected, crossover microcontroller unit (MCU), a custom high-level Linux-based operating system (OS), and a cloud-based security service that provides continuous, renewable security.” Have a browse of the full product description.
This platform is a true security gem. It enables the incorporation of aspects of what was described earlier as a secure device from the outset in addition to the software components provided by Microsoft. With the Azure IoT Edge components as well as any proprietary company security layers, we can safely say that we have a secure device.
This solution consists of three components that work together to protect the devices:
- Azure Sphere-certified microcontrollers: a type of microcontroller unit (MCU) that combines application and real-time processors while incorporating Microsoft’s latest security technology, based on the company’s 20 years of experience with the Xbox in particular.
- Azure Sphere OS: unlike traditional real-time operating systems (RTOSs), this OS embeds multiple security levels by combining Windows security innovations, a security monitor, and a custom Linux kernel for in-depth defense.
- Azure Sphere Security Service: a turnkey cloud service that protects the entire system by providing a reliable communication path between the device and the cloud via automatic updates, threat detection, and online reporting.
It’s also worth noting that all of the components of Azure Sphere OS are open source (including the Yocto metas!).
Go to this Microsoft site and search for “Azure Sphere.” At the time of posting, the results are filtered in ascending order by version (scroll to the bottom).
To Learn More about Cybersecurity and the IoT
Learn more about the various attacks that have occurred throughout the history of digital technology, and if you are interested in Azure Sphere, this tool is easily accessible to individuals. At the moment, it’s available for around a hundred euros from various suppliers, complete with its development kit.
You can also find a Microsoft blog post on IoT device cybersecurity which includes links to all the Azure cybersecurity resources.
I also recommend watching this video, which clearly demonstrates how an attack works.
You can also find more information and statistics on the Gartner website.
All tutorials and documentation are still available on the dedicated Microsoft site.
And, as always, if you have any questions, please leave them in the comments section. I’d be happy to answer them! Contact Cellenza if you need help with your IT projects!