As the focus turns to securing the Internet of Things (IoT), Michele Mackenzie, an analyst for Analysys Mason’s IoT and M2M Solutions research programme, interviewed Andreas Haegele, the senior vice president of IoT at Gemalto, to explore the issues organisations face and how Gemalto is addressing the IoT security challenge
Michele Mackenzie: What are the main challenges for IoT security and how does it or should it differ from more traditional cybersecurity?
Andreas Haegele: Traditional cybersecurity has been implemented for multiple decades and makes use of processes in controlled environments. When you look at IoT applications, mainly industrial ones, you find devices out in the field, located in unprotected environments for years. They are potentially susceptible to attackers. In addition, devices today comprise of a variety of individual components, operating systems and applications, resulting in highly fragmented attack zones, all prone to vulnerabilities. On the back-end side, the data typically travels through a complex combination of servers and networks which all represent new points of vulnerabilities, if not well protected.
MM: How do Gemalto’s technologies address each component of the IoT value chain?
AH: Gemalto proposes a three-step approach to ensure an IoT infrastructure is protected from the edge to the core for the lifetime of the IoT project.
As a first step, we always recommend conducting an end-to-end risk assessment of your IoT infrastructure, whether it is already in place or about to be deployed. As there is no one-fits-all recipe for security we address our customers’ specific requirements. Our goal is to ensure the right level of security for an IoT infrastructure, depending on the anticipated threats. We run penetration testing to assess effectiveness of the right security scope, mechanisms and processes.
Secondly, we recommend security and privacy by design. This is the golden approach for our customers when it comes to enabling trust between actors in IoT ecosystems. You need to mitigate risks at every level of the IoT value chain by building a foundation of trust – protecting what matters, where it matters and when it matters most. We help our customers to integrate security solutions at the project development level, to ensure the data is secured both at rest and in motion, in devices and in the cloud. To support strong access control and encryption layers, our portfolio enables different levels of security, ranging from highly secure tamper-resistant hardware to state of the art software-based security solutions embedded in devices.
Finally, we facilitate long-term lifecycle management. Many IoT devices are in the field for years, so it’s necessary to ensure that the security protection can evolve at the same pace as new threats. Our solutions and platforms ensure that security can be remotely managed and updated over time, eliminating potential new threats as they arise. A single intrusion point during the lifecycle of an application might allow the threat to penetrate the entire ecosystem; hence IoT security infrastructure must evolve over the lifetime of the application.
MM: What are the key challenges in providing IoT security in terms of sector specific security requests?
AH: Security is a universal need in the IoT and there are plenty of similarities in security requirements, when it comes to device integrity, privacy protection, in the device, in transit or in the cloud. Nevertheless, each vertical has its own specific needs, regulatory requirements and security approaches.
If we look at the energy market, we see numerous use cases that are exposed to cybersecurity challenges causing risks to our infrastructures. Not only utilities but also government bodies are analysing the security implications of planned IoT deployments such as smart metering roll-outs. Key players in the sector are very aware of malicious motivations that put the energy system at risk. In addition to the ubiquitous cyber security risks, the nature of somehow imposed consumer data retention, specifically in smart metering, requires clear and compliant rules to maintain citizens’ rights to privacy. We are supporting the harmonisation of both privacy and security requirements to provide standardised and scalable solutions because we expect IoT to become the key driver of the energy transition. Gemalto is also involved in regulatory developments at the European level, and in the smart grid implementation in Germany, under the strong influence of the Federal Office for Information Security (BSI).
With increasing penetration of connected vehicles, the automotive industry is facing a huge challenge in terms of security and safety. The car has become a central point of interest to hackers so original equipment manufacturers (OEMs) urgently need to protect their brands. Therefore, we are actively working with OEMs to strengthen the security design of their vehicles. This includes helping them to secure in-car and back-end architectures, identifying the most critical threat points and protecting their users as well as their own data and software. Our solutions combine strong authentication of the various electronic devices inside a vehicle, identification of the users, secure storage in the car and in the cloud as well as encryption mechanisms for the data transiting within the car and from or to the back-end. Ultimately, the goal for the automotive OEMs is to build a trusted ecosystem they can utilise to enrich their service offers or to monetise as new mobility service providers.
Connected healthcare, on the other hand, is centred on the human being and thus comes with specific advanced security needs to make sure that citizen data privacy is protected, while making data accessible to the parties who should have access such as doctors, nurses or hospitals.
MM: What in your view is the best practice model for the provisioning of security services for the IoT?
AH: As-as-service business models are a very strong trend in IoT, where we see a conversion from a classic one-time sale to setting up recurring revenue streams with a higher degree of customer intimacy. This however comes with a new kind of responsibility to companies offering as-a-service, mainly the responsibility for the health of the device or application over the entire lifecycle.
Health in this context can refer to different aspects. There is the brand reputation in the case of the automotive industry, there is the need for the utilities to remain in control of and manage demand and supply in smart energy or to enable secure multi-tenant architectures for new emerging ecosystems like smart agriculture or healthcare.
While the applications usually are very much verticalised, they do have horizontal requirements in common for an initial provisioning of the relevant security credential – no matter what the connectivity is – and then a lifecycle management for the time the solutions stay in the field.
LoRa is a very good example for such a scenario, where it is used to complement traditional, mostly cellular, connectivity. Only an established robust security solution like Gemalto’s trusted key management system will allow a variety of stakeholders to collaborate and trust they only have access to the data they need.
MM: IoT solutions often consist of more than one networking technology. Do you focus mainly on securing cellular technologies?
AH: It is true that Gemalto has strong expertise in cellular security – as well as in government, banking and enterprise security where solutions are often based on other technologies. This expertise is now being applied to new domains such as LPWAN security. As an active member of the LoRa alliance, for instance, we develop new solutions adapted to new market constraints including cost and technological capabilities. They include trusted key management services and solutions adapted to individual market requirements.
MM: What is the cost of deploying an IoT security solution?
AH: Security is only costly if the need is underestimated or even completely overlooked at the time of application design. The golden rule is really security by design, that means conducting a security analysis and risk assessment to put the appropriate security solution in place when the application is created.
Unfortunately, security is too often overlooked in the initial project scope or return on investment evaluation. However, it is becoming a crucial differentiation point among players and regulatory requirements, like data privacy rules, also make it now impossible to ignore.
At first glance it might seem to comprise a significant cost but device manufacturers should consider the deployment of a robust, upgradeable IoT security framework as an insurance for the future of their solutions. The result of a cyber-attack on a weak security infrastructure can have harmful consequences, including brand reputation damage, device recalls or costs incurred by system downtime. Let’s not forget the recent examples in the automotive industry which caused car recalls and costs that exceeded one billion dollars.
On the other hand, security should also be seen as a business enabler. With a solid security framework in place, businesses can take advantage of new revenue opportunities through software monetisation models.
MM: Can any security company claim to offer end-to-end security? Is that a realistic objective?
AH: End-to-end security can only be guaranteed when considering the essential first step of scoping and evaluating the end-toend threats. By completing this exercise, one can achieve a uniform level of end-to-end security with necessary countermeasures deployed on the devices, the gateway, the back-end and monitoring systems. We have plenty of experts with rich experience in penetration testing that can support such analysis and recommend the right medication.
MM: Who should be responsible for end-toend IoT security?
AH: It can only be the one offering the service, meaning our customers. We are more than happy to support them on this difficult journey, but it is their responsibility to make sure that all the partners inter-working in their ecosystem were perfectly screened and part of an initial risk assessment.
A single security loophole can open the door to a complete ecosystem so our customers need to consider the weakest link in their security chain.
Besides the deployed technology, the way people use it is also crucial. If operators don’t follow practical guidelines such as changing passwords or two-factor authentication the risk landscape changes. Anyone who is part of the value chain needs to be trained to use the technology appropriately and shares the responsibility for end-to-end IoT security.
MM: Considering the recent distributed denial of service (DDoS) attacks, do you believe that regulation has a role to play in securing the IoT?
AH: Definitely. Regulation is already in motion for some sectors and more governments are looking for wider IoT regulation, such as in Germany. Regulators play a key role in ensuring that regulations are effectively put in place and infringements are addressed accordingly.
However – referring to the previous point – the certification of an end-to-end solution will always require a macroscopic evaluation and deep end-to-end expertise.
We believe that the more industries work together in jointly developing security best practices the better we will be in approaching a secure Internet of Things. Therefore, industries will need to set up institutions together with public bodies that manage the labelling or certification frameworks. Gemalto supports, amongst others, the EU initiative of establishing a cyber-security public private partnership (cPPP), aiming for a coherent approach to security in IoT. Our ultimate target is to build trust in an increasingly connected world.
Key rules to ensure a secure IoT infrastructure:
- Focus on security by design by incorporating security needs from the beginning
- Assign unique device identity in factory or via over-the-air (OTA) provisioning. Avoid default access keys or passwords that remain unchanged in the field
- Provide the ability to manage device software and credentials over entire lifecycle. This should include secure boot, software updates and signature verification
- Encrypt data at rest and data in motion, and secure the cloud
- Enforce strong authentication of people and systems accessing the data