The industry has been chasing its tail for the past 5 to 7 years on the issue of Internet of Things (IoT) security, and it seems every week brings a new article about the need for device security or details about yet another security vulnerability exploit. The Internet is teeming with articles about issues and after-the-fact bandages, but very few of them get to the heart of the problem, which is how to secure network ecosystems that include interoperable autonomous devices.
IoT adoption continues to grow—but at the expense of good network and cybersecurity practices.
Industrial and commercial IoT had previously been characterized by isolated networks that allowed devices within the network to communicate, but there was no connection to the outside world. In these use cases, it was possible to get away with weak security because it was more difficult to execute a wide-scale attack from the Internet. However, there is growing demand from utilities and builders to enable external communication and control of commercial devices to improve energy efficiency and provide better power grid management. This requires that commercial, industrial and even residential IoT devices be connected to the Internet so that they can be reached by utilities and state energy regulators. These would include lighting control systems, smart meters, solar inverters and home appliances. In fact, network connectivity is already starting to be mandated in some states (e.g., California Rule 21).
However, as critical electric power infrastructure is being network-connected, there needs to be an economical solution that adequately addresses security concerns as well as the logistics surrounding its implementation.
Companies that can provide strong security at scale will be able to use that as a key differentiator for their products, protect their brand and future-proof their products (which can have lifespans of 10 to 20 years or more) as calls for stricter requirements regarding device security loom on the horizon. Even as more wired control systems get connected, wirelessly connected devices are seeing exploding growth. Wireless devices are much easier to install and often reduce deployment time from several weeks to just a few days, or even hours. Easier installation reduces the amount of time installers need to spend on a job, thus reducing costs and increasing revenue by enabling them to do more jobs in the same amount of time.
However, expanded wired and wireless connectivity accelerates the need for a more scalable security solution for these networked devices.
This paper covers the fundamentals of security architecture, best practices and new processes that can vastly simplify the implementation of strong, enterprise-grade security into small resource-constrained IoT devices. The goal is to enable deployment of security on the massive scale needed for IoT, while not sacrificing security robustness, and provide a workflow that can be implemented in hardware across a highly fragmented, embedded system.
This paper will not cover any hacks or exploits; those have been covered quite sufficiently to date. What is needed are more articles that cover the “how” of IoT security, not just further descriptions of new problems. In the new IoT reality, users need to know how to apply security that is strong, simple and massively scalable to tens of billions of hardware devices.