By Michael Fauscette
Business use and adoption of the Internet of Things (IoT)—already high in the industrial, asset-intensive industries—is exploding, with analyst firm estimates ranging from six to 17 billion devices deployed through the end of last year and growing in double digits for the foreseeable future. There are many use cases and nearly all of them are compelling, offering high return on investment and solving some difficult business issues.
With the proliferation and growth of any new technology, there is a darker side that also needs to be addressed. IoT systems are a connection between the physical and digital worlds, which leads to a great deal of security complexity. The security risks are high and many businesses are not prepared to defend against a host of emerging threats. In addition, there is a shortage of IoT experts—particularly in IoT security—that makes hiring difficult for many businesses. What can businesses do to protect themselves while still taking advantage of the benefits of IoT technology?
Defending IoT Networks
To understand how to defend IoT networks it’s useful to first look at how they are generally deployed and used. In a very simplified form, an IoT system consists of four layers: (1) IoT devices and sensors; (2) data connectivity to and from the IoT devices; (3) IoT data processing, analysis and management; and (4) the business user interface (UI).
The layers usually operate in this sequence. However, a growing number of networks reverse some or all of layers two and three by moving the data processing and analysis out to the IoT devices. This is sometimes referred to as “edge computing.” Inside each layer there is a range of devices and varying levels of complexity. IoT sensors are the smallest building blocks of the system and are often combined into a device that enables monitoring and also some level of interaction in a process. Devices can then perform some processing before passing the data into the analytics system, either directly or through cloud gateways. On the front end, the UI can exist inside a number of management systems and often includes a mobile component. All of these levels, sub-elements, and layers of processing add to the complexity of securing the system against exploitation.
IoT security must address a host of issues including identity for devices, sensors and users, authentication and authorization, and security for data at rest and in motion. In addition, the layers exist in a distributed architecture that is connected through a variety of standards and protocols. The system has all the vulnerabilities of any other network, but those vulnerabilities are plentiful and can be dispersed over large areas. Several existing technologies are used to increase the security of the IoT system.
Security for IoT
Here we describe a few types of security that can be used with IoT systems, including data encryption, authentication, API security, and security monitoring and analytics.
Data Encryption
This is a fundamental security method that every IoT system should incorporate. The data should be encrypted using standard cryptographic algorithms both at rest and in motion on the network traveling from sensors to backend processing. The process must also include lifecycle management of all encryption keys. This can be complicated somewhat by the diversity of sensors, protocols, and devices.
Authentication
Several types of identity are essential to the security of an IoT system. You should authenticate the identity of individuals who interact with the system, although this likely falls inside the existing corporate identity management system, which can use everything from simple passwords to multi-factor authentication to risk-based identity management. The system must also be capable of authenticating IoT devices and sensors to system users and to other machines on the system. This machine-to-machine authentication mostly uses PKI/digital certificates, but the sheer number and diversity of devices makes that a very complex problem to manage.
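The machine-to-machine check described above, as an added example in Go (not code from the original article): a backend verifies a device certificate against the fleet CA and takes the device identity from the certificate subject, while a self-signed certificate that claims the same device ID is rejected. The `fleet-ca` and `sensor-0042` names are constructed, and the example issues all keys and certificates in-process for illustration; in a real fleet the device key lives on the device (ideally in a secure element) and the CA is run by a PKI service.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes a key pair and a certificate for cn signed by parent (self-signed when parent is nil); a CA
// template gets CertSign usage, a device template gets ClientAuth only, so devices can authenticate but not issue.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a real device keeps this in a secure element
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// DeviceIdentity is the backend check on a presented device certificate: verify the chain to the fleet CA
// for client authentication, then take the device ID from the subject CN; untrusted certificates give an error.
func DeviceIdentity(fleetCA, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}
// Demo issues a fleet CA, a legitimate sensor certificate and a self-signed impostor claiming the same device
// ID; it returns the identity the backend accepts and whether the impostor was rejected.
func Demo() (string, bool) {
	ca, caKey := issue("fleet-ca", 1, true, nil, nil)
	sensor, _ := issue("sensor-0042", 2, false, ca, caKey)
	impostor, _ := issue("sensor-0042", 3, false, nil, nil)
	id, _ := DeviceIdentity(ca, sensor)
	_, err := DeviceIdentity(ca, impostor)
	return id, err != nil
}
```

Revocation and certificate renewal are the lifecycle pieces this check does not cover, and they are where the management burden the paragraph mentions actually lands.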
API Security
As the data travels between sensors, devices, applications (apps), and systems, many REST-based APIs will be involved. These integrations can be weak points in the network, so they must be part of the authentication strategy in order to ensure the integrity of the data exchanged with devices, apps, and the developers of those apps.
Security Monitoring and Analytics
A key part of the security system is the ability to collect, aggregate, and monitor the sensor and device data. Protecting the perimeter, the end points, and the data requires actionable alerts and notifications if anything falls outside of defined parameters. As threats become more sophisticated, these monitoring systems must also evolve. Many monitoring systems incorporate artificial intelligence technologies to automate continuous monitoring and activate the necessary defenses in the face of an attack. Intelligent security is a rapidly evolving area of technology for both white and black hats.
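The "defined parameters" rule from the paragraph above, as an added example in Go (not code from the original article): telemetry records are checked against per-device limits, data from a device that is not in the registry is flagged, and a registered device that stops reporting is flagged too. The device names, limits and telemetry records are constructed for the example; a real deployment would load the registry from its device management system.

```go
package main
import (
	"fmt"
	"sort"
	"strings"
	"time"
)
// Limits are the "defined parameters" for one sensor: the acceptable reading range and how long it may stay silent.
type Limits struct{ Min, Max float64; MaxSilence time.Duration }
// Fleet is a constructed device registry; in production it comes from the device and identity management system.
var Fleet = map[string]Limits{
	"pump-7":   {Min: 20, Max: 80, MaxSilence: 90 * time.Second},
	"boiler-2": {Min: 150, Max: 220, MaxSilence: 60 * time.Second},
}
// Telemetry is a constructed sample of the "timestamp device value" records a gateway forwards to the backend.
const Telemetry = `2017-11-01T10:00:00Z pump-7 45.2
2017-11-01T10:00:00Z boiler-2 190.0
2017-11-01T10:01:00Z pump-7 97.5
2017-11-01T10:01:30Z valve-9 12.0
2017-11-01T10:03:00Z pump-7 47.1`
// Alerts returns alerts for malformed records, unregistered devices, out-of-range readings, and devices silent too long as of now.
func Alerts(records string, now time.Time) []string {
	var out []string
	lastSeen := map[string]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(records), "\n") {
		var tsStr, id, val = "", "", 0.0
		_, err := fmt.Sscanf(line, "%s %s %g", &tsStr, &id, &val)
		ts, terr := time.Parse(time.RFC3339, tsStr)
		if err != nil || terr != nil {
			out = append(out, "malformed record: "+line)
			continue
		}
		lim, known := Fleet[id]
		if !known { // never act on readings from a device the registry has no identity for
			out = append(out, tsStr+" unregistered device "+id)
			continue
		}
		lastSeen[id] = ts
		if val < lim.Min || val > lim.Max {
			out = append(out, fmt.Sprintf("%s %s reading %.1f outside [%.0f,%.0f]", tsStr, id, val, lim.Min, lim.Max))
		}
	}
	for id, lim := range Fleet { // silence can mean an outage, tampering or a severed link
		if now.Sub(lastSeen[id]) > lim.MaxSilence {
			out = append(out, id+" silent since "+lastSeen[id].Format(time.RFC3339))
		}
	}
	sort.Strings(out) // deterministic order for the notification pipeline
	return out
}
```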
Proceed with Care
The growing capabilities of IoT-enabled systems offer many business advantages. As with most technologies, risks are involved, particularly in an age when “bad actors” are more likely to try to penetrate systems. Providing a secure environment for systems that are highly distributed, composed of sensors with diverse standards and protocols, and generating massive amounts of data that must be protected at rest and in motion is challenging. It requires the rigorous application of existing capabilities while quickly developing more sophisticated technologies to meet modern threats.
Nov 2017, Software Magazine