IoT: Three Types of Security
IoT security will never be confused with Fort Knox. It is very important that IoT be secured in a way that is both technically and economically appropriate. But an IoT strategy that does not incorporate active security measures is not a strategy, but something more akin to hope.
A recent ZDNet article called attention to LoRaWAN security vulnerabilities. Another article suggests premature deaths will occur in healthcare because “The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities.”
Continued, unabated IoT security issues will likely challenge public trust and draw legislative attention, slowing adoption. Here are some thoughts to keep in mind before we lay out the three types and components of any IoT security strategy and the role of standards:
- Devices are often remote, constrained, and isolated, making them inherently vulnerable and expensive to service;
- Organizations must pragmatically adopt security in a way that does not adversely affect solution performance and/or operational costs;
- Organizations are good at calculating front-end solution development costs but bad at calculating back-end operational costs of poor IoT implementations;
- Poor security practices will, at a minimum, slow IoT adoption, with more disastrous consequences (ransomware, industrial espionage, DDoS attacks, etc.) not unimaginable;
- Increasingly, companies will face regulations like those seen in California, Japan, and the UK.
Technology: The Checklist
Any solution you adopt should have at a minimum the following checklist of security capabilities:
- Secure onboarding (bootstrap server)
- Device authentication
- Device authorization
- Data encryption
- A strong key and certificate management plan for all levels
- Remote over-the-air firmware/software updates (quickly apply security fixes)
- Internal and external secured APIs (platform side)
Nice to haves:
- A secure element for key storage, encryption, and decryption
- Predictive security (device and platform-side)
Unfortunately, many IoT devices are left unsecured for the simplest of reasons: people don’t use the security available to them. California, Japan, and the UK require default passwords to be changed when the devices are turned on because so many devices were just being left on their default settings.
For most organizations, the potential costs are just too high for this to be permitted.
Once you’ve established a checklist, your organization must apply those procedures or risk the consequences.
You may wish to consider periodic audits to ensure nothing is left to chance and that minimum standards are being met.
Behavior: A Smarter Mousetrap
Each solution has a specific behavioral topography. The devices tend to send the same data, in similarly sized data packets, over the same networks, at similar intervals, much like traffic entering and leaving a city during rush hour.
Any solution behavior that is not defined and/or habitual may be considered atypical, and thus suspect. Device management solutions should have sufficient technical depth to recognize atypical behavior and address it via standardized security practices, like quarantining and/or rebooting the device.
Anything less than this is not acceptable.
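As an added illustration of the behavioral baseline described above (example code written for this article, not IoTerop's product or any LwM2M implementation), the following learns each device's habitual payload size, send interval and destination from constructed sample telemetry, flags reports that depart from that baseline, and maps the deviations to an assumed quarantine/reboot policy:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (device_id, timestamp_s, payload_bytes, destination):
# a sensor reporting ~48 bytes to one gateway about once a minute.
BASELINE = [
    ("sensor-01", 0, 48, "lora-gw.example"), ("sensor-01", 60, 48, "lora-gw.example"),
    ("sensor-01", 121, 50, "lora-gw.example"), ("sensor-01", 180, 47, "lora-gw.example"),
    ("sensor-01", 240, 48, "lora-gw.example"), ("sensor-01", 299, 49, "lora-gw.example"),
]

def build_profile(records):
    """Learn each device's habitual payload size, send interval and destinations."""
    per_device = defaultdict(list)
    for dev, ts, size, dst in sorted(records, key=lambda r: (r[0], r[1])):
        per_device[dev].append((ts, size, dst))
    profiles = {}
    for dev, rows in per_device.items():
        if len(rows) < 2:          # no interval can be learned from a single report
            continue
        sizes = [s for _, s, _ in rows]
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        profiles[dev] = {"size_mean": mean(sizes), "size_sd": pstdev(sizes),
                         "gap_mean": mean(gaps), "gap_sd": pstdev(gaps),
                         "destinations": {d for _, _, d in rows}}
    return profiles

def deviations(profile, prev_ts, ts, size, dst, k=3.0):
    """List the ways one new report departs from the device's baseline."""
    reasons = []
    if dst not in profile["destinations"]:
        reasons.append("unknown destination %s" % dst)
    # Tolerance is k standard deviations, but never tighter than 10% of the mean,
    # so a very regular baseline does not flag harmless jitter.
    size_tol = max(k * profile["size_sd"], 0.1 * profile["size_mean"])
    if abs(size - profile["size_mean"]) > size_tol:
        reasons.append("payload size %d outside baseline" % size)
    gap_tol = max(k * profile["gap_sd"], 0.1 * profile["gap_mean"])
    if abs((ts - prev_ts) - profile["gap_mean"]) > gap_tol:
        reasons.append("interval %ds outside baseline" % (ts - prev_ts))
    return reasons

def action(reasons):
    """Assumed policy: new destination or changed size -> quarantine; timing drift alone -> reboot."""
    if not reasons:
        return "allow"
    if any(r.startswith(("unknown", "payload")) for r in reasons):
        return "quarantine"
    return "reboot"
```

In practice the baseline would be learned from a much longer window and re-learned after each authorized firmware update, since a legitimate update can change both payload sizes and reporting intervals.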
The Role of Standards
All this can seem rather daunting, especially to organizations seeking to deploy their first IoT solutions. And frankly, it is hard to get organizations to prioritize security practices because they do not, in and of themselves, create value; instead they are perceived as cost centers.
Starting with a foundation of rich device services based on an industry standard, like Lightweight M2M, assures you have the right mix of security functionality and supported processes out of the box, letting you focus more resources on creating business value.
Further Reading: Securing Industrial IoT: There is no simple answer
This article was written by Jacques Bourhis. He is CTO of IoTerop, an award-winning leader of IoT device management solutions and an important contributor to open-standards. Our Lightweight M2M compliant framework of rich device services enables companies to build future-proof industrial Internet-of-Things solutions quickly. Customers include Itron, Traxens, and Elvaco.