Organisations look to back end and device security to survive, thrive and achieve compliance in IoT

As IoT deployments accelerate, an area of growing concern is security. The likelihood of billions of additional connections and the proliferation of endpoint devices in the form of IoT modules, sensors and other equipment is radically increasing the threat surface that organisations need to defend, writes Dr Mihai Voicu.

The security news is continually glum as incidences of cybercrime proliferate and criminals utilise new technologies to spread their malicious acts across the connected landscape. The issue is well-known and organisations are investing heavily in technologies to combat the threats and enable them to cope better when the almost inevitable attack happens.

IoT, with its enormous footprint, is under particular threat and all stakeholders are paying attention to how to secure this huge marketplace. Gartner expects worldwide spending on IoT security to reach $348 million in 2016, a 23.7% increase from 2015, but it believes IoT security market spending will increase at a faster rate after 2020 as improved skills, organisational change and more scalable service options improve execution.

The author, Dr Mihai Voicu, is chief security officer at Telit.

By that point, the analyst firm predicts that more than 25% of identified attacks in enterprises will involve IoT. It warns that IoT will continue to account for less than 10% of IT security budgets in spite of this. Organisations that deploy IoT solutions will therefore have to be clever with their security investment and, for that reason in part, Gartner predicts that more than half of all IoT implementations will use some form of cloud-based security service by 2020.

It’s clear the stakes are becoming ever greater. We’re now in a world in which a tyre pressure sensor on a vehicle can be hacked, enabling cyber criminals to gain control of other vehicle systems with malicious intent. However, it’s important not to get swept away by a wave of paranoia even while recognising that the threats are real and therefore need to be prevented and controlled.

We’re at a stage now where organisations are acknowledging that security attacks are a fact of life and breach occurrences are a case of when, not if. As a consequence of this, knowing how to handle an attack is growing in importance over learning how to prevent attacks themselves. The cure, alarmingly, is becoming more significant than the prevention.

Concern about the security of early IoT deployments has emerged as the leading impediment to new IoT projects, with 46.2% of 533 respondents to a 451 Research survey expressing concern.

What is different about IoT security?

IoT security is little more than an extension of traditional internet security. The fundamentals are that endpoint devices exist which need to be secure, the network itself needs to be secure and the servers and IT architecture at the other end must also be secure. That’s easily said and, regrettably, sometimes easy for criminals to hack.

There are two core aspects to security in IoT: securing the endpoint devices and securing the control plane of IoT solutions. A key aspect of the security focus is on how to secure the data from sensors and the collection of information that is relevant to a particular customer. At the same time, equal or greater focus is devoted to the security of the control plane of IoT solutions.

The majority of insights into IoT vulnerabilities today that are publicly available are related to how the criminals got to the data. The issues do not concern how they actually gained control of the data because just getting to the data today means that you have the ability to utilise it. It’s therefore important that IoT security addresses how to prevent criminals getting to the data as a priority. If they can’t get to it, they can’t steal it. Prevention may be better than the cure after all.

Secure the endpoint devices

One of the most relevant aspects of IoT security is the multiplicity of endpoint devices and the strength of their security. The majority of security penetrations are coming from vulnerabilities that result in compromised devices. This is partly because the price point of endpoint devices is becoming that of a novelty item and therefore the pricing does not support inclusion of security.

However, it’s important to consider that hacking an endpoint doesn’t offer much value to a criminal. When you look at an endpoint device, it may be easy to get into but what can you do once you have access to it? The device therefore may be just an entry point and organisations may feel they can maintain security utilising secure technologies in the operations and control plane of the IoT platform, but they should be aware that these too can be compromised at the device level. Such back end security technologies are robust but, if the correct policies and processes are not put in place by the enterprise, criminals can get round them by hacking devices and fooling the back end into believing that they have not been taken over and remain legitimate.

Secure boot

Endpoint devices present a huge attack surface for cybercriminals to exploit but in themselves are not valuable for a criminal to hack. Nevertheless, Telit has been working with the GSMA to create security guidelines for endpoint devices. Efforts have focused first on what is put on the endpoint device, which is the interface with the cloud or network. A secure boot capability, which ensures that when an endpoint device’s communications module is booted a trusted, secure environment is created, has been developed by Telit to ensure a secure anchor into an endpoint device exists.

This secure anchor means that as soon as the chip fires up and the firmware initiates, every single line of code is assured to be from a trusted source. Firmware has many different inputs including those from cellular operators, from chip developers and from module providers. Telit’s secure boot capability ensures that these, plus the customer firmware, are trusted. This comes together to assemble a series of firmware that users know is trusted and has no possibility of allowing or enabling any malicious code to be injected. Secure boot capability helps strengthen the endpoint device and is available today.
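A minimal model of the chain-of-trust check described above, added here as an illustration and not Telit's implementation: every firmware stage is measured against a manifest, and the manifest itself is checked against a single anchored value before anything runs. Stage names, images and function names are constructed for the example; a production secure boot typically verifies digital signatures against a key anchored in hardware rather than comparing bare digests.

```python
import hashlib
import hmac

# Constructed firmware images standing in for the sources the article names.
STAGES = [
    ("chip-bootloader", b"constructed chip vendor bootloader image"),
    ("module-firmware", b"constructed module provider firmware image"),
    ("operator-config", b"constructed cellular operator profile"),
    ("customer-app", b"constructed customer application image"),
]

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def build_manifest(stages):
    """Provisioning step: record the expected SHA-256 of every stage, in boot order."""
    return [(name, digest(image)) for name, image in stages]

def root_of_trust(manifest) -> str:
    """Single value to hold in immutable storage: a hash over the ordered manifest."""
    h = hashlib.sha256()
    for name, d in manifest:
        h.update(name.encode() + b"\0" + d.encode() + b"\n")
    return h.hexdigest()

def verified_boot(anchor, manifest, stages):
    """Return (ok, detail). Halts at the first stage that fails verification."""
    # The manifest is only trusted if it matches the anchored value.
    if not hmac.compare_digest(root_of_trust(manifest), anchor):
        return False, "manifest does not match anchored root of trust"
    if len(stages) != len(manifest):
        return False, "stage count differs from manifest"
    for (exp_name, exp_digest), (name, image) in zip(manifest, stages):
        if name != exp_name:
            return False, f"unexpected stage {name!r}, expected {exp_name!r}"
        if not hmac.compare_digest(digest(image), exp_digest):
            return False, f"stage {name!r} failed integrity check; boot halted"
    return True, "all stages verified"

if __name__ == "__main__":
    manifest = build_manifest(STAGES)
    anchor = root_of_trust(manifest)
    print(verified_boot(anchor, manifest, STAGES))
```

Replacing one image fails at that stage, and regenerating the manifest to match the replaced image fails earlier, at the anchor comparison, which is why the anchor has to live where firmware cannot rewrite it.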

Once this trusted firmware environment exists it becomes less important whether an endpoint device is a high- or low-end product. High-end endpoint devices have a lot of maturity when it comes to security and a lot of security can therefore be applied to them. However, the majority of endpoint devices in deployment are low-end devices without operating systems that might include a microcontroller. It’s not uncommon to see a module that has the capability to support a microcontroller and that opens up security threats.

Secure the aggregation points

Beyond the module and the network, the next points of security weakness are the aggregation points at which data from modules are brought into the systems of an enterprise. First comes the gateway but the major aggregation point is the IoT platform which makes the connection into the enterprise. This point of aggregation is where all the gateways connect and, from there, multiple ways of getting data out exist.

The data itself is coming in from a multitude of inputs, including:

An asset gateway which provides access from a hardware perspective into the cloud. At the same time, Telit offers an agent in specific gateways that creates a secure bridge into the IoT cloud so the enterprise can receive information in a secure way.

An enterprise gateway has a similar agent that securely connects into the cloud so, once the data is aggregated in the cloud, an enterprise will want to extract it and deploy it into enterprise systems such as ERP. The gateway can enable a secure bridge from the cloud into the interfaces of each enterprise system.

In essence, data can be encrypted by agents in an asset gateway and decrypted by agents in an enterprise gateway ensuring data is secure in the cloud.
