Robotron Blog

The Security of Things (SECoT)

We all know about the Internet of Things (IoT). It is a hot topic in the industry now, but the concept has been around for well over a decade. In the early 2000s, Kevin Ashton laid the groundwork for what would become the Internet of Things (IoT) at MIT’s AutoID lab.

In a 1999 article for RFID Journal, Ashton wrote: “If we had computers that knew everything there was to know about things—using data they gathered without any help from us — we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. We need to empower computers with their own means of gathering information, so they can see, hear and smell the world for themselves, in all its random glory. RFID and sensor technology enable computers to observe, identify and understand the world—without the limitations of human-entered data.”

This has now proved to be true! But what about security? The main problem is that, because the concept of IoT has only recently been implemented, security hasn’t been in the picture. IoT products are often sold with old operating systems or software. That works fine on a personal level, but what about an application on an industrial level? For this, an IoT device that needs to be connected to the Internet should be segmented into its own network and have its network access restricted.

We know about cyber threats, and IoT is the next thing in line. What can be done to prevent them? A lot of concepts and ideas are being shared, and a conference is also being held in Cambridge, Massachusetts, United States (conference link: https://securityofthings.com/).

A generic Internet of Things topology: A typical IoT deployment will consist of sensor-equipped edge devices on a wired or wireless network sending data via a gateway to a public or private cloud. Aspects of the topology will vary broadly from application to application; for example, in some cases, the gateway may be on the device. Devices based on such topologies may be built from the ground up to leverage IoT (greenfield) or may be legacy devices that will have IoT capabilities added post-deployment (brownfield). Image via http://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf

Some ideas on SECoT were given by Wind River (a subsidiary of Intel that provides embedded system software, comprising run-time software, industry-specific software solutions, simulation technology, development tools and middleware), one of which is:

Building In Security From The Bottom Up:

Knowing no one single control is going to adequately protect a device, how do we apply what we have learned over the past 25 years to implement security in a variety of scenarios? We do so through a multi-layered approach to security that starts at the beginning when power is applied, establishes a trusted computing baseline, and anchors that trust in something immutable that cannot be tampered with.
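The chain of trust described above, sketched as an added example (it is not code from this blog or from Wind River): an immutable root digest verifies the first boot stage, and each verified stage pins the digest of the next. The stage names, image bytes and the SHA-256 digest-pinning layout are assumptions made for illustration; production devices usually verify signatures rather than bare digests.

```python
import hashlib
import hmac
from dataclasses import dataclass

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_digest: bytes  # digest this stage expects of its successor (b"" if last)

    def image(self) -> bytes:
        # The pinned digest is part of the measured image, so it cannot be
        # swapped without changing this stage's own digest.
        return self.next_digest + self.code

def build_chain(parts):
    """Build stages back to front; return (stages, root digest for ROM/fuses)."""
    stages, pinned = [], b""
    for name, code in reversed(parts):
        stage = Stage(name, code, pinned)
        stages.insert(0, stage)
        pinned = digest(stage.image())
    return stages, pinned

def verify_boot(rom_anchor: bytes, stages):
    """Walk the chain from the immutable anchor; return (ok, failing stage name)."""
    expected = rom_anchor
    for stage in stages:
        if not hmac.compare_digest(digest(stage.image()), expected):
            return False, stage.name  # refuse to hand control to this stage
        expected = stage.next_digest
    return True, ""

# Constructed sample images, not real firmware.
PARTS = [("bootloader", b"stage1"), ("kernel", b"stage2"), ("application", b"stage3")]

if __name__ == "__main__":
    stages, anchor = build_chain(PARTS)
    print(verify_boot(anchor, stages))
    patched = Stage("application", b"patched", b"")
    print(verify_boot(anchor, stages[:2] + [patched]))
    # Re-pinning the kernel to the patched application changes the kernel image.
    repinned = Stage("kernel", stages[1].code, digest(patched.image()))
    print(verify_boot(anchor, [stages[0], repinned, patched]))
```

Because every stage's pin is part of the image its predecessor measures, a change anywhere in the chain surfaces as a mismatch that traces back to the immutable anchor.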

To conclude this post: however appealing IoT is, and whatever potential it carries, there are some major requirements to fulfill before actually starting to implement it on a major scale.

If you like this blog post and have some suggestions, do leave a comment. Ideas for blog posts on related topics are also highly appreciated!