Security is a concern that was, is and will be valid at any given point, spanning time, spaces and generations. The pretty picture painted by the potential of the Internet of Things is a fascinating one. We see a future where IoT has transformed our interaction with devices and our lives, where networks and devices around us act intelligently and respond in the way that humans do, and possibly even better!
But once these billions of devices are connected together and huge volumes of data are exchanged, IoT security is going to be a key challenge. Joshua Corman, security strategist and philosopher serving in the IT security space, says living in the IoT world will be like swimming with the sharks.
The movies have visualized various scenarios that make us aware of what can go wrong when IoT security is breached. From G-Force, where home appliances with a destructive program turn against humans, to Die Hard 4, where cyber terrorists hack into financial and public utilities infrastructures and hold the government to ransom, to Skynet in the iconic Terminator series, in which machines make it a mission to wipe out the human race: all of that could be a reality in the future.
We have real-life instances of hackers finding their way into government, financial and other sites. The possibility of a connected car being hacked, causing damage to human life and much more, is not far away. All these are critical concerns which demand fast and sustained resolution.
What happens when a cyber-criminal takes over?
What else can happen? A prankster hacker can play with your bedroom lights, lock you inside your car, disable the heating and render your refrigerator useless. Hospital systems can be hacked into, blood bank refrigeration tampered with and medical reports can be manipulated. An insulin pump or a dialysis machine that can be remotely controlled is a nightmare come true. A cyber-criminal can do all this and much more.
Gartner’s research on Cybersecurity Challenges says that the top inhibitors to the adoption of the Internet of Things are security and privacy concerns. It also points out that by 2020, 60% of enterprise information cybersecurity budgets will be allocated for rapid detection and response approaches. By 2020, at least one consumer product manufacturer will be held liable by a national government for cybersecurity vulnerabilities in its product. This exposes the vulnerability of the system and the importance of security in the era of IoT.
The IoT security must-haves!
Security should be the foundation stone in every aspect of IoT, right from a small sensor device to the gateway, cloud platform and applications, not forgetting the wired and wireless networks used for connecting these devices together. Considering the numerous complex elements of the IoT ecosystem, a multilayered, multi-dimensional security system is the need of the hour. Device security should be able to protect data even if there is physical tampering, such as manipulating a USB interface of the device. The main challenges of sensor devices are their limited memory footprint and processing power, which make it more difficult to implement top-notch, industry-grade software security. This is where hardware-implemented security features like ARM TrustZone technology or Intel’s UEFI secure boot come to the rescue. These technologies make sure that only authenticated operating software and applications will be loaded onto the device. Hardware security protects from both tampering and hacking.
In the case of ARM TrustZone, it uses a dedicated security core and provides two virtual processors backed by hardware access control. This allows the application to switch between two worlds: the more trusted one and the less trusted one. Both worlds can run independently, and optimized, security-specialized code can run in the trusted zone.
All the devices connecting to a gateway or a cloud should be authenticated before they can initiate any data transfer. Most sensor devices are headless, i.e. they do not have a user interface where a “user name and password” can be entered. Hence a mechanism to automatically authenticate devices to cloud applications is vital. Certificate-based authentication is considered to be a tamper-proof method. Private keys and the certificate will be burnt into the device's secure storage.
Most IoT devices and cloud platforms use DTLS/TLS for transport layer security. The technology is supported by almost all operating systems and programming languages, which makes it easy to implement. The TLS handshake protocol defines how a client and server negotiate which encryption algorithm and cryptographic keys are to be used for further communication. This negotiation is so secure that even an eavesdropper/attacker cannot crack the keys used for encryption. TLS mainly uses various AES 128-bit and AES 256-bit cipher suites.
Cloud applications can be programmed in such a way that only certain access is given to the sensor devices; this is called the access policy. In the event of a device being hacked, only a limited portion of the data will be accessible to the intruder.
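The certificate-based device authentication and the access policy described above can be tied together in one check, sketched below. This is an added example, not code from the original article or from Aricent; the role names, the topic layout, the use of the certificate's OU field as a role, and all function names are assumptions made for illustration.

```python
import ssl

# Hypothetical grants per role; "{id}" becomes the authenticated device name
# and "+" matches exactly one topic level. Anything not listed is denied.
POLICY = {
    "sensor": [("publish", "plant/{id}/telemetry"),
               ("subscribe", "plant/{id}/config")],
    "gateway": [("publish", "plant/+/telemetry")],
}

def gateway_tls_context():
    """Server-side context that rejects peers without a valid client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # A deployment also loads the server key pair (load_cert_chain) and the
    # CA that issued the device certificates (load_verify_locations).
    return ctx

def device_identity(peercert):
    """Return (role, device_id) from the dict SSLSocket.getpeercert() yields."""
    fields = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    role = fields.get("organizationalUnitName", "")  # assumption: OU carries role
    dev = fields.get("commonName", "")
    # A name containing topic metacharacters could widen its own grant.
    if role not in POLICY or not dev or set(dev) & set("/+#"):
        raise PermissionError("certificate carries no usable identity")
    return role, dev

def topic_matches(pattern, topic):
    p, t = pattern.split("/"), topic.split("/")
    return len(p) == len(t) and all(a in ("+", b) for a, b in zip(p, t))

def is_allowed(peercert, action, topic):
    """Default deny: permit only what the role's grants explicitly cover."""
    try:
        role, dev = device_identity(peercert)
    except PermissionError:
        return False
    return any(act == action and topic_matches(pat.replace("{id}", dev), topic)
               for act, pat in POLICY[role])

def cert(role, name):
    """Constructed stand-in for getpeercert() output, for the demo only."""
    return {"subject": ((("organizationalUnitName", role),),
                        (("commonName", name),))}

if __name__ == "__main__":
    print(is_allowed(cert("sensor", "sensor-17"), "publish", "plant/sensor-17/telemetry"))
    print(is_allowed(cert("sensor", "sensor-17"), "publish", "plant/sensor-18/telemetry"))
```

Because the grant is derived from the identity in the verified certificate rather than from anything the device sends in the request, a compromised sensor is confined to its own topics.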
Who is responsible?
A security consultant should be able to think like a hacker and find ways to fix the holes in the system. In a scenario where one of the elements (e.g. a sensor device) is compromised, the intruder should not get further access to other systems like the gateway, cloud and applications. Access control, detecting an intrusion in time and stopping further damage are equally important. Sometimes an application can act as a legitimate entity and gain access to the cloud infrastructure only to pose a formidable threat.
Today, no system can provide 100% security. As the technology grows, hackers and criminals acquire more sophisticated tools to pursue their goal. More security in place implies more money and time required to hack into a system.
Aricent is the leading IoT solutions provider and has extensive experience in IoT and cybersecurity and can provide consultancy and engineering services to customers to select the right security mechanism to protect their IoT devices, gateways and cloud infrastructure.
Gartner: Address Cybersecurity Challenges Proactively to Ensure Success with Outsourced IoT Initiatives