Securing the Internet of Things
The Internet of Things (IoT) holds great promise for a more intelligent, efficient, safe, and even anticipatory means of human adaptation to the environment, be it natural or manmade. IoT has the potential to enable improvements to many facets of life. It's enabling the interconnectedness of "things" and resulting insights and synergies, yet that very connectedness raises concerns for security and privacy that must be addressed.
By Raghu Sowmyanarayanan
The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data. The Internet of Things allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy, and economic benefit. Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.
An Introduction to the IoT landscape
IoT has the potential to become as silent, hidden, omnipresent, and essential as air is to modern society. Like the air, IoT also has virtually limitless access points and vulnerabilities. Although initially hackers have been largely a nuisance, their intrusions will become increasingly impactful, leading to the potential for operational disruption, industrial espionage, damage to enterprise assets, and even potential physical harm to human beings.
To regain trust, IoT must undergo a transformation. To define where that transformation should be made, let's look at three basic IoT device classes.
Class 1 devices are simple devices, such as sensors that collect and transmit data or simple actuators that receive data.
Class 2 devices are more sophisticated and can perform data storage or analysis functions in addition to Class 1 capabilities. Examples include a simple hub or gateway for devices.
Class 3 devices are sophisticated systems, much the same as general-purpose servers, that can serve as key aggregation points in an IoT network. Examples include multifunction gateways and security analytics platforms.
The device class, purpose, and environment can constrain the choice of authentication methods for security. Effective authentication enables devices to securely link to other devices, applications, and people, both to deliver data from the device and to let the device accept commands. Secure authentication ensures proper data flow to and from an IoT device and safeguards device integrity as well.
Authentication plays a pivotal role in securing access for IoT devices, but authentication methods used in today's IT may not work for all IoT device classes. Many IoT devices are not general-purpose computers, but "fit-for-purpose" devices with limited capacity and function.
Enabled IoT connectivity comes with challenges and security risks:
Diversity and lack of standardization in the IoT ecosystem: Understanding and managing all data generated by different "things" across an entire organization is possible with a platform capable of translating and communicating with a variety of protocols. By extracting and managing information, organizations can unlock significantly more business value from their systems and assets in a more flexible and efficient way.
Lack of identity-based access for trusted users and devices: Authentication in IoT involves more machine-to-machine automated exchange, providing a codified assurance of the identity of one entity to another. Knowing which component to trust and identifying any unauthorized access become more difficult in the "connected things" world.
Non-patched firmware: A wide variety of devices from different vendors using different operating systems need to work together seamlessly. Cheaper devices running an older version of an OS may have exploitable vulnerabilities.
Complexity of monitoring and operational security: Utility providers want to optimize their operations to deliver uninterrupted services safely. From a security point of view, the IoT's "permanent availability" translates into "permanent vulnerability." Security breaches can often cause critical system disruptions that demand immediate actions.
Solving IoT's Challenges
Given this set of challenges and security risks, what's an enterprise to do? Here are seven actions to consider.
- Focus on communication alignment between multiple protocols and, if required, look at translation options across protocols
- Ensure secure data transfer for "things" (devices) that have limited computational capabilities
- Protect IoT devices that depend on hard-coded access keys
- Implement accurate management of all "things" (devices and components) with their identities
- Utilize appropriate tools and techniques capable of identifying any IoT component so that all IoT components are connected cohesively
- Ensure that software installed in IoT devices is the latest version and is "trusted"
- Create an approach for managing firmware updates for all IoT "things" (devices)
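The authentication discussion above and the actions on hard-coded keys and per-device identities can be made concrete with a sketch. The following is an added example, not part of the original article: it assumes HMAC-SHA256 challenge-response as one lightweight method a Class 1 device could afford, and all names (`Device`, `Gateway`, `derive_device_key`, the device IDs, the master key) are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed master secret for illustration; a real one stays in an HSM/KMS.
MASTER_KEY = bytes(range(32))

def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def derive_device_key(master: bytes, device_id: str) -> bytes:
    """Unique key per identity, so no fleet-wide hard-coded secret exists."""
    return mac(master, b"device-key", device_id.encode())

class Device:
    """Class 1 'thing': holds only its ID and its own provisioned key."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        return mac(self.key, nonce, self.device_id.encode())

class Gateway:
    """Class 2/3 aggregation point: issues nonces, re-derives keys, revokes."""
    def __init__(self, master: bytes):
        self.master, self.pending, self.revoked = master, {}, set()

    def challenge(self, device_id: str) -> bytes:
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self.pending.pop(device_id, None)  # one use: replays fail
        if nonce is None or device_id in self.revoked:
            return False
        key = derive_device_key(self.master, device_id)
        return hmac.compare_digest(mac(key, nonce, device_id.encode()), response)

def demo() -> dict:
    gw = Gateway(MASTER_KEY)
    sensor = Device("sensor-0001", derive_device_key(MASTER_KEY, "sensor-0001"))
    answer = sensor.respond(gw.challenge("sensor-0001"))
    results = {"valid": gw.verify("sensor-0001", answer),
               "replayed": gw.verify("sensor-0001", answer)}
    # A key extracted from sensor-0001 must not authenticate as another device.
    stolen = Device("valve-0002", sensor.key)
    results["stolen_key"] = gw.verify("valve-0002", stolen.respond(gw.challenge("valve-0002")))
    gw.revoked.add("sensor-0001")
    results["revoked"] = gw.verify("sensor-0001", sensor.respond(gw.challenge("sensor-0001")))
    return results
```

Because each key is bound to one identity, compromising a single device limits the damage to that device, and the gateway can revoke it without re-keying the rest of the fleet.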
Enterprises should also consider adopting an IoT device management solution. Such solutions enable and control the configuration of IoT devices to ensure that security policies are set up in a consistent way. They also monitor the overall status and health of the device. IoT device management helps organizations move from challenges to solutions and can incorporate most of the solutions listed above. For example, IoT device management can help in:
- Local deployment of the device agent on the most popular platforms
- Making devices configurable to be accessed behind a variety of firewalls
- Managing identity and access
- Supporting roles and rights per your security-policy server
- Secure access to remote devices and products to diagnose and resolve issues
- Encryption for data in transit and data at rest
- Service discovery and application identification via a secure gateway
- Enabling proactive fault detection
- Creating dashboards showing assets and devices
- Log management, collecting data from the devices, and configuring alarms
- Automation of processes and services
As in previous computing eras, developers and device builders view security concerns as an "add-on" capability to be delivered near the end of the product cycle. This has been the case, for example, with the development of smart meters, with potential security issues relating to both authentication of access to devices and security of data in transfer.
The IoT presents a new order of complexity to security. The heterogeneity of protocols and standards has an impact on security when it becomes difficult to enforce and strengthen processes and collaboration across market players and end-user organizations.
An indirect impact of the IoT on security planning involves the considerable amount of data created by devices, sensors, and other deployed "things." The repercussions will impact storage and systems availability as well as privacy. With the data explosion, organizations will try to leverage the business advantages of analyzing data from the IoT infrastructure. Security and infrastructure management needs will create new opportunities for technology and data-center infrastructure providers. The inclusion of IoT-triggered business and service challenges will provide increasing market differentiation and competitive advantages.
Raghuveeran Sowmyanarayanan is a vice president at Accenture and is responsible for designing solution architecture for RFPs and opportunities. You can reach him at firstname.lastname@example.org.