Securing the IoT: 3 Tight Security Guidelines Everyone should Follow when Building any IoT Solution
Ever since Kevin Ashton introduced the term in 1999, the Internet of Things has evolved from an intriguing concept into an increasingly sophisticated network of machines, sensors and devices. Gartner estimates that there are 6.4 billion devices connected to the internet today and predicts this number will grow to more than 20.8 billion devices in 2020. The McKinsey Global Institute recently estimated that the Internet of Things could generate $4 trillion to $11 trillion in value globally in 2025.
With the number of connected intelligent devices growing rapidly every day, the complexity, and with it the challenge of securing these devices and the data they generate, is growing rapidly as well. Even though the Internet of Things (IoT) is already starting to give rise to real-world applications, from connected homes and cars to health monitoring, energy management, traffic jam reductions and smart utility meters, many companies still hesitate to implement any IoT solution out of fear of being exposed to different security and identity risks. And these risks are not without foundation. Huge amounts of data are being transferred from the edge to the cloud in order to be processed, analyzed and used by different applications. These applications, as well as the operating systems they reside on, communicate with physical devices through device drivers and firmware.
Attackers can exploit these special classes of software to subvert and compromise hardware. With this, to some, the Internet of Things has become the Internet of Threats. Every single device and sensor in the IoT represents a potential risk. Significant numbers of IoT devices are not being used with security in mind. Many are publicly located or easily available for physical access. This makes them targets for capable attackers seeking to steal a single unit to physically analyze its components, facilitating advanced, compound hacks spanning both the physical and cyber environments. Access to a device enables skilled attackers to strip down and reverse engineer components, allowing them to expand their attack surface to firmware and logic circuits, providing multiple attack vectors for exploitation.
This is why it is extremely important to follow tight security guidelines when building any IoT solution:
- Implement security to every element of the IoT solution during design and development phase
- Reduce risk and complexity by data minimization
- Implement hardware based security
1.) Implement security to every element of the IoT solution during design and development phase
The data security aspects have to be embedded in all elements of the IoT ecosystem—the device, the network, the data itself, and the cloud platform. Computing platforms should have enough memory and compute resources to support complete and evolving security algorithms. Device, protocol and network diversity within a single IoT solution may require different authentication methods. Data must be securely available to multiple data collectors; this requires strong authentication and data protection at all levels. Evaluate risks.
2.) Reduce risk and complexity by data minimization
Limit data collection. The less data you store, the less exposure to vulnerability. Data that cannot be collected or has already been destroyed cannot be misused by criminals. Leverage the edge computing model, as this model minimizes the transmission of raw data such as video feeds, still images, MAC addresses, etc. to the cloud and thereby minimizes the opportunity for cyber criminals to get access to this data. In an edge computing model, an application will leverage data on the edge, perform the analytics and trigger different actions directly on the edge, immediately deleting all the unnecessary data. In this way, security is improved when encrypted data moves toward the network core. The data is checked as it passes through protected firewalls and other security points, making it difficult for viruses and active hackers to execute any malicious code.
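The edge pattern described above can be sketched as follows. This is an added example, not code from the original article or from any vendor it mentions; the record layout, function name, window length and alert threshold are assumptions, and the sample sightings are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample: raw sightings as an edge sensor might buffer them.
RAW_SIGHTINGS = [
    {"ts": 1000, "mac": "aa:bb:cc:00:00:01", "rssi": -48},
    {"ts": 1012, "mac": "aa:bb:cc:00:00:02", "rssi": -71},
    {"ts": 1030, "mac": "aa:bb:cc:00:00:01", "rssi": -50},
    {"ts": 1075, "mac": "aa:bb:cc:00:00:03", "rssi": -60},
    {"ts": 1090, "mac": "aa:bb:cc:00:00:02", "rssi": -69},
]

WINDOW_SECONDS = 60   # assumption: one summary per minute
OCCUPANCY_ALERT = 2   # assumption: threshold for the local action


def summarize_on_edge(buffer, window=WINDOW_SECONDS, alert_at=OCCUPANCY_ALERT):
    """Reduce raw sightings to per-window aggregates, then empty the buffer.

    Returns (summaries, local_actions). The summaries are the only data
    meant to leave the device; they hold no MAC or per-device record.
    """
    windows = defaultdict(lambda: {"devices": set(), "rssi": []})
    # Ephemeral key: the tags are comparable only inside this call and
    # cannot be recomputed once the key goes out of scope.
    key = secrets.token_bytes(32)
    for s in buffer:
        start = s["ts"] - s["ts"] % window
        tag = hmac.new(key, s["mac"].encode(), hashlib.sha256).digest()
        windows[start]["devices"].add(tag)
        windows[start]["rssi"].append(s["rssi"])

    summaries, actions = [], []
    for start in sorted(windows):
        w = windows[start]
        count = len(w["devices"])
        summaries.append({
            "window_start": start,
            "unique_devices": count,
            "mean_rssi": round(sum(w["rssi"]) / len(w["rssi"]), 1),
        })
        if count >= alert_at:  # decision taken locally, on the edge
            actions.append((start, "occupancy_alert"))

    buffer.clear()  # raw records are dropped once analysis is done
    return summaries, actions
```

Only `summaries` would be sent upstream; the raw buffer, including every MAC address, never leaves the device.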
3.) Implement hardware based security
As noted above, it is vital to include security aspects in every element of the IoT solution from early on. This is especially important from the hardware point of view, as traditionally the devices or “things” that are part of the IoT solution have not been designed with security in mind. In addition, very often the edge device, or the “thing”, has to be light, movable and small, and therefore has limited processing power, which makes it difficult to embrace encryption and other robust security measures. There are four major types of hardware attack: micro probing, software attacks, eavesdropping and fault generation. Typically, in a micro probing attack, a potential attacker will try to recover the security algorithm and crypto key stored in the microcontroller. In order to do so, they often need to get physical access to a device.
At Kontron, we take security very seriously. Our devices are secured by design. We partner with some of the leading security vendors, like Wibu-Systems, to protect our hardware and the software that is running on it. In case of malicious device replacement, the device will be blocked and isolated from the rest of the environment; in case of software manipulation, the malicious code will be recognized and blocked from execution. With our secure chips it is impossible to insert foreign memory chips and manipulate the rest of the infrastructure. The data is securely transferred from the edge to the cloud.
Take into account the probable impact it may have on human lives…
In the world of connected everything, it is essential to build a secure architecture that enables protection of every layer of the solution, including hardware, network, data transport, as well as the cloud used for data analysis and applications. Here we are talking of systems whose infiltration could lead to loss of lives or cause massive disruption to society. This is why it is imperative not only to take a holistic approach to risk assessment and mitigation but also to take into account the probable impact it may have on human lives. Security must be seen as an enabler for a business to be conducted in a secure manner which is transparent and works behind the scenes.