Strong but adaptable IoT security built on M2M foundations


In discussions on the future of the Internet of Things (IoT) there has been a lot of justifiably intense attention paid recently to security vulnerabilities and the potential loss of control of personal privacy.

Despite all the experience available in implementation of security solutions for M2M, however, the options for action discussed are often limited to a reaction of panic or to finding ways to bolt extra security capabilities onto existing IoT architectures, according to Haydn Povey and Jon Howes of Beecham Research Ltd. The latter can seem to offer a way to a more secure future, but looking more closely at the threats and the realities of the IoT leads us towards very different conclusions where systems must be made adaptable in the face of rapidly evolving attacks.

The challenge we face is that we have to change the way that we think about IoT security as an industry where solution specifications are not as clear and fixable as for M2M. Far too often security is something which product developers try to bolt on later, and you can do it in some ways with Secure Elements and SIMs that have also been used for carefully architected M2M systems. You can solder them into products, or you can have subscriber modules in trays, as we do on phones, and you can depend on the past M2M experience of leaders like Gemalto and Giesecke & Devrient.

But fundamentally we need to build security in from the ground up if we are going to create an environment where the Internet of Things is actually going to function as needed.

Threats emerging and increasing

Threats are emerging in the many different use cases of IoT and in the changes of style that are complicating the security issues, decisions, and architectures of the past M2M scene.

[Figure. Source: Beecham Research Ltd]

We can look back at Stuxnet, which was very clever, and allegedly made by the best experts inside the security services. But here the very attack technologies used to protect us are being refarmed and retargeted by those who threaten our IoT systems. This greatly increases the number, strength and capabilities of attacks.

As the IoT increases in sophistication the threats are not limited to targeting a single type of connectivity. The new IoT capabilities relate to many connectivity types, and the interactions and the mix of those connectivity types in multiple networks.

Massive vulnerability

Heartbleed also showed how fallible we are in the face of the complexity of modern systems. While this specifically impacted the world of IT, it’s a fundamental issue at the heart of all protection technologies. In that case larger appliances got fixed, but a lot of ‘things’, the routers, were just binned. But you can’t bin stuff that becomes part of your infrastructure, embedded deeply in everything you are doing, and that’s where the IoT is heading.

Little impact, so far

The impacts of those attacks affect us all differently. Traditionally, IT attacks have very little impact on our daily lives. They are down at the lower levels of Maslow’s hierarchy of needs. It’s food. It’s warmth. But it’s still liveable with, you can get away with it.

However the IoT has the ability to impact every level of needs throughout our lives – and to do that extremely rapidly. It’s far more costly, disruptive, and it can be practically immediate. So the food in your fridge, or the supermarket shutdown, disruption of the food chain, these things can be rapidly affected and denied to you, and they really matter.

With ‘9 meals’ being described widely as the length of the food supply chain, any disruption by a successful attack could leave us close to anarchy. And that is true for warmth and shelter, too.

Securing our IoT future

So the industry really requires some form of holistic approach. We need to extend beyond the essential encryptions of data at rest and in flight that people are realising are necessary. We need to make sure we have interoperability of identity, of authentication, and of authorisation. In taking that holistic approach we need to work with all stakeholders in the brave new world of IoT.

[Figure. Source: Beecham Research Ltd]

We also need to really go deep though. We need to have a deep root of trust, and secure foundations built around that.

The long term lifecycle of IoT systems is also key. These things are going to go into place and stay there for 10 years.

As well as remote monitoring for anti-malware, we need to presume that all systems will suffer successful exploits as a result of prolonged and sophisticated attacks.

IoT security needs to be about low-cost architectures, right down from the secure nodes, avoiding the use of random microcontrollers which can’t protect themselves. We must work to embed a deep root of trust that can be relied upon out to the top levels of the cloud.

In truth all of these requirements are simply implementations or extensions of the best practices identified in the 20 Critical Security Controls by the Council on Cybersecurity, the global NGO tasked with leadership in the IT domain. However, as we all know, there is a massive gap between best practice and real implementation.

Reacting to exploits: The need for remediation

We have to assume in the future that devices will become compromised. They will fail to deny attacks. Although we do need to deny the attacks as strongly as possible, we also need to plan for failure. And we need to make sure we have methods for reset and remediation of those failures when attacks succeed, enabling us to regain control and then build our defences higher. These will be technology requirements for the next generation of silicon, for the next generation of devices.

So, we have to be able to reset the IoT devices, we have to regain control, and we have to remediate. That has real cost issues down at the silicon level. It means that you have to have very strong identification alongside very strong cryptography.

You then have to take an encrypted update package and decrypt it on the fly, so you have to have enough memory to do that. You have to have all of the necessary cryptography capability. And then you have to have a multi-stage boot with a very strong root of trust to instantiate that.
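The update step described above can be sketched as follows. This is an added example, not code from Beecham Research or any product: it authenticates and decrypts a package one small chunk at a time and keeps the known-good image if anything fails to verify. It assumes a pre-shared per-device key pair (`enc_key`, `mac_key`), a constructed 64-byte chunk size, and an HMAC-based keystream standing in for AES-CTR; all function names are hypothetical.

```python
import hashlib
import hmac

CHUNK = 64  # constructed value: RAM the device can spare for one chunk


def _keystream(key: bytes, nonce: bytes, index: int, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for AES-CTR (no AES in the stdlib).
    out, block = b"", 0
    while len(out) < n:
        msg = nonce + index.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def _tag(mac_key: bytes, nonce: bytes, index: int, is_last: bool, ct: bytes) -> bytes:
    # Binding the index and a last-chunk flag defeats reordering and truncation.
    msg = nonce + index.to_bytes(4, "big") + bytes([is_last]) + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def build_package(enc_key: bytes, mac_key: bytes, nonce: bytes, firmware: bytes):
    """Vendor side: encrypt-then-MAC each CHUNK-sized piece of the image."""
    pieces = [firmware[i:i + CHUNK] for i in range(0, len(firmware), CHUNK)]
    package = []
    for i, pt in enumerate(pieces):
        ks = _keystream(enc_key, nonce, i, len(pt))
        ct = bytes(a ^ b for a, b in zip(pt, ks))
        package.append((ct, _tag(mac_key, nonce, i, i == len(pieces) - 1, ct)))
    return package


def apply_update(enc_key: bytes, mac_key: bytes, nonce: bytes, package, active_image: bytes) -> bytes:
    """Device side: return the image to boot next, holding one chunk in RAM at a time."""
    staging = bytearray()  # stands in for the inactive flash slot
    for i, (ct, tag) in enumerate(package):
        expected = _tag(mac_key, nonce, i, i == len(package) - 1, ct)
        if not hmac.compare_digest(tag, expected):
            return active_image  # discard staging, keep the known-good image
        ks = _keystream(enc_key, nonce, i, len(ct))
        staging += bytes(a ^ b for a, b in zip(ct, ks))
    return bytes(staging) if package else active_image
```

A fielded design would normally add an asymmetric signature over the package and a version check against rollback, with the verification key anchored in the boot root of trust.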

All of these things have a real cost impact on devices. But it is incredibly valuable from an IoT security perspective to have that, and allows a new set of services to be put in place.

We have to deal with these security issues in the Internet of Things. And we have to deal with them now, before it’s too late. Change is needed before many of these IoT systems are implemented and out in the field without the right levels of security.
