IoT Security: Keeping the Things secure

It seems that almost every day there is a new story about an IT security issue, whether its data breaches, just-discovered vulnerabilities, or new malware. With IoT becoming increasingly important in daily life and the business world, gathering data and connecting items as diverse as freezers and CCTV-linked stock control systems to the internet for controllers to use, the questions regarding Internet of Things securityand how to improve IoT security are becoming louder and more urgent.
In this article, we’ll look at five key aspects of IoT security technologies that need to be considered by IoT development services:

• Network vulnerabilities
• Authentication
• Encryption
• Public Key Infrastructure (PKI)
• Application Programming Interfaces (APIs)

Network vulnerabilities

As with any IT network, measures have to be taken with IoT networks to ensure that they are secure. It’s a cliché to say that a network is only as strong as its weakest point but there is truth in it. Any access point to a network can be a potential exploitation or intrusion point. IoT networks and devices need to make full use of all the tools that an IT network would use: firewalls (hardware and/or software-based), malware detection, anti-virus checking, and intrusion detection systems. All need to be kept up to date and maintained appropriately. If there are any indications of compromise, the device needs to be isolated automatically.

Authentication

The Russian proverb “Trust, but Verify” (Russian: Доверяй, нопроверяй, Doveryai, no proveryai) can well be applied here. IoT devices have to be able to interact with the external world – to gather data and then to transmit that data to IoT platforms.But appropriate security and authentication is vital. There have to be the appropriate systems in place to ensure that the credentials of the IoT device trying to connect to the network are actually the correct ones for that particular IoT device. However, with the variety of IoT devices that have been and will be developed, this can get very complicated for IoT application development services.

Strong machine authentication – carried out with machine credentials – is important.It is also recommended that devices be configured to only allow limited permissions in a network and/or for a time-limited period. In these ways, should they be breached, there can be a limit on what can be done. One option that is coming increasingly into use is the Trusted Platform Module that assists in the managing of the process.

Encryption

Encryption is a key part of daily business on the internet. It is a key methodology for protecting data, whether in transit or in storage. If IoT technology solutions are gathering sensitive data – for example, associated with medical treatments or health monitoring – encryption of the data should be considered. Further, any device that cannot positive demonstrate that is it up to date with all of its protection measures (not to mention authentication steps) needs to be refused access to any encrypted data or to the encryption keys themselves.

Public Key Infrastructure

PKI is one of the most robust methods for ensuring the secure electronic transfer of data. In a nutshell, PKI binds encryption keys with particular entities’ identity (people or organizations), with a process of registration and issuance of certificates. When employed in the building of an IoT platform, a PKI enables devices to obtain and renew appropriate certificates (for example X.509) that are used to establish relationships of trust between devices and the platform. PKI also enables encryption of communication through Transport Layer Security (TLS). Having and integrating PKI can thus be one of the strongest steps to take to ensure IoT security.

Application Programming Interfaces

APIs are another integral part of the IoT design and operations. In effect, APIs define the methods of communication between various software components. In IoT, this is between the devices, the platform and the processing at the data system. Given their importance, APIs need to be made to be secure, so that they cannot be altered. For IoT there needs to be a control over the devices and applications that are allowed to access the API.
Summary

Security needs to be an essential part of IoT application or device development. It cannot be an afterthought. Whether it is the devices themselves, the IoT applications, or the communications between them – amongst other aspects – all need to be developed with security in mind. This has real importance for the commercial success of a device or application for a company. Any IoT device or application that is known to be vulnerable or lacking in security is likely to suffer in the competitive commercial world. Any company that develops such as device or application will also suffer reputational damage. But by keeping security in mind, this can be avoided and commercially success assisted.