The 3 Core Technology Concepts of IoT Security You Need to Know
by Exosite, on July 6, 2017
The first step in developing a comprehensive IoT security strategy is understanding the core technology concepts in the realm of security—data, control, and hardware. Developing an understanding of these concepts can help organizations learn how to better prevent attacks, mitigate impacts, and recover from attacks on IoT systems. We’ll explain each of these concepts in depth and provide considerations when contemplating security for each.
Data is the currency of IoT solutions—it is the thing we collect, process, analyze, and use to identify and control users, behaviors, and environments. To secure data, it’s useful to think about it in three contexts: data at rest, data in motion, and data in use.
Data at Rest: Data that is stored on a hard drive, in a database, in flash memory, or in RAM. Customer-private data should always be encrypted so that if attackers gain access to a database, they can’t understand the information. Other data, like analog sensor data, may not be important to encrypt depending on the application. What’s really important is the embedded system that may or may not have encrypted flash. Some microcontrollers also allow a fuse to be blown at manufacturing time to disable another user from reading the contents of flash or re-programming it with their own software. These are all mechanisms to protect data at rest.
Data in Motion: Data sent from a sensing device over a wired or wireless network, like Wi-Fi, public Internet, or cellular. In this context, it’s important to make sure an attacker isn’t able to listen in and understand what is being sent. This is especially important for private customer data, but also for machine data in many cases. Each delivery mode should be carefully analyzed for any IoT solution.
Data in Use: Data accessed by a user, machine, or web service with particular permissions that others don’t have. For instance, a facilities engineer responsible for keeping an HVAC system up and running may have access to see data for their facility, but not permission to see another facility. Even more importantly, non-authorized personnel must not have access.
Control refers to a special piece of data designed to change the state of a device. Control plays an important role in IoT security, since it bridges the gap between the abstract Internet and reality, where a connected device can have physical impact on the world around it. However, simply connecting a device to the Internet doesn’t make it vulnerable. Devices have firmware that hard-codes the intended functions and cannot be easily changed by hackers. Similarly, the Internet cannot interfere with physical readouts of gauges on IoT-enabled industrial components.
However, an industrial component that can be controlled through the Internet must be treated as special and unique. All aspects of data, network, and hardware along the path of control to an industrial device must be scrutinized constantly. A healthy questioning attitude regarding any work done on systems connected to industrial components is important, and maintaining configuration control within a system must take higher priority than making device-state changes easy. As such, a properly designed system will limit user permissions for control of a component only to critical users.
End-user hardware, customer hardware, network hardware, and third-party hardware all play a role in the IoT game, and each have similar impact when considering IoT security. As a result, no cloud company truly exists free of hardware. The employees who code, provide support, and work for the company, the users that connect to the platform, and the servers that host their content all exist in real, physical ways. No matter what kind of computer system an IoT company uses, people will always interact with it in some physical way. The technology to secure hardware continues to mature, prevent more attacks, and provide more secure connections between systems; however, the people connected to these advanced machines continue to present the biggest vulnerabilities.
A healthy security culture—a concept that is addressed in greater depth in our white paper—encourages individuals to both understand the capacity they have to make components of a system vulnerable to attack and the sense of responsibility they should have in ensuring the security of that system.