Testing, testing: Securing the IoT

The IoT is set to have significant impact on the way we do things today; either at home, at work, while shopping, even in manufacturing and medicine. To prepare for numerous networks of devices, sensors and actuators communicating in short and medium range protocols – security must be a paramount consideration. Not least because the increased number of decentralised entry points will be more vulnerable and each point of information entry needs to be made secure. As the device and sensor population grows exponentially there will be several manufacturers competing to offer solutions, which may compromise security effectiveness. Regulatory standards and governance must be made clear and transparent to every user who brings in risk, especially if they opt to use cheaper and potentially unsecure devices. Even if a device network is in a physically compromised location, there should be stringent monitoring to sense intrusions.

Testing is key to security
From the security testing point of view, the work starts here. Security testers must validate the design, the quality of sensors, the devices and the applicable standards. This kind of static inspection must be made mandatory at the very outset of any project consideration. Sensor networks, real-time data collection applications, middleware, interfaces and M2M protocols are just a few variables that could bring in more injectable points and new security threats. Security test at the device and protocol level is one of the important areas where issues can be detected at the source. If we consider the population of these components, it may call for different kinds of tests for various protocols and the pattern of data being sent.

No matter how great these security threats might be, they are in no way going to stop the growth of IoT. Implementation standards, however, will become stringent, as increasing security at all layers will be a huge, yet mandatory investment. Security threats, though a formidable task, are manageable with the right approach. Lest we forget that not too many years ago mobile apps were considered too insecure and now we use them for a whole host of critical transactions. This was made possible only by testing the systems for security at all layers, and there are various tools in use today to make these tests easy and automated.

Test Driven Development
End-to-end testing plays a major role in establishing security in IoT by simulating vulnerabilities at all possible entry points. The test strategy needs to be very clear from the beginning and adopting “Test Driven Development” (TDD) would be the preferable approach. This will help to define vulnerable scenarios early on by examining the architecture. A vulnerability map should be developed during the design stage, the device selection and the ‘gates’ can therefore be made strong, according to areas of vulnerability on the map. Those designing and implementing IoT solutions need to simultaneously wear the testers cap, to really define and identify vulnerabilities as they build the solutions, to reduce the chances of any kind of rework and/or damages.

Securing_IOT

Considering the above data flow across layers, there are two additional layers being added to the existing systems where we have a fair amount of maturity in terms of security. The additional layers are typically the devices layer and data collection layer where a potential security breach could happen – given they may be easily accessible to the public.

In such conditions, we can prevent malicious data from entering the system through real-time data validation that looks for specific patterns before it could reach the database. Penetration tests and data injection tests are very important when we use these short range protocols to form a network, and real-time data pattern monitors can be deployed to test the data passing through and raise alarms if there is a breach.

Considering a huge network of devices spread across many geographical locations, the data feed in real-time from the devices finally need to flow through few common points. If the data quality can be ensured at these points, it becomes immaterial to handle any IoT implementation of any size. There will not be any issues in terms of security even if we scale up multifold and keep adding multiple locations. If the data verification standard is established as above, there is no need to bother about installing the devices and actuators in any place. In addition to the above, we also require the closed loop monitors doing the job of comparing the real-time changes in the final output against the value sent to the actuators. There could be a situation where the output data could be overwritten by a hacker to damage the system. So there needs to be a constant real-time check deployed between the data exit point to the actuator verses the real output out of the actuator action.

Challenges in addressing the security threats:

  1. Establishing standards for various devices and protocols
  2. Defining the data patterns as an output for various devices
  3. Training the designers and users on security standards
  4. Creating real-time monitors for various activities
  5. Controlling the audit expenditure and overall project cost
  6. Maintaining the performance of the real-time systems with all security controls

Security as standard
A reliable and secure network will help us standardise the backbone of these systems that will enable the IoT. It’s important to remember though, that network performance cannot be sacrificed for the sake of security, as we are dealing with real-time updates right across the network and managing huge data sets. Performance therefore, is still critical. In order to achieve this, a strategic approach to planning the working of the system is needed. There must be a real-time monitoring system in place to detect and prevent anomalies right at the time they occur. Overall, to succeed with the implementation of the IoT, standards and best practices need to be put in place early on, and supported with a very robust auditing process. If done properly, there can be very good progress in this space while achieving the objectives of IoT implementations.

Suresh Srinivasan

Director - QA, Virtusa. Suresh is an electrical engineer and holds a masters degree in business administration, with 24+ years of experience in software testing and development. He has worked in different industry domains including manufacturing, Telecom, Insurance, Banking and Logistics. Suresh started his career in testing from the industrial automation and industrial robotics programming and also specialized in business system software testing in multiple domains like Banking, Finance, Logistics, Healthcare, Telecom etc. Currently, at Virtusa he is playing the role of QA practice head for the company's various technology centers in India. He is also a hands-on player on specialized testing and heads some of the activities in this area. During his more than two decades career, Suresh has traveled worldwide to implement various testing projects, covering test automation, SOA testing and performance testing, for global enterprises. Suresh has experience in implementing testing methodologies and concepts from ATLM, TPI, TMAP and TMM. He is also working closely with tool vendors like Rational, HP and iTKO. Leveraging his experience, Suresh has also developed process frameworks for executing testing projects end-to-end which reduces the cycle time while improving the test coverage. He has presented papers on testing solutions at various international testing conferences. Apart from working closely with different educational institutions, Suresh conducts seminars related to software testing so as to bring provide and showcase the practical view to students.

More Posts