This article is a continuation of a series of posts about the Internet of Things from the perspective of the Citrix Labs research and development organization. The series started with a discussion about the intersection of the IoT and the Enterprise to create a software-defined workplace. In the next post we presented important security challenges to consider when contemplating the influx of connected devices of every size and description into the enterprise. Today, we’ll explore the topic of IoT security in more depth.
When I think about security, the first thing that enters my mind is encryption.
While this is certainly important to keep information confidential, considerably more than cryptography is required to secure the IoT. Why? First, there is more to security than just confidentiality as a review of information security fundamentals will remind us. Second, a distinct set of security requirements applies to each layer of the IoT stack. In this post, we’ll explore how the security model for the actual IoT devices is different from the security model for the communications between devices, which is different from the security model for the IoT service which manages all the devices and aggregates their data.
If encryption is not enough to secure the IoT, then what else is required? To answer that, let’s quickly review some well-established information security principles, starting with the classic “CIA” security triad of confidentiality, integrity, and availability. Over the years, the CIA triad has expanded to include other noteworthy security goals such as non-repudiation, authenticity, and privacy.
A Simple IoT Framework
To apply these security principles to the IoT, we need to define an IoT framework. For the purposes of this discussion we will divide the IoT into a simplified framework of three layers.
Securing the Device Layer
This layer of the framework is characterized as the intersection of people, places, and things. These things can be simple devices like connected thermometers and lightbulbs, or complex devices such as medical instruments and manufacturing equipment. For security in the IoT to be fully realized, it must be designed and built into the devices themselves. This means that IoT devices must be able to prove their identity to maintain authenticity, sign and encrypt their data to maintain integrity, and limit locally stored data to protect privacy. The security model for devices must be strict enough to prevent unauthorized use, but flexible enough to support secure, ad hoc interactions with people and other devices on a temporary basis. For example, you want to prevent someone from changing the toll rate on a connected parking meter, but provide a secure interface to reserve and pay for the parking spot for a limited duration.
Because IoT devices will eventually exist everywhere in the environment, physical security is also important. This creates the need to design tamper resistance into devices so that it is difficult to extract sensitive information like personal data, cryptographic keys, or credentials. Finally, we expect IoT devices to have long lives, so it is important to enable software updates to address the vulnerabilities that are inevitably discovered after their release.
Securing the Gateway Layer
This layer of the IoT framework represents the connectivity and messaging between things and cloud services. Communications in the IoT usually travel over a combination of private and public networks, so securing the traffic is obviously important. This is probably the best-understood area of IoT security, with technology like TLS/SSL encryption ideally suited to solve the problem. The primary difficulty arises when you consider the challenges of cryptography on devices with constrained resources, for example 8-bit microcontrollers with limited RAM. An Arduino Uno takes up to 3 minutes to encrypt a test payload with a 1024-bit RSA key, whereas an elliptic curve digital signature algorithm (ECDSA) key of comparable strength can process the same payload in 0.3 seconds. This indicates that device manufacturers cannot use resource constraints as an excuse to avoid security in their products.
Another security consideration for the gateway layer is that many IoT devices communicate over protocols other than Wi-Fi. This means the IoT gateway is responsible for maintaining confidentiality, integrity, and availability while translating between different wireless protocols, for example from Z-Wave or ZigBee to Wi-Fi.
Securing the Service Layer
This layer of the framework represents the IoT management system and is responsible for onboarding devices and users, applying policies and rules, and orchestrating automation across devices. Role-based access control to manage user and device identity and the actions they are authorized to take is critical at this layer. To achieve non-repudiation, it is also important to maintain an audit trail of changes made by each user and device so that it is impossible to refute actions taken in the system. This monitoring data can also be used to identify potentially compromised devices when abnormal behavior is detected.
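The device, gateway, and service layer requirements above come together in one small flow: a device signs each message with an ECDSA key that never leaves it, and the service verifies the signature against the public key registered at onboarding, rejects replays, and keeps the signed originals as its audit trail. The Go sketch below is an added example, not Citrix Labs code or a real IoT product; the Telemetry field names, the "meter-42" device identifier, and the use of P-256 are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Telemetry is a constructed sample payload; the field names are assumptions, not a real IoT schema.
type Telemetry struct {
	DeviceID string  `json:"device_id"`
	Seq      uint64  `json:"seq"` // monotonic counter so the service can reject replays
	Reading  float64 `json:"reading"`
}
type SignedMessage struct{ Payload, Sig []byte } // JSON payload + ASN.1 ECDSA signature over SHA-256(payload)

// NewDeviceKey makes the P-256 key a device would keep in tamper-resistant storage.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign runs on the device: the signature proves origin (authenticity) and protects integrity.
func Sign(priv *ecdsa.PrivateKey, t Telemetry) (SignedMessage, error) {
	payload, _ := json.Marshal(t) // cannot fail for a struct of plain scalars
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return SignedMessage{Payload: payload, Sig: sig}, err
}

// Service is the management layer: onboarded public keys, per-device counters and an audit log.
type Service struct {
	keys    map[string]*ecdsa.PublicKey
	lastSeq map[string]uint64
	Audit   []SignedMessage // signed originals are retained, so a device cannot later refute them
}

func NewService() *Service { return &Service{keys: map[string]*ecdsa.PublicKey{}, lastSeq: map[string]uint64{}} }

// Onboard registers a device's public key; the private key never leaves the device.
func (s *Service) Onboard(id string, pub *ecdsa.PublicKey) { s.keys[id] = pub }

// Ingest accepts a message only if it verifies under the onboarded key and is not a replay.
func (s *Service) Ingest(m SignedMessage) error {
	var t Telemetry
	if err := json.Unmarshal(m.Payload, &t); err != nil {
		return err
	}
	if pub, d := s.keys[t.DeviceID], sha256.Sum256(m.Payload); pub == nil || !ecdsa.VerifyASN1(pub, d[:], m.Sig) {
		return fmt.Errorf("reject %q: unknown device, tampered payload or wrong key", t.DeviceID)
	}
	if t.Seq <= s.lastSeq[t.DeviceID] {
		return fmt.Errorf("reject %q: replayed message (seq %d)", t.DeviceID, t.Seq)
	}
	s.lastSeq[t.DeviceID] = t.Seq
	s.Audit = append(s.Audit, m)
	return nil
}
```

Only messages that pass all three checks reach the audit log, so every retained record is one the named device provably produced.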
Big data analysis of the aggregate data generated by the IoT is often described as its most valuable aspect for device and service providers alike. At the same time, maintaining consumer privacy is top of mind for government agencies, with the FTC and ENISA each releasing guidelines for securing the IoT. This creates a set of privacy-related security requirements, such as: providing clear data-use notification so that customers have visibility into and fine-grained control over the data sent to the cloud service; keeping customer data stored in the cloud service segregated and/or encrypted with customer-provided keys; and anonymizing data that is analyzed in aggregate across customers.
There are many challenges to securing the IoT, many of them unique to a particular layer of the IoT framework. Robust security begins with building it into the devices themselves. Even the small, resource-constrained devices common in the IoT must implement cryptography to maintain confidentiality, integrity, and authenticity when communicating over the network. Finally, a balance must be found between consumer and enterprise privacy and the insight and value derived from the mountains of data generated by the IoT.
We’ve only scratched the surface of what’s required to secure the IoT. Stay tuned as we delve into the specific security models and requirements for each layer of the IoT stack and speculate about how the IoT will evolve in the future.