Developing IoT strategies with a security-by-design framework is essential for creating robust IoT solutions able to respond to a growing and changing security threat landscape. Approaches to that can differ and there is no one-size-fits-all solution. The different use cases drive the choices in terms of security features. Robin Duke-Woolley, the chief executive of Beecham Research, discusses this with Cristina de Lera, the head of Infrastructure and Device Security at Infineon Technologies. Infineon proposes a hardware-based approach to capitalise in full on IoT opportunities as strong, tamperresistant protection is needed, which cannot be provided by software alone.
Robin Duke-Woolley (RDW): Why is security such an important element in the development of an IoT strategy? What are the challenges in including security in IoT strategy development?
Cristina de Lera (CdL): IoT is here now and it will add significant value to the global economy. According to a study conducted by the World Economic Forum and Accenture, the Industrial IoT is forecast to add US$14 trillion to the global economy by 2030, according to a joint World Economic Forum and Accenture study, titled ‘Digital Transformation of Industries: Telecommunications, 2016’. That means IoT will impact all areas of economies and society. The benefits are potentially enormous, but the security threats increase exponentially. An IoT solution is an integration of components, from devices to applications going through platforms, all subject to potential breaches. Therefore, it becomes essential to develop an IoT strategy with a security framework firmly in mind. However, each IoT strategy is defined by its own applications, business objectives, financial constraints and security requirements. In addition, different market sectors face a different balance of risks, industry-specific security needs, and level of trust requirements. This means that there is no single approach to design, develop and implement security in all IoT applications. Security must be thought of at the beginning of a project and supported by a security-by-design approach.
RDW: To what extent do IoT devices have such specific and diverse characteristics that security solutions should be optimised to each IoT use case?
CdL: At Infineon, we believe that IoT devices usually have four unique characteristics that warrant security solutions being specially designed and optimised for their use cases. First, many IoT devices are simple objects such as sensors with one or a handful of functions. In these simple devices, the microcontroller (MCU) usually has a limited computing capability and physical space. These constraints in turn restrict the security support that the MCU can offer. Secondly, many IoT devices operate powered by batteries. In this case power management functions are tremendously important to assure not to shrink the effective lifespan of the IoT device and thus failing to maximise the benefits of using IoT technologies. Thirdly, security solutions optimised for IoT devices must be able to support embedded Linux, MCU RTOS and bare metal operation without an OS running on top of it. Finally, IoT devices vary in feature sets; from simple movement sensors to sophisticated ones like an autonomous car. This requires a security solution suited for an IoT device’s purpose to avoid adding unnecessary performance burdens and costs.
RDW: How do you see a hardware-based security solution helping companies overcome the challenges they are facing around security?
CdL: Implementing strong security is not trivial. By using dedicated, protected hardware, there is less potential for faulty implementations. This concept is called hardware-based security. It aims to separate security sensitive data and functions from the rest of the system. Typically, these hardware-based solutions are built on certified security hardware and thus create trust based on independent evaluations. In addition, hardwarebased security offers a reduced total cost of ownership (TCO) of security based on faster time to market, easier logistics and lower maintenance costs.
RDW: What should companies do differently about security in IoT?
CdL: The first thing companies should understand is that there are no valuable and functional IoT solutions without the right security arrangements. This means that security considerations must already be included in their overall IoT strategy. In addition, companies must match the right security solution to the IoT use case, considering the types and purposes of IoT devices and, most importantly, the overall strategic aim of the IoT investment in the first place.
RDW: What do you consider to be a right security solution?
CdL: The right security solution is one that is aligned to a company’s IoT strategy that in turn assigns an associated business value to the applications. For example, if a manufacturer aims to rely on IoT to improve its production operations and reduce operating expenditure, it must be able to trust the data received and sent by IoT sensors. This means that an essential feature of any IoT solution must include secured devices.
RDW: How do you recommend companies should design the right security solution for secured IoT devices?
CdL: In our many engagements, the most common challenge is that companies struggle to build the business case to include security investments. As a first step, we recommend that companies should determine their strategic goal of investing in IoT technologies. They can then identify the necessary technology structures that support those aims. This means that the traditional risk/reward equation should now also include the opportunity cost of not securing IoT. Consider the business case for a factory owner and a consumer electronics manufacturer. The former aims to run a more efficient assembly line by relying on movement sensors to predict machine maintenance schedules. The cost of not securing those sensors and the entire project may be limited to the financial cost of scheduling maintenance at the wrong time. The consumer electronics manufacturer, on the other hand, aims to expand its revenue stream by also selling after-care services. The cost of not securing those consumer electronics devices may not only be the potential loss of a customer, but also the possible resultant loss of reputation, potential lawsuits and penalties and ultimately potential closure of the business. These two examples have a different business case equation that suggests different types of security solution being required.
RDW: What other challenges do companies face in developing the right security solution for secured IoT devices?
CdL: The next most common challenge is that companies themselves do not have the level of security expertise to drive the security agenda within their IoT deployments. There is already a general shortage of security skills and experience. ISC2 for example predicts that the global shortfall of cybersecurity workers will increase 20% to reach 1.8million by 2022. The availability of security know-how among companies is even lower. The factory owner or the consumer electronics manufacturer may be very good at what they do in their own markets but most likely lack a dedicated security expertise to drive the security agenda within their organisations.
RDW: How can Infineon support companies to design the right security solutions for secure devices?
CdL: Infineon offers the OPTIGA Trust portfolio to help companies drive business value from their IoT deployments. It is optimised for IoT devices, which means companies match the right security solution to their unique use cases. Using the factory owner example, it may have started to deploy robots in a new factory location. By using OPTIGA Trust X, the factory owner can authenticate the robots and thus trust the resultant data and insights. In turn, it can trust that the predictive maintenance schedule can be triggered without disrupting operations. On the other hand, if the consumer electronics manufacturer wishes to supply remote maintenance services to its customers, OPTIGA Trust X only allows authorised access to those gadgets so that no one else but them can access those gadgets. The resultant data is also securely stored, thus demonstrating good security practice to its customers.
RDW: How does OPTIGA Trust X address the specific characteristics of IoT device security and trust needs?
CdL: Infineon has a long history of security expertise. The OPTIGA Trust X is the result of designing security solutions specifically for IoT devices. It is a turnkey solution in the form of hardware, operating system, applications already running in the chip and the host code that can be downloaded to the MCU that in turn communicates with Trust X. It is certified, easy to integrate and ready to use in any type of IoT devices that need to be connected to the internet. These are applicable to consumer use in smart homes, to industrial mission critical environments such as factories and building automation, and to multi-domain applications such as intelligent transport systems and traffic management.
RDW: As a final question, what are your three key messages for companies interested in securing their IoT strategies?
CdL: First, securing your IoT solution/strategy is a vital necessity. Security must become a number one priority and be integrated from the beginning. Secondly, building trust between IoT devices is the first step in a holistic strategy. IoT devices need strong, tamper-resistant protection. This degree of protection cannot be provided by software alone – it needs hardwarebased security. Finally, we recommend a security solution which is optimised for IoT devices and use cases and helps to overcome typical business and operational challenges – like the OPTIGA Trust X.