How to Secure IoT Devices: IoT Security Requirements
Internet of Things (IoT)
What Are the Key Requirements of IoT Security?
The key requirements for any IoT security solution are:
- IoT Device and data security, including authentication of devices and confidentiality and integrity of data
- Implementing and running security operations at IoT scale
- Meeting compliance requirements and requests
- Meeting performance requirements as per the use case
What Are the Key Functional Blocks of IoT Security?
IoT security solutions need to implement the functional blocks listed below as interconnected modules, not in isolation, to meet the IoT scale, data security, device trust and compliance requirements.
- IoT Device Trust: Establishing and managing Device Identity and Integrity
- IoT Data Trust: Policy driven end-to-end data security, privacy from creation to consumption
- Operationalizing the Trust: Automating and interfacing to the standards based, proven technologies/products. E.g. PKI products.
What Do Connected Devices Require to Participate in the IoT Securely?
To securely participate in the IoT, each connected device needs a unique identification – even before it has an IP address. This digital credential establishes the root of trust for the device’s entire lifecycle, from initial design to deployment to retirement.
Entrust uses nShield hardware security modules (HSMs), combined with supporting security applications from Entrust technology partners, to enable manufacturers to provide each device a unique ID using the strongest cryptographic processing, key protection, and key management available. A digital certificate is injected into each device to enable:
- Authentication of each device introduced to the organization’s architecture
- Verification of the integrity of the operating system and applications on the device
- Secure communications between devices, gateway, and cloud
- Authorized software and firmware updates, based on approved code
Are There Security Guidelines for the IoT?
A number of organizations have developed security guidelines for the IoT. These include:
- The IoT Security Foundation’s “Best Practice Guidelines”
- The Open Web Application Security Project’s (OWASP) “Security Guidance”
- Groupe Spéciale Mobile Association’s (GSMA) “GSMA IoT Security Guidelines & Assessment”
- The U.S. Department of Commerce National Institute of Standards and Technology’s (NIST) Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices
- The Cloud Security Alliance’s (CSA) “Future Proofing the Connected World: 13 Step to Developing Secure IoT Products”
Why Is Device Authentication Necessary for the IoT?
Strong IoT device authentication is required to ensure connected devices on the IoT can be trusted to be what they purport to be. Consequently, each IoT device needs a unique identity that can be authenticated when the device attempts to connect to a gateway or central server. With this unique ID in place, IT system administrators can track each device throughout its lifecycle, communicate securely with it, and prevent it from executing harmful processes. If a device exhibits unexpected behavior, administrators can simply revoke its privileges.
Why Is Secure Manufacturing Necessary for IoT Devices?
IoT devices produced through unsecured manufacturing processes provide criminals opportunities to change production runs to introduce unauthorized code or produce additional units that are subsequently sold on the black market.
One way to secure manufacturing processes is to use hardware security modules (HSMs) and supporting security software to inject cryptographic keys and digital certificates and to control the number of units built and the code incorporated into each.
Why Is Code Signing Necessary for IoT Devices?
To protect businesses, brands, partners, and users from software that has been infected by malware, software developers have adopted code signing. In the IoT, code signing in the software release process ensures the integrity of IoT device software and firmware updates, and defends against the risks associated with IoT software code tampering or code that deviates from organizational policies.
In public key cryptography, code signing is a specific use of certificate-based digital signatures that enables an organization to verify the identity of the software publisher and certify the software has not been changed since it was published.
What is IoT PKI?
Today there are more things (devices) online than there are people on the planet! Devices are the number one users of the Internet and need digital identities for secure operation. As enterprises seek to transform their business models to stay competitive, rapid adoption of IoT technologies is creating increasing demand for internet of things public key infrastructure (IoT PKI). PKIs provide digital certificates for the growing number of devices and the software and firmware they run.
Safe IoT deployments require not only trusting the devices to be authentic and to be who they say they are, but also trusting that the data they collect is real and not altered. If one cannot trust the IoT devices and the data, there is no point in collecting, running analytics, and executing decisions based on the information collected.
Secure adoption of IoT requires:
- Enabling mutual authentication between connected devices and applications
- Maintaining the integrity and confidentiality of the data collected by devices
- Ensuring the legitimacy and integrity of the software downloaded to devices
- Preserving the privacy of sensitive data in light of stricter security regulations