Internet of Things security

When the internet started, it connected mainframes of large organizations. As the internet gained popularity, it expanded to connect individuals using PCs and smaller devices, such as smart phones. Now, with the onset of the internet of things (IoT), any device that has a microchip is connectable.

From smart TVs, refrigerators, thermostats, lights, and locks in the home to smart roads, power grids, agricultural systems and warehousing for organizations, IoT has numerous uses and capabilities. The ability to monitor, send data and control operations remotely enables huge efficiencies, cost savings and makes tasks that much easier. The IoT market is growing at 28.5 percent annually and is expected to reach $457 billion by 2020.

IoT Security and Access

While IoT promises significant gains, it’s imperative that proper security and access measures are in place to protect data integrity and operational control. Each device needs to have the same checks that protects other users on the internet — identity verification. In addition to user identities, device and system identity verification will help ensure IoT achieves its promise and better avoid the security pitfalls.

Already, there have been numerous cases of fraud, spyware, password theft, device imitation and many other security lapses and attacks. The issues are confounded by the networked nature of the technology; one security hole can spread the issue to thousands of devices. For example, the Marai attack of 2016 infected nearly 150,000 smart security cameras.

A big part of the issue is the rapid proliferation of the number of internet connected devices with Gartner reporting that there 11.4 billion connected devices. However, that overlooks the human part of the equation; are there proper security procedures in place and are people following those procedures? People are often the weakest link in security; having insecure passwords, leaking information, and improperly setting up and maintaining systems are just some of the issues that are associated directly with poor individual security habits.

IoT Security Best Practices

While security experts might promote individual best practices until they’re blue in the face, changing people’s patterns are an uphill battle. It’s probably a wiser strategy to focus on hardening the tech, improving the user interface and other improvements on the technology side to make IoT security more robust.

The industry is responding; the market to ensure that these devices are secure is rapidly growing, especially on the enterprise side. A report from ABI Research states that IoT identity and management revenues could reach $21.5 billion by 2022. According to Dimitrios Pavlakis, Industry Analyst at ABI Research, “we are entering a transformational period where device IDs, system IDs, and user IDs are forced to merge under the hyper-connected IoT paradigms.”

There are several verification methods that IoT developers can use to build effective trust into their devices:

Birth certificate
Developers can build in a unique identifier into each device such as a serial number or key (a cryptographic code used in modern digital security operations).

A list of approved common identifiers to allow.

The device must respond in a certain way to a request. For example, an approved private key is given when prompted with a public key.

Device fingerprinting
Use the known behavior of the device to create a behavioral signature and check against the expected results.

Environmental checks
Check the operating environment of the device against expectations (IP address, time).

One-time trust event
Assume trust at a certain point in the device lifecycle and maintain it, as long as conditions remain. For example, if the device is initiated in a secure environment and is not disconnected, then the device is still trusted.

As with identity verification for people, best practice is not to rely on one method. Rather, using multiple methods in conjunction offers the best security model.

Also, smart risk-mitigation strategies depend on the level of associated risk. A smart tv module doesn’t need the same security as a nuclear power plant controller. Developers need to consider the risk parameters and costs and determine what level of security is optimum.

IoT Standards

As there are so many types of devices, so many use cases, and so many users of IoT security standards are a work in progress. As with any new field, there are numerous differing approaches to security and consensus is not even a consideration.

However, as the technology develops, security models develop and gain acceptance. A good example is WebAuthn, a protocol has been designed and proposed to help deploy simpler yet stronger web authentication methods to users around the world. Note though, that the web was invented in 1993 so that security standard took 25 years.

There are numerous protocols, frameworks, and architectures being put forward by various alliances and organizations. All the different approaches might make sense from a technical point of view — optimizing the security setup for a specific situation — but it causes squabbles, misalignments, confusion, questions and other project management nightmares.

While we can’t expect the quagmire being solved anytime soon, the Trulioo approach to identity does offer a way forward. The consortium view of identity is about using multiple data sources and multiple identity attributes to create a robust, scalable, trustable identity. This consortium view of identity makes use of traditional data sources, adding in new capabilities as appropriate and accounts for the needs of the user.

In this model, different protocols, frameworks, and architectures are fine, different alliances and organizations can co-exist, and all can deliver their data and outlook so that developers can pick and choose their sources to optimize their results. And, in the end, isn’t that what IoT is all about? A network of networks, the ability to interconnect all things and human-kind to reap the benefits of more data, more control and more power. An identity framework that considers all points, delivers security and ease of use will help deliver a future that builds trust online.