Opinion: What Makes IoT Security So Hard?

Companies looking to manufacture connected devices have to tackle four main challenges says Exosite CTO Mark Benson.
Companies looking to manufacture connected devices have to tackle four main challenges says Exosite CTO Mark Benson.

In-brief: What makes IoT security so hard for these companies? Exosite Chief Technology Officer Mark Benson has identified four, important factors to consider and address.

The growth of IoT is occurring at an incredible rate, justly raising alarms about security and privacy issues as users become increasingly reliant on these intelligent, interconnected devices in their lives and businesses.

New technologies are being combined in new ways and deployed in new cyber-physical contexts, all of which expand the threat surface and open up new types of vulnerabilities. At the same time, manufacturers that are rushing to create new, connected devices lack the capabilities to properly prepare for, deploy, and support IoT solutions in a secure way.

Mark Benson is the Chief Technology Officer at Exosite.
Mark Benson is the Chief Technology Officer at Exosite.

What makes IoT security so hard for these companies? Here are four, important factors to consider and address:

Pervasive Physical Access

Historically, computing systems have been either inside secure data centers (e.g. IT applications, networking equipment), or outside data centers in non-Internet-connected ways (e.g. industrial control systems, automobiles, appliances).

The IoT changes this by combining the cyber world with the physical world and in doing so opens new types of attack vectors. For example, gaining physical access to an embedded computing system allows an attacker to review open serial ports, examine memory contents, manipulate exposed test points, access debug interfaces, or control the environment surrounding the device and associated sensors it may have.

Manufacturers should take great care in securing these types of physical security vulnerabilities, but sadly many do not.

Resource-Constrained Systems

Devices used in IoT deployments are often resource-constrained and heavily cost-optimized. Limited computational abilities, limited flash storage, limited memory capacity, and lossy network connections all combine together in a way that makes security difficult. Figure 1 shows the path of data through a typical IoT solution and the three primary modes of data: data at rest, data in motion, and data in use.

Figure 1: Data at rest, data in motion, and data in use within the context of a resource-constrained IoT solution

In Figure 1, there are four primary solution layers:

  1. Enterprise web services such as enterprise resource planning (ERP) software
  2. An IoT data platform that bridges communications between enterprise web services and the physical world of connected devices
  3. A gateway or aggregator device that serves as a proxy between the IoT data platform and very low-powered highly resource-constrained embedded sensing nodes
  4. Sensing nodes that collect sensor data and pass it on through the gateway/aggregator to the IoT data platform and ultimately integrated into the enterprise

Sensing nodes and gateway/aggregator devices are often resource-constrained, which makes it more difficult to run a full Transport Layer Security (TLS) stack, or leverage secure elements to manage private keys and certificates.

Complex Deployment Topologies

Simple IoT deployments include IP-enabled devices communicating directly to an IoT data platform. However, most IoT solutions, especially industrial ones, have incredibly complex deployment topologies that include serial communications, wireless technologies, mesh networks, local human-machine interfaces (HMIs), and integrations with local and remote analytics or condition-based monitoring services.

Complex deployment topologies make security harder due to the fact that the sheer number of places that data can be at rest (stored), in motion (moved), and used (accessed) are large. A team responsible for creating an IoT solution that includes such a complex deployment must plan for how data should be secured at each point in the system. This is not a trivial exercise, especially considering the fact that embedded engineers are not normally security experts, and IT security professionals don’t know much about embedded devices.

Inadequate Organizational Capabilities

Perhaps the most nagging problem with IoT security is that organizations often lack the capabilities necessary to create a unified security strategy that comprehends the full complexity and scope of IoT deployments. Organizations beginning to roll out IoT solutions must learn to design secure embedded devices, secure communications, secure manufacturing practices, secure support operations, and secure IT enterprise integrations.

Change is hard, not only for individuals but also for organizations. Progressive organizations must get clear on their IoT strategy, and then align resources in a way that supports and drives towards that strategy. Security should be embraced as a process and journey that is engrained in the company culture from the outset of an IoT initiative rather than a bolt-on afterthought.

Without question, there will be more high-profile IoT security breaches in the coming years. Manufacturers willing to embrace and tackle security challenges in depth, and close the organizational skill gap necessary to execute effectively, are positioned well to turn security risks into a strategic competitive advantage.

Comments are closed.