Security: where the IoT meets the IT infrastructure
It’s true that in the animal kingdom there is safety in numbers. But in the Internet of Things (IoT), where billions of devices are expected to be connected within the next decade, the sheer volume of devices isn’t expected to mitigate the security risk. In fact, given that many devices may share the same codebase or hardware design, the numbers will simply increase the risk.
This is the reality of creating a more connected world; it will become easier to infringe personal space both in the real world and online. To some extent modern society has little choice; it needs that level of connectivity in to meet the rising demand for food production, mass transit, and energy distribution. Reconciling these two paradigms of risk and need will be where the emerging IoT meets the established IT infrastructure.
There is much the embedded industry can learn from the enterprise sector, in terms of the technology developed to provide security. Firewalls, authentication, encryption, and intrusion detection have all evolved within the enterprise space. Perhaps the most important thing to understand is that all these technologies are intended to work cooperatively. There is no single solution to security in IT; each technology must play its part.
Unfortunately, this technology isn’t directly transferable from IT to IoT. Putting a firewall in a device intended to communicate with other devices on an ad hoc basis would be difficult, for example (although embedded firewalls do exist). Similarly, intrusion detection may be challenging to implement reliably in resource-constrained devices such as smart sensors and other ‘edge node’ devices. However, authentication and encryption are security techniques that most definitely could — and should — be implemented in the embedded domain.
A significant aspect of the IoT security imperative stems from the way disparate devices will participate. By its nature the IoT will involve known and unknown devices joining and leaving networks on a relatively frequent basis. When those networks are considered ‘local’ and comprise only devices in the local area, the security risk is perhaps limited. But in reality a wireless device can join a ‘local’ network from some considerable distance. Physical barriers such as locked doors and high walls offer little or no barrier to a wireless signal.
Further, even wired interfaces represent a threat where physical access is possible and no security measures have (or can be) taken. These interfaces could be any kind of serial or parallel port, such as PCI Express, CAN, USB, or even (and, as it turns out, quite ubiquitously) JTAG/Boundary Scan. The problem isn’t necessarily the lack of security in the interface itself, but the lack of security in the devices and data that the interfaces connect to and, by extension, its network.
Some work to protect wired interfaces is already being carried out. The introduction of the USB Type C authentication protocol intends to inhibit unauthorized USB Type C chargers and devices from gaining full access to a system. Similar steps should perhaps be taken with other prominent interfaces, particularly those that implement a message-based protocol. While such actions wouldn’t help protect the many millions of instances already deployed, they would at least help to protect the future devices that are also more likely to be connected to the IoT.
Until all wired and wireless interfaces are protected—and even after—there are steps to be taking now. Using encryption and authentication, for instance, can significantly improve overall security in the IoT. The Open Web Application Security Project has identified a number of so-called Attack Surface Areas in the IoT that arise mainly due to missing or poorly implemented encryption or two-factor authentication.
The Public Key Infrastructure methodology allows data to be passed securely to only its intended recipient.
Many of the microcontrollers that will enable the IoT already provide support for encryption and authentication. ARM, for instance, has extended its TrustZone technology to the Cortex-M cores that are popular foundations for IoT designs. TrustZone is a technology that provides a ‘hardwired firewall’ at the transistor level, allowing trusted software to run completely isolated from untrusted software. Because it is implemented at the hardware level, TrustZone can still deliver the real-time operation needed in many IoT applications.Continue reading on Embedded.com for more on IoT security concerns.
- Handling Privacy and Security Concerns in the IoT: Big Data and Privacy
- Building the IoT: connectivity and security
- Securing the IoT: Part 1 - Public key cryptography
- The Right and Wrong Way to Implement Cryptographic Algorithms in Embedded Electronic Systems
- 7 steps to security for the Internet of Things