The Internet of Things is changing the way we live and work. It’s not just industry that will benefit: the IoT is already transforming the way all of us interact with objects in our daily lives. But the approach to IoT security is currently highly fragmented and, in certain instances, non-existent.
There is a need for common standards to ensure the IoT is provided with baseline security. Consideration should be given to identity-based public key cryptography, which, due to its characteristics, can provide a sector-agnostic baseline security, from smart homes through to industrial IoT, says Roderick Hodgson, director, Secure Chorus.
This was the theme of a recent talk I delivered to the European Telecommunications Standards Institute (ETSI) Security Week held at ETSI’s headquarters in Sophia Antipolis, France. I was speaking as director with special responsibility for technical oversight of Secure Chorus, a not-for-profit organisation that provides thought leadership, common standards and tangible capabilities for the cyber security industry.
I also reported that industry as a whole is currently seeing a 600% annual increase in IoT cyber-attacks, with commercial and industrial electronics, utilities, medical, automotive and transportation, being most at risk by virtue of being at the forefront of IoT adoption.
The IoT is not a device or technology, but a framework for embedding connectivity and intelligence through a range of devices. Collecting and reacting to data in real-time is the key capability brought to life through the IoT. Data can be collected on a range of devices and can be accessed and interpreted through new computing technologies.
Cloud computing, analytics engines and big data solutions bring about tremendous innovation when combined with the IoT. State-sponsored attacks, massive economic shutdown, and attempts to cause widespread chaos are all plausible risks in a world where IoT systems are bigger than the sum of their parts.
While the IoT is not a new phenomenon, increasing numbers of devices are being connected and becoming smarter. This trend is occurring across sectors including some considered to be critical national infrastructure (CNI), making cyber security a leading concern. Catastrophic failures in nuclear, aviation and essential services need to be considered by manufacturers, adopters of industrial IoT, nation states and regulators.
IoT deployments face critical cyber security risks:
- The number of devices that need to be secured is far greater than in the traditional business and industry IT environments;
- Devices and systems found in the IoT are highly varied. While some solutions rely on low-power and low data bandwidth, others are dedicated to performing far more computation over high-speed networks;
- IoT devices are being used across a wide range of environments, each presenting challenges caused by differences in processing capabilities, use cases, network capabilities and physical locations; and
- IoT devices are becoming component parts of systems that directly affect health and safety.
The issue of simultaneously addressing authentication and security challenges in IoT systems can be met with the use of ‘identity-based public-key cryptography’, in which the cryptographic keys are directly tied to the identity of an IoT device or sensor.
The added use of Key Management Servers (KMS) simplifies key management, scaling to the number of devices and sensors and remaining compatible with their wide variety, while at the same time ensuring that trust can be provided between parties for the devices they control, beyond the perimeter of a single system or organisation.
Secure Chorus has enabled the development of an ecosystem of Secure Chorus Compliant Products (SCCP) ensuring the following:
- Data security – This is achieved with end-to-end encryption to ensure that any data processing activity can be undertaken without compromising data security.
- Data ownership – This type of cryptography includes a Key Management Server (KMS), giving the system owner full control of system security.
- Identity-based public key cryptography does not require expensive and complex supporting infrastructure for distributing credentials, allowing for at-scale implementation. This represents substantial innovation in the field of cryptography.
One of the biggest challenges in securing IoT is to find a solution that works for low-power devices, while being secure enough for critical infrastructure systems. Data security, authentication and trust are best achieved in an IoT environment through the use of an identity-based public-key cryptography protocol.
MIKEY-SAKKE is one such identity-based public-key cryptography protocol, providing effective authentication, key distribution and revocation in a variety of deployment scenarios. Secure Chorus and its members have chosen MIKEY-SAKKE as our open cryptography standard, allowing us to develop interoperability standards for MIKEY-SAKKE based multimedia communications solutions.
The author of this blog is Roderick Hodgson, director, Secure Chorus
About the author
Roderick Hodgson is a technologist and innovation strategist with oversight of all technology aspects of Secure Chorus, including technical management, setting technical strategy and representing the technology externally.