By Guillaume Crinon
Global IoT Strategy Manager at Avnet
Deploying an IoT solution isn’t like putting a product on a shelf. The solution cannot be created and let go of, as the best ones should flex with business needs and security challenges. Indeed, a safe protocol today might get hacked tomorrow. Or a field of sensors could be compromised or marked ‘end of life’ six months after being deployed globally. This complexity is the root of so many cyber vulnerabilities—especially as deployments in the IoT get even more intricate.
Gartner says worldwide Internet of Things (IoT) security spending was $8.47 billion in 2018. This figure is projected to grow to over $73 billion by 2026, a CAGR of 31.2%. That aligns with predictions that the global IoT market is expected to be $3.9 trillion dollars by 2021, led by discrete manufacturing, transportation, logistics and utilities. However, while that growth is promising, it does pose a challenge, as there can be no one-size-fits-all technology to accomplish IoT security. Any custom IoT solution presents a number of individual security challenges—all on faster timelines and with more data breaches than ever.
This is probably why a 2019 SMB Cyberthreat Study by Keeper Security found that only 40% of service providers have a cybersecurity plan in place to react to a potential breach. That means six out of every 10 providers aren’t preparing for a crack in the system. At the same time, 66% of developers believe a breach is unlikely to happen in the first place – even though 67% experienced one within the last year.
Developers too often forget that the implementation of a security countermeasure is as important as the countermeasure itself.
Developers too often forget that the implementation of a security countermeasure is as important as the countermeasure itself. For instance, HTTPS with the use of private keys and certificates is the right way to HTTP. However, implementing HTTPS in pure software, with unprotected storage and computation of private keys and certificates, is very weak and prone to easy hacking.
One underlying misconception that drives security weakness relates to the idea of Machine-to-Machine (M2M) security. M2M is a misleading acronym. For scalability reasons, in most deployed IoT architectures, machines, appliances, and devices, sensors do not directly talk to one another, but instead report and pull data to and from more or less distant, larger systems that are capable of analyzing and making decisions. This happens either on the edge or in the cloud itself. It is impossible to anticipate which route, network and backhaul will carry the data. We only know that there will be multiple legs operated by as many providers with no guarantee of persistence: network routes are dynamic and the route from point A to point B can be different every day.
As a consequence, network security is insufficient as it only takes care of securing traffic on a leg-by-leg basis.
As a consequence, network security is insufficient as it only takes care of securing traffic on a leg-by-leg basis. As internet users, we know this very well: when accessing the web from public WiFi, our web browsers make sure we have an HTTPS/FTTPS connection to the URL we are visiting. Otherwise, we get a red flag in our URL bar. Just like HTTPS, we need an extra layer of end-to-end security between the connected device and the data repository above every network security so that we do not have to care and trust which network is carrying what. Transport Layer Security (TLS) and derivatives are the best protocols to achieve this — they can be applied to HTTP, FTTP, MQTT and turn them into HTTPS, FTTPS, and MQTTS respectively, exactly what we need in the complicated security world of IoT.
To put it simply, IoT, as with so many other technologies, embodies innate security defects. They can only be avoided if a technology product ensures three things:
- Mutual authentication: Devices and servers should and can prove true and unique identities to each other
- Message integrity: Messages sent between devices and servers should be able to be sent safely so that they can’t be hacked, altered or changed by an interfering party
- Message confidentiality: Messages should also be able to be coded so only parties authorized to receive them can read what they say—a main center of data privacy
With these three ideas in mind, it becomes possible to commence robust security practices in IoT.
About the Author: Guillaume Crinon is the Global IoT Strategy Manager at Avnet, responsible for security and connectivity solutions. He has more than 20 years of experience in the semiconductor industry, mostly in radio-frequency circuit design, but also has extensive experience in metering, building/home automation and security systems. He joined Avnet in 2011. Guillaume graduated from SUPELEC in Paris (MSc in EE) and has co-authored 12 international patents in wireless systems, IC architectures and design to date.