As IoT deployments accelerate, an area of growing concern is security. The likelihood of billions of additional connections and the proliferation of endpoint devices in the form of IoT modules, sensors and other equipment is radically increasing the threat surface that organisations need to defend, writes Dr Mihai Voicu
The security news is continually glum as incidences of cybercrime proliferate and criminals utilise new technologies to spread their malicious acts across the connected landscape. The issue is well-known and organisations are investing heavily in technologies to combat the threats and enable them to cope better when the almost inevitable attack happens.
IoT, with its enormous footprint, is under particular threat and all stakeholders are paying attention to how to secure this huge marketplace. Gartner expects worldwide spending on IoT security to reach $348 million in 2016, a 23.7% increase from 2015, but it believes IoT security market spending will increase at a faster rate after 2020 as improved skills, organisational change and more scalable service options improve execution.
By that point, the analyst firm predicts that more than 25% of identified attacks in enterprises will involve IoT. It warns that IoT will continue to account for less than 10% of IT security budgets in spite of this. Organisations that deploy IoT solutions therefore will have to be clever with their security investment and, partly for that reason, Gartner predicts that more than half of all IoT implementations will use some form of cloud-based security service by 2020.
It’s clear the stakes are becoming ever greater. We’re now in a world in which a tyre pressure sensor on a vehicle can be hacked, enabling cyber criminals to gain control of other vehicle systems with malicious intent. However, it’s important not to get swept away by a wave of paranoia, even while recognising that the threats are real and therefore need to be prevented and controlled.
We’re at a stage now where organisations are acknowledging that security attacks are a fact of life and that a breach is a case of when, not if. As a consequence, knowing how to handle an attack is growing in importance over learning how to prevent attacks in the first place. The cure, alarmingly, is becoming more significant than the prevention.
Concern about the security of early IoT deployments has emerged as the leading impediment to new IoT projects, with 46.2% of 533 respondents to a 451 Research survey expressing concern.
What is different about IoT security?
IoT security is little more than an extension of traditional internet security. The fundamentals are that endpoint devices exist which need to be secure, the network itself needs to be secure and the servers and IT architecture at the other end must also be secure. That’s easily said and, regrettably, sometimes easy for criminals to hack.
There are two core aspects to security in IoT: securing the endpoint devices and securing the control plane of IoT solutions. A key aspect of the security focus is on how to secure the data from sensors and the collection of information that is relevant to a particular customer. At the same time, equal or greater focus is devoted to the security of the control plane of IoT solutions.
The majority of publicly available insights into IoT vulnerabilities today relate to how the criminals got to the data. They do not concern how the criminals actually gained control of the data, because simply getting to the data today means that you have the ability to utilise it. It’s therefore important that IoT security addresses, as a priority, how to prevent criminals getting to the data. If they can’t get to it, they can’t steal it. Prevention may be better than the cure after all.
Secure the endpoint devices
One of the most relevant aspects of IoT security is the multiplicity of endpoint devices and the strength of their security. The majority of security penetrations come from vulnerabilities that result in compromised devices. This is partly because the price point of endpoint devices is becoming that of a novelty item, and the pricing therefore does not support the inclusion of security.
However, it’s important to consider that hacking an endpoint doesn’t offer much value to a criminal. When you look at an endpoint device, it may be easy to get into, but what can you do once you have access to it? The device may therefore be just an entry point. Organisations may feel they can maintain security by using secure technologies in the operations and control plane of the IoT platform, but they should be aware that these too can be compromised at the device level. Such back-end security technologies are robust, but if the enterprise does not put the correct policies and processes in place, criminals can get round them by hacking devices and fooling the back end into believing that the devices have not been taken over and remain legitimate.
Endpoint devices present a huge attack surface for cybercriminals to exploit but in themselves are not valuable for a criminal to hack. Nevertheless, Telit has been working with the GSMA to create security guidelines for endpoint devices. Efforts have focused first on what is put on the endpoint device, which is the interface with the cloud or network. A secure boot capability, which ensures that when an endpoint device’s communications module is booted a trusted, secure environment is created, has been developed by Telit to ensure a secure anchor into an endpoint device exists.
This secure anchor means that as soon as the chip fires up and the firmware initiates, every single line of code is assured to be from a trusted source. Firmware has many different inputs including those from cellular operators, from chip developers and from module providers. Telit’s secure boot capability ensures that these, plus the customer firmware, are trusted. This comes together to assemble a series of firmware that users know is trusted and has no possibility of allowing or enabling any malicious code to be injected. Secure boot capability helps strengthen the endpoint device and is available today.
Once this trusted firmware environment exists, it becomes less important whether an endpoint device is a high-end or low-end product. High-end endpoint devices have a lot of maturity when it comes to security, and a lot of security can therefore be applied to them. However, the majority of endpoint devices in deployment are low-end devices without operating systems, often built around a microcontroller. It’s not uncommon to see a module that has the capability to support a microcontroller, and that opens up security threats.
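To make the secure-boot idea concrete, here is an added illustration (not Telit’s code or any real module’s boot ROM) of a hash-anchored chain of trust: an immutable root of trust pins the digest of the first-stage loader, each stage’s manifest pins the next component (chip vendor blob, operator configuration, module firmware, customer firmware), and a stage only runs after the previous stage has verified it, so a tampered image, or a tampered manifest, halts the boot. The stage names and contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

class SecureBootError(Exception):
    """Raised when a stage's digest differs from what the previous stage pinned."""

@dataclass
class Image:
    name: str
    code: bytes                        # the firmware component itself
    next_name: Optional[str] = None    # manifest: which image runs next
    next_digest: Optional[str] = None  # manifest: its expected SHA-256

def digest(img: Image) -> str:
    # Hash code AND manifest, so the pin on the next stage is itself covered
    manifest = f"{img.next_name or ''}:{img.next_digest or ''}".encode()
    return hashlib.sha256(img.code + b"\n--manifest--\n" + manifest).hexdigest()

def build_chain(stages):
    """stages: ordered [(name, code)]. Pins each image to the next, last stage
    first. Returns the (name, digest) the immutable root of trust stores."""
    images, next_name, next_digest = {}, None, None
    for name, code in reversed(stages):
        images[name] = Image(name, code, next_name, next_digest)
        next_name, next_digest = name, digest(images[name])
    return (next_name, next_digest), images

def boot(root, images):
    """Walk the chain from the root of trust; returns the stages allowed to run."""
    name, expected = root
    executed = []
    while name is not None:
        img = images.get(name)
        if img is None or digest(img) != expected:
            raise SecureBootError(f"{name}: digest mismatch, boot halted")
        executed.append(name)  # verified: this stage is now handed control
        name, expected = img.next_name, img.next_digest
    return executed

# Constructed sample chain covering the firmware inputs the article names
STAGES = [
    ("first_stage_loader", b"stage0 loader"),
    ("chip_vendor_blob", b"baseband init"),
    ("operator_config", b"carrier profile"),
    ("module_firmware", b"module fw 1.0"),
    ("customer_firmware", b"customer app"),
]
ROOT, IMAGES = build_chain(STAGES)
```

A real module would check a signature with a public key burned into the root of trust rather than a bare digest, but the property is the same: every byte that runs was pinned by a stage that was itself already verified.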
Secure the aggregation points
Beyond the module and the network, the next points of security weakness are the aggregation points at which data from modules are brought into the systems of an enterprise. First comes the gateway but the major aggregation point is the IoT platform which makes the connection into the enterprise. This point of aggregation is where all the gateways connect and, from there, multiple ways of getting data out exist.
The data itself is coming in from a multitude of inputs, including:
An asset gateway, which provides access from a hardware perspective into the cloud. At the same time, Telit offers an agent in specific gateways that creates a secure bridge into the IoT cloud so the enterprise can receive information in a secure way.
An enterprise gateway, which has a similar agent that securely connects into the cloud. Once the data is aggregated in the cloud, an enterprise will want to extract it and deploy it into enterprise systems such as ERP, and the gateway can provide a secure bridge from the cloud into the interfaces of each enterprise system.
In essence, data can be encrypted by agents in an asset gateway and decrypted by agents in an enterprise gateway, ensuring that the data remains secure while it is in the cloud.