Can the prin­ciples of Zero Trust be applied to IoT?

Stuart Mitchell of ZARIOT

The perception that security has never been a core component or key consideration for the Internet of Things (IoT) has even been highlighted in the familiar joke: ‘the ‘S’ in IoT stands for security. Yet with tens of billions of connected devices, the safety and financial implications of even small security breaches can be vast, as has already been demonstrated by the likes of the Mirai botnet which compromised over half a million IoT devices.

Furthermore, says Stuart Mitchell of ZARIOT, there is much-warranted concern that ‘unless security concerns are comprehensively addressed and trust enabled then IoT’s full potential will not be realised’. A Zero Trust methodology can be comprehensively applied to address and tackle all layers of threat to an IoT project.

Malicious unless certified as safe

As the name implies, Zero Trust assumes all interactions are malicious unless explicitly certified as safe. The methodology evolved in corporate IT, but is arguably more important in IoT security where it has been asserted that the average IoT device will be attacked within only minutes after being connected. The more traditional application of perimeter security allows trust between all those within the perimeter. Zero Trust, on the other hand, customises protection for each individual asset according to its requirements and by mitigating possible attack vectors identified through methodical assessment. By securing each device separately, if any of these assets is compromised the security breach is contained and does not extend to others within the network.

The type and application of IoT devices is hugely varied, as is the way in which these devices use networks to connect and communicate. For example, a connected car requires global and continuous connectivity, high data volumes and can be accessed sporadically. A smart meter requires fixed-location and predictable connectivity, very low data volumes and remote access. A tracked shipment requires regional and periodic connectivity, relatively low data volumes and can be accessed often. Security breaches to any of these can be catastrophic and costly – in different ways, but as a result of the same threats.

Managing security by usage, needs and threats

The Zero Trust approach manages the security of each and every device according to its usage, needs and possible threats. A detailed analysis of any IoT deployment can be carried out by looking at who, what, when, where, why and how the devices are going to be used and what the corresponding attack vectors are. These threats are then eliminated by applying Zero Trust principles accordingly. There are many models, but the following principles, provided by the UK National Cyber Security Centre are very accessible for designing an IoT Zero-Trust architecture.

For example, when do you trust your device to connect? As outlined earlier, a connected car may need to be connected constantly, but a smart meter may only need to be connected the first hour of each month. If the trusted time framework of a device is known, the appropriate protection can be provided. Through applying the Zero Trust key principle of “setting policies”, time-based controls can be imposed to restrict connectivity to when it is needed, thereby reducing the likelihood of attack. If a device doesn’t need to be connected all the time, it shouldn’t be.

Similarly when asking who you trust, consideration must be given to who the network trusts. We’ll use cellular as an example, however all network types from 2G to Wi-Fi have vulnerabilities and security concerns. While much attention has been given to protecting the Internet Protocol (IP) layer, protecting the mobile network infrastructure has been overlooked in relation to cellular IoT devices and connectivity. The inherent and inherited vulnerabilities of the mobile network leave it wide open to a number of threats and attacks such as denial of service (DoS), privacy breaches and fraud. Hackers are well acquainted with these access points of cellular networks.

Reliable smart data

A connected car needs to maintain its connectivity for mapping data however it is also necessary to ensure that the location of the car cannot be tracked by bad actors through its SIM. Smart meter data needs not just to arrive, but to be reliable with guarantees that it has not been altered in any way. Application of the Zero Trust principles would focus on “monitoring” the devices and “choosing zero trust services”. The best way to protect the cellular connectivity of IoT devices is with a dynamic, expertly-maintained signalling firewall. It is therefore crucial to ensure that the device is using a SIM from a mobile operator that has a signalling firewall in place in order to restrict unauthorised access to the network itself.

Such analyses on what can and must be trusted are carried out across all aspects of an IoT deployment, from device to SIM to the online services, and Zero Trust principles then applied to minimise the attack surface over each possible attack vector. As IoT projects and products develop across all industries – from smart cars to time-critical medical devices – and as networks evolve, it is essential to adapt to and grow with changing needs, demands and threats, all while placing connectivity security at the fore. A Zero Trust methodology in connectivity is the most effective way to facilitate this and to provide a fully secured IoT solution for the lifetime of an IoT device, no matter its application.

The author is Stuart Mitchell of ZARIOT.

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

What is a vCIO and why do SMEs need them to thrive?

Posted on: September 28, 2021

The pandemic forced many small and medium-sized companies to rethink their business plans and the technologies they use. The hybrid and remote workforce has spawned technology challenges, including cross-team collaboration and vulnerabilities. Additionally, says Gary Pica, founder and president of TruMethods, a Kaseya company, many businesses are now evaluating regulatory issues and boosting cybersecurity measures.

Read more

Truphone enables mass IoT deployments with iSIM collaboration

Posted on: September 28, 2021

Truphone has announced that, in collaboration with Sony Semiconductor Israel Ltd., a cellular IoT chipset provider, and Kigen, a global security provider, it has enabled its IoT platform and global connectivity to run on the integrated SIM of Sony’s Altair cellular IoT chipsets, powered by Kigen iSIM OS.

Read more