In part 2 of this series I touched on some of the challenges involved in protecting IoT devices and what products currently exist that attempt to fill the security gaps. In this entry I will dive deeper into the technical side of IoT Security.
Regardless of functionality, the security challenges that these devices face can be categorized into the following vulnerability layers:
Communication – Securing communications to and from the device. Dynamic data encryption in the form of TLS is the industry standard, is likely to remain in use for some time, and is easy to implement. The technical challenge here is in protecting the artifacts required to ensure that the encryption remains secure, namely private keys. There are existing solutions that can be deployed, but it is crucial, in this and in all other layers, to remember that storage and runtime space on the device will likely be extremely limited. As an example, the Raspberry Pi Compute Module is a prototyping kit intended for industrial applications and contains 512MB of RAM and 4GB of flash storage. How many CA products can run under those limitations? The range of memory and storage will vary depending on the device functionality, but the variance will likely not be that great.
Access – Securing and controlling remote access to the device. Fundamental to all security systems is determining and enforcing who can and cannot gain access. This functionality is well understood and implemented in the web-space, which should translate well into IoT.
Execution – Securing and controlling code execution on the device. Unmonitored devices are ripe for being used in all sorts of virus and bot attack schemes; controlling and verifying what code can run, and when, is vital.
Data – Securing any data, especially Personally Identifiable Information (PII), on the device. Due to storage constraints, very few devices will actually contain data that requires protection, but it may happen. When it does, this data must be properly handled and protected.
Physicality – Controlling, evaluating and monitoring the physical realities of the device. This aspect of an IoT device is tricky. Consider the previous example of a temperature sensor. What if there is a sudden spike or dip in a reading? How would the device monitor be able to tell if the change is due to the movement of the sun or an attack on the device? Securing the device physically is the concern of the device owner; however, we should provide tools such as data analytics and machine learning to aid in determining the legitimacy of the device's readings and in detecting and reacting to potential attacks.
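One way a device monitor could separate slow environmental drift from a sudden spike or dip is sketched below as an added example; it is not code from this series or from any product. It compares each reading's rate of change with a robust baseline (median and MAD) of recent rates. The function names, thresholds and sample readings are assumptions constructed for illustration.

```python
from statistics import median

def flag_abrupt_changes(readings, window=10, k=6.0, floor=0.05):
    """Return indices of readings whose rate of change is far outside
    the recent baseline.

    readings: list of (unix_seconds, temp_c) in arrival order.
    window:   number of preceding accepted rates that form the baseline.
    k:        threshold in robust standard deviations (MAD-based).
    floor:    minimum scale in deg C/min so that a nearly flat baseline
              does not turn sensor noise into alerts (assumed value).
    """
    accepted, flagged = [], []
    for i in range(1, len(readings)):
        (t0, v0), (t1, v1) = readings[i - 1], readings[i]
        dt_min = (t1 - t0) / 60.0
        if dt_min <= 0:              # replayed or out-of-order timestamp
            flagged.append(i)
            continue
        rate = (v1 - v0) / dt_min    # deg C per minute, tolerant of gaps
        baseline = accepted[-window:]
        if len(baseline) == window:
            med = median(baseline)
            mad = median(abs(r - med) for r in baseline)
            scale = max(1.4826 * mad, floor)
            if abs(rate - med) > k * scale:
                flagged.append(i)
                continue             # keep outliers out of the baseline
        accepted.append(rate)
    return flagged

def constructed_sample(spike_at=None, spike_c=8.0):
    """Constructed data: one reading per minute, slow solar warming of
    0.05 deg C/min plus small deterministic sensor noise."""
    noise = [0.0, 0.02, -0.01, 0.01]
    data = [(1_700_000_000 + 60 * i, 20.0 + 0.05 * i + noise[i % 4])
            for i in range(30)]
    if spike_at is not None:
        t, v = data[spike_at]
        data[spike_at] = (t, v + spike_c)
    return data

if __name__ == "__main__":
    print(flag_abrupt_changes(constructed_sample()))             # slow drift only
    print(flag_abrupt_changes(constructed_sample(spike_at=20)))  # drift plus spike
```

A flag only marks a reading as inconsistent with recent behaviour; deciding whether it was tampering, a fault or weather still needs context such as neighbouring sensors.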
Properly protecting IoT devices will certainly be a challenge; however, one advantage we have is that we will be able to build on our own understanding of cybersecurity. While existing products may or may not be sufficient to the task, existing knowledge and understanding will take us a long way.
My next post will look at the market landscape for security within the Internet of Things.