Bringing Trust to the Internet of Things
nCipher, an Entrust Datacard Company
Author: John Grimm, VP Security Strategy, nCipher Security
In this era of digital transformation, where companies are deploying digital technologies to improve their operations, deliver value to customers, and gain a competitive edge, IoT initiatives invariably are the backbone of those efforts. Huge amounts of data are generated by and collected from a wide variety of IoT devices. However, if you can't trust the data and the devices that produce it, there's no point in undertaking the massive effort required to collect and analyze the data or, worse, in making business decisions based on it. IoT security is all about enabling that trust.
Many IoT devices simply were not built with security in mind. The introduction of connectivity to legacy devices, or to newer devices whose designers lacked expertise to develop for high-security networked environments, can result in the introduction of new and unanticipated vulnerabilities. And those vulnerabilities can be exploited by attackers, using an IoT device as an entry point to a network that they can then leverage to go after higher value systems and data.
The diversity of IoT devices and lack of standardization pose challenges. However, proven time-tested security techniques — adapted to the IoT environment — are key to addressing these challenges. Digital certificates to uniquely identify devices and form a root of trust for IoT systems; firmware signing to ensure that devices can accept authentic and unaltered updates and security patches; and encryption to protect sensitive data collected by IoT devices are three important technologies to enable a secure and scalable IoT.
Offering assurance
Securing the IoT is dependent on authenticating connected devices and ensuring each one can be trusted to do what is expected of it. Providing this assurance requires a solution that protects both the transfer and receipt of critical data; authenticates the addition of any new device to the network, establishing a root of trust and identity; and offers end-to-end encryption with strong key management. Only with such provisions in place can we be fully confident that our connected devices are secure.
Hardware security modules (HSMs) help IoT device manufacturers create a unique device identity or 'digital birth certificate' that can be authenticated when a device attempts to communicate with a gateway or central server. With this unique ID in place, a device can be tracked throughout its lifecycle, can be communicated with securely, and can be prevented from executing harmful processes. If a device exhibits unexpected behaviour, its privileges can simply be revoked.
IoT security is seen by many as a barrier to their IoT projects, particularly when treated as an add-on rather than a core component that must be designed in from the beginning. Security getting a seat at the table from the inception of IoT projects will evolve from being the exception to being the rule. And rather than being the "no" people, the security team must recognize its role as a key enabler in the IoT, navigating the vast ecosystem of connected products and platforms, and developing ways to ensure and maintain trust.