How to Secure IOT Devices: IOT Security Requirements

The key requirements for any IoT security solution are:

• IoT Device and data security, including authentication of devices and confidentiality and integrity of data
• Implementing and running security operations at IoT scale
• Meeting compliance requirements and requests
• Meeting performance requirements as per the use case

IoT security solutions need to implement the functional blocks listed below as interconnected modules, not in isolation, to meet the IoT scale, data security, device trust and compliance requirements.

• IoT Device Trust: Establishing and managing Device Identity and Integrity
• IoT Data Trust: Policy driven end-to-end data security, privacy from creation to consumption
• Operationalizing the Trust: Automating and interfacing to the standards based, proven technologies/products. E.g. PKI products.

To securely participate in the IoT, each connected device needs a unique identification – even before it has an IP address. This digital credential establishes the root of trust for the device’s entire lifecycle, from initial design to deployment to retirement.

Entrust uses nShield hardware security modules (HSMs), combined with supporting security applications from Entrust technology partners, to enable manufacturers to provide each device a unique ID using the strongest cryptographic processing, key protection, and key management available. A digital certificate is injected into each device to enable:

• Authentication of each device introduced to the organization’s architecture
• Verification of the integrity of the operating system and applications on the device
• Secure communications between devices, gateway, and cloud
• Authorized software and firmware updates, based on approved code

A number of organizations have developed security guidelines for the IoT. These include:

• The IoT Security Foundation’s “Best Practice Guidelines”
• The Open Web Application Security Project’s (OWASP) “Security Guidance”
• Groupe Spéciale Mobile Association’s (GSMA) “GSMA IoT Security Guidelines & Assessment”
• The U.S. Department of Commerce National Institute of Standards and Technology’s (NIST) Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices
• The Cloud Security Alliance’s (CSA) “Future Proofing the Connected World: 13 Step to Developing Secure IoT Products”

Strong IoT device authentication is required to ensure connected devices on the IoT can be trusted to be what they purport to be. Consequently, each IoT device needs a unique identity that can be authenticated when the device attempts to connect to a gateway or central server. With this unique ID in place, IT system administrators can track each device throughout its lifecycle, communicate securely with it, and prevent it from executing harmful processes. If a device exhibits unexpected behavior, administrators can simply revoke its privileges.

IoT devices produced through unsecured manufacturing processes provide criminals opportunities to change production runs to introduce unauthorized code or produce additional units that are subsequently sold on the black market.

One way to secure manufacturing processes is to use hardware security modules (HSMs) and supporting security software to inject cryptographic keys and digital certificates and to control the number of units built and the code incorporated into each.

To protect businesses, brands, partners, and users from software that has been infected by malware, software developers have adopted code signing. In the IoT, code signing in the software release process ensures the integrity of IoT device software and firmware updates, and defends against the risks associated with IoT software code tampering or code that deviates from organizational policies.

In public key cryptography, code signing is a specific use of certificate-based digital signatures that enables an organization to verify the identity of the software publisher and certify the software has not been changed since it was published.

Today there are more things (devices) online than there are people on the planet! Devices are the number one users of the Internet and need digital identities for secure operation. As enterprises seek to transform their business models to stay competitive, rapid adoption of IoT technologies is creating increasing demand for internet of things public key infrastructure (IoT PKI). PKIs provide digital certificates for the growing number of devices and the software and firmware they run.

Safe IoT deployments require not only trusting the devices to be authentic and to be who they say they are, but also trusting that the data they collect is real and not altered. If one cannot trust the IoT devices and the data, there is no point in collecting, running analytics, and executing decisions based on the information collected.

Secure adoption of IoT requires:

• Enabling mutual authentication between connected devices and applications
• Maintaining the integrity and confidentiality of the data collected by devices
• Ensuring the legitimacy and integrity of the software downloaded to devices
• Preserving the privacy of sensitive data in light of stricter security regulations