Secure Connectivity - Why It's Important and How to Implement It

Hardware, software, and connectivity all need to be secured for complete IoT security. Do you know how to ensure that you have secure connectivity?

Michael Vedomske

For many people, talking about security is about as interesting as a trip to the dentist. So why should you care about security? If you care enough to invest in an IoT solution, you should care about security on the Internet of Things.

In fact, Gartner proposes that overcoming security issues is the lynchpin to the Internet of Things’ success.

But does it really matter if your refrigerator, oil field devices, or asset tracker can be hacked? It does. Let’s take the first example, your refrigerator.

Your refrigerator itself may not be immensely valuable to hack, but the Google account credentials your refrigerator uses to display your Google calendar can be obtained because of poor security. Caring about security is a reflection of the value of the things that should be secured and what those things are connected to.

The Internet of Things (IoT) is supposed to increase our ability to control and monitor the world around us in an intelligent and often automated way. But as the number of connected devices grows, and as they become ever more interconnected, the importance of security increases. Interconnected devices are only as strong as their weakest link.

When considering security on the Internet of Things, think about how valuable your entire system of connected things is. If you’re going so far as to invest in devices that are connected, then why leave off security?

Investing in IoT connectivity for your business or home without security is like buying a car without locks. “But the car does what I need it to do! Security is no big deal right?” Except that the car could easily be stolen and do what somebody else needs it to do.

And with IoT connectivity, the data collected is valuable, and could be used to compromise your business without your even knowing it until it is too late. No matter the data being collected, there are other patterns of your business that could be gleaned from your data collection habits and business operations.

Your data and the system that supports it are highly valuable. Don’t leave them exposed by choosing connectivity without robust security.

Where to Start to Ensure Secure Connectivity

When choosing an LPWA technology for your IoT solution you should remember the following three-fold security philosophy.

  1. Be secure by design
  2. Keep it simple
  3. Follow the standards

1. Secure by Design

Building technology secure by design basically assumes that somebody, someday, will try and hack it. Sure, it’s kind of a pessimistic view, but hey, better safe than sorry, right?

With security by design, security is built in from the beginning. It isn’t a bolted-on afterthought. This can make a serious difference. Imagine buying a house made of reeds, and then after it’s done, the builder decides to “add security” by installing a simple lock on the front door. Intruders will just ignore the lock and make a hole straight through the wall! That seems a little far-fetched but it really isn’t too far off from what happens when a wireless protocol isn’t secure by design.

2. Keep It Simple

Einstein is credited with saying, “Everything should be made as simple as possible, but no simpler.”

IoT security that is simple is IoT security that is clear and transparent. You can see how the pieces come together to create a comprehensive suite of IoT security protection. A glob of security features doth not strong security make.

3. Follow the Standards

Finally, following security standards builds on the ‘keep it simple’ principle by clarifying the security capabilities so you know what you’re getting.

Following standards enables utilities and other critical infrastructure providers to meet theirs. This helps nuclear power plants, oil and energy providers, smart grids and other vital utilities remain compliant with Federal standards and guidelines.

Without this compliance, these entities could be fined up to a million dollars a day.

How to Implement Secure Connectivity

With this overarching philosophy in mind, LPWA wireless providers should offer these six security guarantees.

1. Message Confidentiality

It’s easy to slap a few bytes of encryption onto a protocol, call it secure, and walk away. But that’s the sort of mentality that gets you in trouble.

Encryption keeps your messages confidential. It’s basically a super fancy way to scramble messages so that they can only be unscrambled with the right key or password. But message confidentiality is only step one.

2. Message Integrity and Replay Protection

Even if your messages are encrypted, somebody could capture them and replay them later, and the receiving device would perform the same tasks again.

Imagine a street lighting solution without replay protection. It would be pretty easy to mess with the lighting if you captured the encrypted, but unprotected, message that controls on and off. Without message integrity and replay protection, the message will be let on through, causing unauthorized device déjà vu.
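The street-light scenario above, as an added example that is not from the original article or any specific LPWA protocol: each command frame carries a counter and an HMAC-SHA256 tag, and the receiver accepts each authentic counter value only once. The frame layout, the `seal` and `Receiver` names, and the key are assumptions made for illustration; encryption is left out so the integrity and replay checks stand alone.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # full HMAC-SHA256 tag


def seal(key: bytes, counter: int, command: bytes) -> bytes:
    """Sender side: frame = counter (8 bytes, big-endian) || command || tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Street-light side: accepts each authentic counter value at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # a real device would persist this across reboots

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold a counter and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # integrity failure: altered or forged frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None  # replayed or stale frame
        # State changes only after the tag verifies, so a forged frame with
        # a huge counter cannot lock out later genuine commands.
        self.last_counter = counter
        return body[8:]


def demo():
    key = bytes(range(32))  # constructed demo key, not a real secret
    lamp = Receiver(key)
    off = seal(key, 1, b"LIGHT_OFF")
    on = seal(key, 2, b"LIGHT_ON")
    forged = struct.pack(">Q", 10**6) + b"LIGHT_OFF" + bytes(TAG_LEN)
    return [
        lamp.accept(off),     # genuine command
        lamp.accept(on),      # genuine command
        lamp.accept(off),     # the captured frame, replayed later
        lamp.accept(forged),  # bad tag; must not advance the counter
        lamp.accept(seal(key, 3, b"LIGHT_OFF")),  # next genuine command
    ]
```

The replayed frame is bit-for-bit authentic, so only the counter check rejects it; the tag check alone would let it through.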

3. Mutual Authentication

Mutual authentication guarantees that everybody knows who everybody else is in a data exchange.

With mutual authentication, the device knows the network is real and the network knows the device is what it says it is. Is some stranger trying to get in your devices’ team huddle? Mutual authentication keeps them out.

4. Device Anonymity

Devices have unique identities that keep them distinguishable from other devices. It’s important that their secret identity never be revealed.

If Batman were a device on a network with device anonymity, he would never reveal that he was actually Bruce Wayne… oh wait, whoops.

5. Secure Multicasts

Want to know a secret? You wouldn’t think it, but secure multicasts are a whole different beast than straightforward unicasts, which use mutual authentication.

Secure multicasts guarantee that even when many devices are receiving messages, like street lights being asked to turn on or off simultaneously, they are all protected.

6. Authentic Firmware Upgrades

Heartbleed. Conficker. The Morris Worm. These hacks, viruses, or worms wrought mayhem on millions of PCs and servers connected to the Internet.

And then there’s Mirai. Home-baked to exploit IoT devices, it wreaked havoc on DNS servers using the likes of routers, connected video players, and more, cutting off millions from internet access.

Eeek! Luckily, after they were detected, patches were developed that protected against these security threats when downloaded and installed.

But wait. What if those infected PCs and IoT devices could never download the updates? What if they were eternally stuck in the same vulnerable state just waiting for the hack to happen, or were already compromised? Talk about being left sitting high and dry! Now imagine that those PCs and IoT devices are actually your devices sitting on an IoT network, but that network doesn’t have firmware upgrade capabilities. That’s about as comforting as a cactus blanket.

There’s a better way, and that way is the capability to download firmware upgrades, for any purpose, to your devices.

If you ever need to improve device capabilities, beep, beep, boop, firmware downloaded and installed. This feature includes device security upgrades, as the firmware upgrade could be a simple patch to address a security vulnerability. This kind of feature gives you true peace of mind so you can run your business knowing that, worst case scenario, you can address vulnerabilities that may arise.

Another added benefit of being able to send firmware upgrades to your devices is that you can be proactive in improving your solution’s performance and efficiency. Any improvements in the firmware design can be propagated to your devices, allowing for possible improvements in other areas like battery life and sensor performance. This allows solution providers and their customers to increase the value of their IoT investment.

An IoT connectivity provider that lacks device security upgrades is leaving its customers in harm’s way. Keep devices secure and adaptable to changing cyber security conditions by enabling device security upgrades.

IoT security, don’t connect without it

 

Author
Michael Vedomske
Mike received his Ph.D. from the University of Virginia in Data Science and set off on a quest to solve big problems. These problems have included the Internet of Things, the US healthcare system, marketing, cybersecurity, critical infrastructure,...