The challenges of IoT security and how to harden the edge

Securing data and devices on the IoT is essential but extremely challenging. Assets can be distributed over a large geographical area, left unattended, and subjected to all manner of attacks by devious and determined hackers. IoT security is a multi-faceted challenge. Clear frameworks and best practices, developed by security experts, can help device designers and network planners to put the right security measures in the right places.


By Andrew Bickley, Arrow Electronics


Security has quickly become a key concern in the world of the IoT. While digital transformation has made clear to organisations the value of data, there are also high risks surrounding the potential misuse of that data, which makes strong cyber security an absolute necessity. IoT technologies introduce numerous attack surfaces that hackers can exploit to steal data or launch other exploits. Going forward, more and more companies will be affected: Gartner predicts that over half of major new business processes and systems will incorporate some element of the IoT by 2020.

There is no doubting the power of IoT applications to help improve business efficiency and raise quality of service. Deploying huge numbers of connected sensors and actuators enables organisations to gather massive quantities of data to drive continuous improvement: controlling processes remotely to streamline staffing and maximise yield, tracking the locations of assets to increase operational efficiency, and anticipating maintenance requirements in remote equipment to minimise downtime and utilise staff efficiently, to name just a few. As a tool to support activities like business, commerce, and environmental management, the IoT is just at the beginning of its evolutionary cycle; many more as yet unimagined applications can be expected to emerge in the future. The imagination of application developers will likely be matched only by that of hackers intent on subverting the IoT for their own ends.

Organisations will come to rely heavily on their IoT-based applications to respond quickly to events in the field and make the right long-term business decisions. They will need a high level of trust in the data from connected assets. Hence preventing unauthorised access to this data is extremely important, to guard against eavesdropping and sabotage. If malicious agents can intercept data or gain access to connected devices, they can exploit numerous opportunities to cause damage: selling or publishing the data illegally, altering the data to misinform or misdirect, loading bogus code to take over or block the devices, or gaining access to more sensitive assets within the organisation. These could be security cameras, access-control systems, drives containing confidential information, or others. If any such exploits are successful, victims may suffer direct financial losses or other harm such as reputational damage or lost market opportunities.

Figure 1. Security concerns over product lifecycle

 

By their nature, IoT devices often operate autonomously for long periods, in remote locations, without being regularly inspected for signs of physical tampering. Moreover, being connected to the Internet gives hackers the opportunity to launch attacks remotely, without needing to go anywhere near the physical location of the device. Software that scours the Internet for vulnerable connected devices is already readily available. In addition, Gartner, in the same report that predicts the future pervasiveness of the IoT, has said there will be a $5 billion black market by 2020 for fake sensor and video data that can be used to compromise the integrity of data from legitimate IoT devices.

Clearly, the threat is real and significant, and organisations understand the key areas of vulnerability that present barriers to adoption of IoT-based business solutions. Businesses surveyed by 451 Research expressed concern about weaknesses throughout the IoT infrastructure, particularly at the network edge including IoT endpoints and their connections to other devices and the central network. The most important concerns are the physical security of endpoints, authentication of connected devices, the security of application software, and the connections between IoT devices and the central network. Issues like the security of IoT data stores and vulnerability to denial of service attacks rank below the challenges related to the more vulnerable edge devices and infrastructure.

Securing assets connected to the IoT is a huge challenge. Devices are vulnerable to both physical attacks and online exploits, and typically have only limited resources, such as processor cycles, power, and memory, to support electronic security. Suitable security must also be unobtrusive, so as not to obstruct authorised users or detract from the overall efficiency and business value of the application. To help implement adequate security within the prevailing constraints, it is valuable to analyse the potential threats facing various types of device, and the possible implications of a breach in each case, and so develop coherent security policies and best practice guidelines. The IoT Security Foundation has comprehensively studied device and data security breaches, and their impact on privacy, business activity, infrastructure and safety, to formulate a set of security compliance classes. This analysis can help ensure that IoT devices are designed with adequate security for their intended use and deployed appropriately by network planners. Table 1 describes these compliance classes, in relation to device integrity, device availability, and data confidentiality.

Table 1. IoT Security Foundation compliance framework for IoT end nodes

 

Any approach to IoT security must also recognise that hackers will seek to target the weakest links in the network and use the smallest and lowest-cost nodes as entry points or stepping stones to reach higher-value assets and/or penetrate core networks. A structured approach is needed when designing IoT devices, and when setting up networks, to ensure that all available security techniques are assessed and implemented according to need and within the capabilities of the host system. Security measures applicable to IoT devices include: tamper detection, secure data storage, securing data transmission, authentication, secure boot, secure firmware updates, secure manufacturing of IoT devices, secure decommissioning of IoT end nodes and proper handling of associated assets (data), and security policies and procedures.

These considerations span the complete IoT-device lifecycle (Figure 1), from the earliest stages of designing the embedded system – such as selecting a microcontroller with integrated cryptographic coprocessing, or a discrete hardware secure element – through manufacture, commissioning and maintenance in the field, to removal from the network and disposal at end of life. Even with the aid of a rigorous compliance framework such as that developed by the IoT Security Foundation, and a clear grasp of applicable hardware and software-based security techniques, the fact remains: IoT data faces a huge diversity of security challenges between network endpoints and the core, whether this is a private corporate network or the Cloud. A wide range of security solutions is available, from many providers, but developers need help to evaluate, select, and combine the chosen elements into a coherent whole that covers all potential vulnerabilities optimally. Figure 2 suggests a security strategy for IoT-endpoint designs, to protect against physical and online attacks.

Figure 2. Security strategy for edge-node designs

 

The Arrow Connect offering aims to provide such a resource, by bringing together solutions for managing IoT devices including endpoints and gateways. It encompasses both a Software Development Kit (SDK) for gateways and endpoints, and the design of device-to-Cloud management. It includes solutions for provisioning devices on the network securely, authentication, handling security keys, device identification, device management, endpoint priorities, groupings and hierarchies, data ingestion, data storage, data access, and Over-The-Air (OTA) software update.

