There is a wide variety of approaches to how an ecosystem identifies devices and how those devices authenticate to services. Ultimately, the mechanisms your organization chooses to employ will be, and should be, driven by higher-level strategy and perspective. IoT strategy revolves around two central factors. It will be rare for an organization to implement an IoT product just for the sake of technology, so first and foremost, organizations need to articulate high-level ideas like how, where, and why they want to leverage IoT concepts to generate new value for their business.

Answers to these questions will then drive the product capabilities, connectivity and integrations required to achieve the strategic vision. Another critical factor requiring analysis, but unfortunately often addressed too late in the development cycle, is the risk assessment and selection of risk mitigation technologies in the IoT solution.

This risk profiling helps to look at all the potential threats to safety, privacy, fraud, and other potentially negative areas. The risk magnitude or concern associated with each area depends on a huge range of factors, including but not limited to the company’s general risk threshold, industry of operation, and legislative constraints. When peeling back the IoT ecosystem profile, there are a number of general areas that organizations will need to be concerned with in order to appropriately mitigate risks associated with their IoT solution.

Define and Assess the Risks and Attack Vectors

First, let’s consider a sampling of potential risks and attack vectors against an IoT ecosystem. Many of the attacks in IoT mirror traditional cyber-attacks, such as Thing in the Middle, Denial of Sleep, Eavesdropping or Snooping, or a replay attack. The impact of each of these attacks will vary significantly based on the details of the ecosystem and device environment, as well as the aforementioned business risk concerns. However, we can generalize a bit to dive into the details and mitigation of some of these.

If we take the Thing in the Middle concept, we can imagine a scenario where a malicious party wants to fake temperature data from a monitoring device in order to force a piece of machinery to overheat, thereby causing physical and financial damage to the operating organization. There are a number of technical components that could be employed to mitigate this risk. Ultimately, though, the question is: how does the relying service trust the data sent from the device? Trust is a very interesting concept in these IoT ecosystems, as it depends not only on the definition of the term, but also on the assurance needs of the relying parties and the technical capabilities of the endpoints in the ecosystem. A core topic related to trust is the concept of identity. So, how can the service receiving and making decisions from the device sensor data trust both who is sending the data and the data itself? First, the service needs to establish trust with the source of the data – this is authentication. Second, it needs to be assured that the data has not been modified since it was sent over the network – this is integrity.

We’ll focus most of this discussion on the authentication side of the equation. There are a couple of areas to this question, but first we need to look at how the device authenticates and proves to the services that it is an entity the service trusts. This authentication can be done in numerous ways: with a device name/password, shared secrets, API keys, symmetric keys, or certificates with PKI. Each of these solutions has tradeoffs between security, assurance, ease of use, scalability, feasibility and cost to implement. In the assurance area, we can look at a specific question: how can the relying services be assured that the device is who it says it is?

Assessing Assurance

If we compare the device name & password scenario with a scenario leveraging digital certificates & PKI, assessing the assurance level means asking questions along the following lines:

  • How were the credentials generated?
  • How were they provisioned to the device?
  • How are they stored on the device?
  • Were the credentials sent in clear text at any point where a 3rd party could have intercepted them?
  • Were the credentials updated after provisioning, and if so, was it done securely?

Strong Identity and Authentication Mechanisms

Within this framework, I’ll speak to a ‘best practice’ implementation of PKI and compare it to a more traditional device name/password scenario, demonstrating how to build a higher assurance model, which enables greater risk reduction and less likelihood of falling victim to a Thing in the Middle attack, while addressing some of the questions raised above.

One of the benefits of PKI in our device context is that it can be implemented without the relying service knowing any part of the device’s secret. PKI relies on two parts: a public key, often bound to an identity certificate, which can be exposed publicly, and a private key, which should remain just that, private. In a device environment, the best practice here is to leverage secure hardware, like a Trusted Platform Module or equivalent, for generation and storage of the private keys. These hardware containers provide very strong assurance that the private keys have not been and will not be exposed. By starting with these secure hardware components to secure keys, you have a great basis for building trusted identity. Leveraging the assurance of the key storage, in a certificate-based PKI deployment you will want to issue a digital certificate which binds some notion of identity information to the public key corresponding to the private key. This process is often done with devices on the manufacturing line. This digital certificate can now be used in a number of scenarios to securely authenticate the device, and also to bootstrap communication privacy negotiation with the relying services, all without the secrecy of the private keys being at risk.

Comparing this approach to a standard username and password, there are numerous points where the assurance starts to degrade. The generation of the username and password must be done somewhere. Maybe that can be done on the device, but often that will fall to another service, with the credentials then sent to the device during provisioning. In this device name/password example, there are numerous areas where the credentials have the potential to leak out or be intercepted.

Let’s then move to the usage of these credentials for authentication to services. Ideally, the exchange of credentials takes place over an encrypted channel, so that they can’t be intercepted. Interception of the device name/password credentials is a significant risk, whereas in the PKI scenario interception of the credentials is a minor point, as the exchange really only revolves around the public key and certificate, which can’t be used in any useful way without possession of the corresponding private keys, which are protected in the device’s storage. Within the PKI scenario, we also have the opportunity to gain more than one benefit by leveraging an authentication approach such as Mutual TLS, which both authenticates each party and, by the end of the handshake, establishes a secure channel between the two endpoints. Within the device name/password scenario, the secure channel establishment is likely going to be a separate activity.
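
The authentication and integrity checks discussed above, as an added example that is not part of the original article: a device signs each reading with a private key the service never sees, and the service verifies the signature and rejects replayed messages. The names, the `pump-7` ID, the per-device counter and the in-memory Ed25519 key (standing in for a hardware-protected key) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Reading is one telemetry message; Counter must grow with every message.
type Reading struct {
	DeviceID string
	Counter  uint64
	TempC    float64
}

// encode is the canonical byte form that gets signed and verified.
func (r Reading) encode() []byte {
	return []byte(fmt.Sprintf("%s|%d|%v", r.DeviceID, r.Counter, r.TempC))
}

// Enrolled is the service's record of one device: a public key, never a secret.
type Enrolled struct {
	ID   string
	Pub  ed25519.PublicKey
	Last uint64 // highest counter accepted so far
}

// Provision models enrollment: the private key is reachable only via sign.
func Provision(id string) (func(Reading) []byte, *Enrolled, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, nil, err
	}
	sign := func(r Reading) []byte { return ed25519.Sign(priv, r.encode()) }
	return sign, &Enrolled{ID: id, Pub: pub}, nil
}

// Accept authenticates the sender, checks integrity, then rejects replays.
func (e *Enrolled) Accept(r Reading, sig []byte) error {
	if r.DeviceID != e.ID || !ed25519.Verify(e.Pub, r.encode(), sig) {
		return errors.New("unknown sender or modified data")
	}
	if r.Counter <= e.Last {
		return errors.New("replayed or stale message")
	}
	e.Last = r.Counter
	return nil
}

func main() {
	sign, svc, _ := Provision("pump-7")
	r := Reading{DeviceID: "pump-7", Counter: 1, TempC: 71.5}
	fmt.Println("genuine:", svc.Accept(r, sign(r)), "| replayed:", svc.Accept(r, sign(r)))
}
```

Because the service stores only the public key, a copy of its device records gives an attacker nothing that can sign a forged temperature reading.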

Finally, looking at the lifecycle of the devices, we often need to consider the mechanisms employed to update the devices while in the field. It’s undoubtedly not a trivial task, but it should be feasible in each case. Leveraging PKI, the device with secure hardware should have the capability to generate new keys if needed, and send updated certificate signing requests to the services. In this scenario, again, the private components stay private. In a device name/password scenario, by contrast, the update and sharing of new credentials reopens the questions about the security of the mechanisms used on the device to generate new credentials, the storage of those credentials, and the transport of the credentials to the service.
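
The renewal step described above, as an added example (not code from the original article or from GlobalSign): the device creates a new key pair and a certificate signing request, and the service checks the request before any certificate would be issued. The function names, the `pump-7` ID and the choice of Ed25519 are assumptions, and certificate issuance itself is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// RenewalCSR runs on the device: it generates a fresh key pair and returns the
// CSR (DER). The private key is returned only so the example can inspect it.
func RenewalCSR(id string) ([]byte, ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: id}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	return der, priv, err
}

// CheckCSR runs on the service before anything is signed. authenticatedID is
// the identity the requester has already proven (assumed input).
func CheckCSR(der []byte, authenticatedID string) (ed25519.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("no proof of possession: %w", err)
	}
	if csr.Subject.CommonName != authenticatedID {
		return nil, errors.New("CSR names a different device")
	}
	pub, ok := csr.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, errors.New("key type not allowed by policy")
	}
	return pub, nil
}

func main() {
	der, priv, _ := RenewalCSR("pump-7")
	pub, err := CheckCSR(der, "pump-7")
	fmt.Println("accepted:", err == nil, "| key matches device:", pub.Equal(priv.Public()))
}
```

The CSR signature proves only possession of the new key, so `authenticatedID` should come from a channel already authenticated with the device's current certificate, such as the Mutual TLS session discussed earlier.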

Just the Tip of the Iceberg

By now, it’s apparent that this discussion can go much deeper into the analysis of risks and the use of specific technologies to mitigate them. Identity is a huge concept which, when addressed holistically, can help you architect your ecosystem in a safe and secure manner. When building IoT solutions, operators and device manufacturers are very well served by finding partners with background and expertise in securing communications, rather than attempting to implement an in-house or custom solution. Security cannot be a bolt-on feature; it requires organizations to perform deep analysis of the goals and the risk profiles the organization is willing to accept. If you have a specific use case or scenario, and are tackling these problems, we’d love to work with you to help build a practical and cost-effective solution to secure your IoT vision.

If you’re like Lancen LaChance, GlobalSign’s VP of Product Management for the Internet of Things (IoT), you spend your nights thinking about the unprecedented value and opportunity the IoT presents, while also worrying about how to secure it all. As more IoT systems move from the drawing board to production phases, it’s more important than ever to keep security top of mind.

We sat down with Lancen and spoke to him about some of the challenges and opportunities that are surrounding IoT security and what we can do to increase adoption, while still maintaining a safe environment.

What Does the Term “Internet of Things” Mean to You?

The Internet of Things is an extension of connectivity into a broader range of our environment which enables greater data insights, analytics and control capabilities of our world.

From our perspective, we like to think about the Internet of Everything (IoE). This is because while the ‘things’ in the equation are the key driver in some of the new components of this internet evolution, there are still the critical existing components of the Internet (servers, applications, users, organizations and more), with which all these ‘things’ need to interface and interact.

What Are Some Real World Applications of IoT Technology? Where Do You See It Adding the Most Value?

The demand for connected devices spans multiple industries, including energy, automotive, consumer devices, healthcare and more. Ultimately the potential in solving real-world problems is only limited by your imagination and time horizon to consider.

However, if we limit that to the next three to five years, there are some key areas we could address. From a business perspective, I see two basic areas an IoT solution can impact the bottom line – optimization and enhanced features. The first is the ability to enable improved efficiency and thus improve the cost drivers in a business environment. The second is the ability to add new features into a product or service which aid in competitive differentiation, adding additional value to the buyers of the product/service and allowing the provider to collect additional revenues.

From our perspective, we see tremendous value and interest in applying these technologies to improve efficiencies within more industrial and manufacturing sectors. Improving efficiencies and reducing waste in these environments by even a couple of percentage points has great impact on the bottom line. In the medical space, connected healthcare is not only improving the efficiencies of healthcare provider operations, but the integration of health data with machine learning, analytics and remote response capabilities is also resulting in healthier patients.

I think the biggest opportunities lie outside some of the “flashy” consumer-level devices like wearables, thermometers and smart refrigerators. Don’t get me wrong; they are important, but breaches in these systems don’t necessarily create emergency situations like they would in the industrial sector.

The Industrial IoT includes critical machines and sensors in high-stakes industries like defense, automotive, aerospace, energy and healthcare. The industrial sectors will see tremendous benefit from the IoT.  Government and municipalities also have incredible opportunity to reduce costs by improving efficiencies. And of course, technology vendors with IoT-specific solutions that are responsive to these new markets will have a huge opportunity.

We’re very interested in IoT in the industrial and manufacturing environments, automotive and in the networking space. These areas are specifically interesting to us due to both the potential business value IoT presents, as well as the security requirements of those environments. Security in these systems is paramount and must be adaptive and scalable.

What Are Some Technical Considerations for Implementing an IoT Solution?

At a basic level, the solution looks at the means you choose for gaining data from sensors on a device/platform, getting that data to the decision making entities in the system and potentially getting control commands back to the device from a decision making entity – doing this, while also being efficient and secure.

The Internet contains a range of existing technologies to enable this, both in specific protocols and software stacks, but also in architectural models. However, as additional constraints of hardware, connectivity, power and volume of data are introduced into the systems, novel approaches and technical solutions are being applied. In this area, we see trends such as Low Power networks, adoption of lighter weight cryptography like ECC, mesh and gateway-based networks all being implemented to arrive at these solutions.

What Kind of Skills, Technologies, and Systems Are Needed to Develop IoT Systems or Applications?

IoT is ultimately going to force deep experience in a range of technologies in both hardware and software. We will see some of the most complex systems in human history built over the next decade and therefore there is also a meta-layer of systems engineering that will be essential to the success of these environments.

The range of hardware environments is exploding. The device lifecycle becomes increasingly important. Ideally, I’d hope that the implementations stand on the shoulders of technology giants and leverage proven and widely deployed approaches as much as possible.

What Are the Most Widely-Used IoT Technologies So Far?

In the first iterations, we definitely see IoT solutions being like smaller versions of the existing Internet, leveraging TCP/IP and Wi-Fi. In security technology, we see tremendous interest and application of PKI, as devices are able to handle cryptography quite well. It scales to billions of devices and provides a means toward a range of information security principles.

What Barriers to IoT Adoption or Development Do You See?

Brownfield deployments will certainly be a factor – where legacy equipment and technologies are being retrofitted, or upgraded with new capabilities.

Appropriately assessing the information security risk and applying architectural and technological solutions to mitigate it will be difficult. We see trends where organizations have excellent operational capabilities in manufacturing physical products/equipment and are now looking to fold in new connected IoT-type capabilities, but they have not fully brought the appropriate software development and information security mindset into their organization.

In some cases, the organization is just honestly ignorant of the risks. In other cases, they’ve made faulty decisions to postpone or not address appropriate information security practices based on assumptions that they can build it in later or even that a potential compromise impact will be small.

How Do You Propose Meeting Some of These Challenges?

The Internet of Things is a natural extension to the capabilities the Internet of today provides. GlobalSign has worked on a number of IoT-related security implementations over the past few years and is keenly in tune with the evolutions and nuances of building trust models and applying proven technologies in this new dimension of the Internet.

PKI is a tried and true standard that has been securing connections between servers, machines and devices for decades. It provides key information security capabilities, including authentication, encryption and data integrity and with GlobalSign’s high volume services and agile certificate profiles, it can be adapted to meet the velocity, variety and volume needs of the IoT. And our IAM infrastructure enables the complex relationship management (e.g. hierarchies, delegation, self- or automated enrollment) needed to support the scale and heterogeneity of IoT ecosystems.

Most importantly, we believe components of an IoT environment must be flexible, functional and easy to use, thus not compromising the user experience. And to meet these qualifications, there is no question that security must be designed into IoT systems from the beginning.