The opportunity of the Internet of Things is usually described in terms of the business potential represented by all the new and interesting devices, sensors and things that are riding the IoT wave. This opportunity especially manifests itself when you consider the benefit from all the connections these devices will make, as they gather and pass data back to users, other devices, enterprise applications and big data analytics solutions. These connections promise to improve workflows, solve business problems and yield new business insights.
Yet one of the concerns that comes with introducing these new devices and connections is how you secure these devices. Adding more devices, sensors and things to your network also represents the potential to increase your attack surface. In short, all devices, including IoT devices, need to be secure. So organizations need to be diligent, and purchase enterprise-class IoT devices that can be configured and updated in line with security policy – just like anything else that is connected to your network. Many consumer devices don’t meet the security bar, and never will.
But there’s a deeper underlying problem: lack of security standards for IoT devices.
One of the genuine technical challenges is encryption in the smallest IoT devices, such as sensors. These devices have to operate for extended periods on battery power, so they often use microcontrollers with extremely limited amounts of RAM and ROM. Some of these microcontrollers have merely 64 bytes of RAM or less. Yes, bytes – not kilobytes or megabytes. This means that entirely new algorithms have to be devised to fit. This is called lightweight cryptography (LWC), and NIST, in the U.S., has now started a standardization initiative for LWC.
It’s time: the need is pressing, and the research community has already been studying and experimenting with LWC for more than a decade. Devices using LWC will always involve specialist design, but the aim is to standardize these security building blocks for IoT.
Another technical challenge is that IoT devices use different protocols for communication. Some of these protocols, such as MQTT, can run on top of existing secure session protocols such as Transport Layer Security (TLS) – the standardized replacement for SSL. This is an excellent fit for gateways that already support TLS. Less powerful devices may use protocols such as CoAP. Because CoAP uses UDP rather than TCP, it can run on top of the DTLS variant of TLS. This again is a great fit for those gateways, as DTLS is so closely related to TLS. The smallest IoT devices, which use LWC with message-based security protocols because they aren’t powerful enough to support TLS/DTLS, will be more challenging, as we just saw. Gateways are vital to IoT security, as they allow the traffic to be inspected and validated in a scalable way.
A third security challenge applies to a different class of IoT: updating multi-function devices. The smallest IoT devices, like sensors, won’t be updatable. More powerful single-function devices can simply be updated by their vendor. But multi-function devices may involve software from different vendors, so there needs to be a trustworthy way to update each vendor’s software without the updates interfering with each other. Smartphones have already successfully tackled this challenge, and their approach is now being repurposed as the Open Trust Protocol (OTrP) within the IETF.
More broadly, great work is going on within the Online Trust Alliance (OTA), the Cloud Security Alliance (CSA) and the Trusted Computing Group (TCG) to provide detailed security guidance and checklists for developers of IoT devices. Much of the guidance will be familiar to enterprise software developers; developers of IoT devices need to follow it, too. After all, it’s not the size of the device that counts: it’s the size of the risk that it can pose.
You can find out how Octoblu helps secure IoT devices here: https://www.citrix.com/blogs/2015/12/10/citrix-octoblu-is-securing-the-internet-of-things/. And with the emergence of these standards, let’s hope that IoT security becomes a routine operations matter, rather than something exotic.
Further reading:
Architect’s Guide: IoT Security
Secure Design and Development of IoT Products (CSA, “coming soon”)
Online Trust Alliance: Internet of Things