The Internet of Things (IoT) is fuelling a landscape of great business opportunity. From existing companies developing new product and service lines to harness this newly connected ecosystem, to brand-new start-ups developing fields like telehealth, smart manufacturing and autonomous vehicles, there is innovation and success at every turn.
But IoT success is not without its challenges. One of the most complex is security. How can you best protect your IoT product or business from malicious data theft, digital vandalism or simple human error, remaining compliant with relevant legislation and regulations, and offering peace of mind to your users?
The security challenges of the IoT
Security solutions, in an information technology context, are the multitude of ways in which organisations protect information. The data in question might require protection as a matter of legal or regulatory frameworks, such as individuals’ financial details or medical information, or it might be of particular value to the organisation, such as intellectual property.
As the tools and techniques cyber criminals deploy to target such data evolve and become more diverse and sophisticated, so the cyber security industry has to evolve to keep up. Protecting corporate infrastructures is a complex and ever-changing task – and the IoT is no different.
However, the IoT also introduces some additional challenges, making protecting it even more complex:
- Number of endpoints: Any organisation deploying the IoT vastly increases the number of connected devices within its infrastructure at a stroke – and every single one of those devices is a potential route into the organisation for malicious cybercriminals. Ensuring verification and trust for each individual IoT device is a huge management challenge, with the remote capture and control of those devices a constant risk.
- Scale of endpoints: Many of those IoT devices are relatively small and simple in comparison with tablets and laptops. An IoT device may be a simple sensor designed to measure and transmit temperature, for example. Such is the scale and simplicity of these devices that it can be difficult to ‘bake in’ the same sophisticated protection that can be afforded to traditional computing devices.
- Volume of data: The IoT fundamentally aims to capture and harness data – which means that the volume of information being collected, transmitted and stored by organisations dramatically increases. This scale creates security and management challenges alike.
- Complex contexts: Settings such as ‘smart’ factories, where a range of different IoT devices are deployed to build up a single connected ecosystem, are massively complex, with a huge number of potential attack scenarios to protect against. Deploying adequate security throughout demands a certain amount of automation, as well as a simple means of achieving visibility and control over a huge and dynamic environment.
- Vulnerable contexts: Certain applications of the IoT, such as in the fields of connected health and autonomous vehicles, create entirely new attack scenarios to protect against. In the IoT era, malicious cyber criminals can potentially intervene in the treatment of patients, or take remote control of a moving vehicle. These are whole new cyber risks, engendered by the IoT.
Securing the IoT: key considerations
Whether your organisation is developing IoT products or simply deploying them, the same general security considerations apply.
First, you need to consider the individual devices that form your IoT ecosystem. How can you ensure that every single one of those devices is registered, identifiable, verifiable and trusted? And how can you repeat that process of trust hundreds or thousands of times, as new devices are continually provisioned?
Second, you need to think about the data collected via your IoT infrastructure. How can you protect that data from malicious intervention and accidental leakage, from the point of collection through to analysis and storage?
Third, you need to think about management. How can you maintain visibility and control of your IoT environment on an ongoing basis? Clearly the scale of the IoT means that some level of automation is necessary, but how can you balance this with a comprehensive, real-time overview of your IoT ecosystem, with instant alerts and actions for potential security incidents?
Fourth, you need to think about scalability. The elastic dynamism of the IoT can be one of its greatest strengths, enabling organisations deploying it to take advantage of it rapidly, and organisations manufacturing devices for it to quickly build up large customer bases. But security can be difficult to scale just as rapidly whilst remaining comprehensive.
Finally, you need to think about the supply chain. Your IoT ecosystem does not end at your organisation’s perimeter. A wide range of manufacturers, vendors and other suppliers are typically involved in every IoT deployment – which means that each of those third parties has a potential impact on your own organisation’s security posture.
Securing the IoT: how to take action
We’ve covered the major challenges of securing your IoT product or business, and the key principles you need to consider when devising an IoT security strategy. Now let’s turn to the practical steps you need to take.
- Incorporate security at the design phase. This is both vital and often neglected, particularly by organisations developing IoT-enabled products. More than many other aspects of enterprise IT security, IoT security is far simpler to enable by design from the outset than to attempt to layer on further down the line. Thanks to the challenges already outlined, including the small scale and large volume of IoT devices in a typical setting, security by design is an enormously helpful principle.
- Securely register and provision all your connected devices. This aspect of your IoT security strategy is focused on ensuring that every connected device within your ecosystem is identified and can be trusted. There are several different possible approaches to IoT device provisioning. One strategy is to deploy a key generator – a tool which dynamically generates a cryptographic key for each individual connected device within an IoT environment. Once a device has been authenticated, a PKI certificate should be automatically provisioned, encrypted and delivered to the device. For lower-power devices that cannot support dynamic key generation, an alternative approach is to use PKI+ signatures. These use asymmetric key signatures and automated authentication key rotation policies to verify the identity of each device. All device identities should be stored in a centralised registry, and the chosen system needs to be able to rapidly provision new devices and remove defunct ones automatically.
- Set policies and password protections for each device. You need both a centralised security posture for governing all of the connected devices within your IoT environment, and a means of automatically setting and managing local account passwords across those devices. There may be contexts in which only privileged individuals should be able to access certain devices, or certain parts of the infrastructure.
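The signature-based identity scheme just described (a centralised registry of device identities, asymmetric signatures to verify each device, a key-rotation policy, and automatic removal of defunct devices), as an added Go example that is not part of the original article and does not describe any vendor's PKI+ product. The `Registry` type, the `digest` ID-binding scheme and the `Sign`/`Rotate` exchange are this example's own assumptions; the nonce a device signs is assumed to be generated fresh by the registry for each attempt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Registry is a hypothetical centralised identity registry: device ID -> current public key.
type Registry map[string]*ecdsa.PublicKey

// Enrol records a newly provisioned device's identity key, delivered over the provisioning channel.
func (r Registry) Enrol(id string, pub *ecdsa.PublicKey) { r[id] = pub }

// Decommission removes a defunct device so it can no longer authenticate.
func (r Registry) Decommission(id string) { delete(r, id) }

// keyBytes is the uncompressed point encoding of a public key (what a device signs when rotating).
func keyBytes(pub *ecdsa.PublicKey) []byte { return elliptic.Marshal(pub.Curve, pub.X, pub.Y) }

// digest binds a message to the device ID so a signature cannot be replayed as another device.
func digest(id string, msg []byte) []byte {
	h := sha256.Sum256(append([]byte(id+"\x00"), msg...))
	return h[:]
}

// Sign is the device side: prove possession of the identity key by signing a registry-issued nonce.
func Sign(priv *ecdsa.PrivateKey, id string, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(id, msg))
}

// Authenticate verifies a device's signature over the nonce against the key on record.
func (r Registry) Authenticate(id string, nonce, sig []byte) error {
	pub, ok := r[id]
	if !ok || !ecdsa.VerifyASN1(pub, digest(id, nonce), sig) {
		return errors.New("unknown device or invalid signature")
	}
	return nil
}

// Rotate applies the key-rotation policy: the new public key must be signed by the current key.
func (r Registry) Rotate(id string, newPub *ecdsa.PublicKey, sig []byte) error {
	pub, ok := r[id]
	if !ok || !ecdsa.VerifyASN1(pub, digest(id, keyBytes(newPub)), sig) {
		return errors.New("rotation rejected: not signed by the current identity key")
	}
	r[id] = newPub
	return nil
}
```

Because the digest includes the device ID, a signature captured from one device is useless when presented under another ID, and because rotation must be signed by the key currently on record, the registry only ever replaces an identity at the request of its present holder.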
- Encrypt data comprehensively. All data generated via your IoT environment – which includes both the data captured by your connected devices and the authentication and verification information outlined above – should be encrypted from the point of generation onwards. Data must be encrypted in storage and in transit, always.
- Choose an easy-to-use and comprehensive API. An oft-overlooked but essential aspect of IoT security is the API of the system you choose to manage it. This should be easy to use and intuitive, offering a single-pane-of-glass view of the entire IoT infrastructure, with the ability to provide security alerts, notifications and logs automatically. Managing security for the IoT is a huge and complex task – you need to be able to hand over the legwork to an automated platform.