How to build a secure IoT infrastructure
5 pillars for state-of-the-art security for the internet of things
The internet of things (IoT) is booming, with more than 75 billion connected devices expected worldwide by 2025. Whether the purpose is to remotely control smart home devices, to manage communication between industry robots, or to monitor the streetlights of a city, security cannot be overlooked.
Read our guide to learn why security is vital to consider for any IoT application and our recommended five pillars for a well-founded security design.
Define your needs
Since IoT includes all use cases that involve things connected to the internet, the associated risks vary a lot. You must find out what your biggest threats are, and where you have possible loopholes that hackers can take advantage of.
Be aware of the risks
Do a risk assessment to find out where your biggest risks are. Use any relevant common standards, such as ISO 27001, to assess and counteract on cyberthreats. Do regular revisions as new threats may arise. Since Internet connectivity is part of the definition of IoT, there is an inherent interface with the outside world. You must assess what type of information is captured, processed and transferred by your IoT devices and your IoT cloud applications, and what the consequences of eavesdropping, data manipulation or loss are. What happens if an unauthorized person accesses your device or if manipulated software is executed by it? What happens if hacked devices or malicious software deliver manipulated or forged data to your cloud services?
The risks and their consequences must be balanced against the added value of collecting data, as well as any specific requirements on how accessible your service needs to be and how simple it must be to use.
What do you need to protect and for how long?
Depending on what you need to protect – storing or transferring data, activating a physical function of a device, or accessing a function of a cloud service – different security mechanisms are needed. If the purpose is to keep data secret, it can be encrypted, whereas digital signatures can be used to prove the origin of data and guarantee its integrity. Depending on the lifecycle of your product or data, different measures may be suitable.
Make sure to secure all parts of the IoT solution The European Union Agency for Network and Information Security (ENISA) has defined four layers of an IoT infrastructure :
- Devices – such as sensors and actuators.
- Communications – such as PAN, LAN, gateways.
- Cloud platform, backend, and services – such as databases, process automation, and decision systems.
- Use cases – such as transport, healthcare, and smart homes.
Consider all the included parts of your solution, to make sure you don’t leave any security holes.
IoT security is a complex area. It needs expertise and experience to overview risks and consequences, and to define how to mitigate them. The environment is constantly changing, as new types of operating systems, communication protocols, and cyberattacks are developed. For these reasons, it is crucial to find an established partner to advise you.
Find an experienced advisor
A security expert with a solid background is likely to have come upon issues that are relevant to your use cases, for example they may have experience providing security for large IT deployments or to organizations in the same industry. Many issues can be addressed the same way, even across industries.
Trusting the vendor is key
If you don’t have the competence inhouse on how to secure your IoT application, then it may also seem hard to evaluate and choose a partner. Lack of standards in the IoT area makes it even harder.
Focus on your core business
Taking advantage of the competence and experience of your security advisors lets you focus on your core business and develop innovative and highly usable services to your customers. Look for a security vendor that offers a solution that is easy to use, deploy, and operate. Preferably, you get a choice between operating a solution on-premises or consuming it as a cloud service, whichever fits you best.
Take advantage of available technologies
All connected IoT devices and services must have trusted digital identities to be able to distinguish them from each other and from unauthorized or malicious parties trying to intrude on or disrupt your devices and services. Digital identities are the basis for security services; they enable encrypted communication, verification of the origin of data, and guaranteed integrity of data and software being stored, transferred, or executed.
Public-key infrastructure (PKI) certificates provide cryptographically secure, unforgeable, theft-safe identities, which enable devices and services to be empowered with:
- Authentication: Strong authentication ensures that only approved users and devices can connect to the network.
- Encryption: Certificates enable encrypted communication between devices and services.
- Integrity protection: Digital signatures prove the origin and integrity of data and software.
PKI is a mature and well-standardized technology, so you can choose from a large pool of software vendors, open source implementations, service providers, and system integrators . All these can provide you the same core technology, so that you are safe from being locked into a solution.
Since IoT means that services and devices are connected with the internet, it is especially important to prevent unauthorized persons from accessing the systems, devices, and cloud services. Passwords are proven to be insecure. According to the Data Breach Investigations Report by Verizon, 81% of hacking-related breaches leveraged stolen or weak passwords. With strong, cryptography-based authentication, you make it much harder for the attackers. For persons that need to access devices or services, apply two-factor authentication (2FA). In addition to the strength of the method, consider how the keys are created, distributed, and stored. Unsecure management spoils the security of even the strongest cryptographic method. Also, look for simplicity in your authentication solutions. For example, a mobile app using biometric factors is both user-friendly and secure. If the security solutions are hard to use, then people find ways around them.
Use industry standards and open source
Other technologies and protocols that fit well into IoT applications include Automated Certificate Management Environment (ACME), Constrained Application Protocol (CoAP), Message Queuing Telemetry Transport (MQTT), Transport Layer Security (TLS), Datagram Transport Layer Security (DTLS) and Enrolment over Secure Transport (EST).
Take account of industry demands
The IoT area has for a long time been unregulated and without common standards and common security, safety, and privacy policies. Lately, a number of IoT and IIoT security standards have however emerged. Those include IEC 62443 and ETSI EN 303 645 as well as the IEEE 802.1AR specifying an initial device identity (IDevID). [5, 6].
Example: Security in connected cars
The V2X use case raises many specific requirements. As shown, a high-performing PKI platform is one of them. Other requirements are more efficient ways to generate keys using butterfly elliptic curve cryptography, a redundant setup of two certificate authorities (CAs) to guarantee drivers’ privacy, and high availability to reliably function at all times.There are technical standards to describe these requirements, such as IEEE1609.2 in the US , and ETSI TS 102 941 and TS 103 097 in the EU .
Consider data privacy
In general, consider all international and national regulations that might apply for privacy of data. Since the Global Data Protection Regulation (GDPR) went into effect in May 2018, it is still not clear how it will apply to IoT. Besides personal data, unsecure IoT devices may expose behavioral patterns such as the movement profile or home absence of the owners, or deliver audio and video streams from the private environment.
Stay aware of legal issues
There are many legal issues that are still uncertain. For example, regarding who owns the data collected by an IoT device. Another question is who is responsible and liable, when something goes wrong. Imagine someone hacking an IoT enabled lawn mower, taking control over it and mowing the neighbour’s rose garden – who can be held responsible? Since there are no easy answers to these questions today, the best you can do is to try to stay aware.
The benefits of IoT cannot be denied and it is unlikely that businesses not taking advantage of IoT will survive, but IoT comes with apparent safety, privacy and business risks. Therefore, security considerations and a suitable implementation are crucial for IoT applications.
Stay aware of the risks and define what you need to protect and for how long. Design your IoT infrastructure for security and privacy from the start. Rely on trusted and experienced IT security professionals to help you. Use available technologies such as PKI and strong authentication to ensure security, as well as efficiency, scalability, standardization, and usability. Make sure to follow any specific requirements on performance, protocols and policies for your industry, while being aware of general privacy and legal demands.
As complex as it may appear, if you build on the pillars in this guide, you get a good start to defining your specific needs and your way of securing your IoT application.
 A Patient Dies After a Ransomware Attack Hits a Hospital: https://www.wired.com/story/a-patient-dies-after-a-ransomware-attack-hits-a-hospital
 Mirai (malware) article on wikipedia: https://en.wikipedia.org/wiki/Mirai_(malware)
 PKI Is Gearing Up for the Internet of Things, Gartner: https://www.gartner.com/doc/3426421/pki-gearing-internet-things
 Cybersecurity IoT program, National Institute of Standards and Technology (NIST):https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program
 IoT and smart infrastructures, European Union Agency for Network and Information Security (ENISA): https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures
 Standard for Wireless Access in Vehicular Environments (WAVE), Institute of Electrical and Electronics Engineers (IEEE): https://standards.ieee.org/findstds/ standard/1609.2-2016.html
 Intelligent transport system security, European Telecommunications Standards Institute (ETSI): https://portal.etsi.org/services/centrefortestinginteroperability/activities/intelligenttransportsystem/security.aspx
Explore more resources
How to secure your IoT devices to shape a secure tomorrow
Watch the webinar to discover how your business can ensure that the connected things you produce are provisioned with a trusted identity.
STIHL selects Nexus to secure IOT connected equipment
STIHL is a German manufacturer of chainsaws and handheld power equipment with a vast international manufacturing network.
Simplified and secured IoT device management
Nexus, Software AG and a range of industry experts are contributing
to the open-source thin-edge.io
Nexus Go enables Danfoss to strengthen security for IoT devices
Danfoss, a leading Danish technology company focusing on infrastructure, energy efficiency and
climate-friendly-solutions, has selected the Nexus Go IoT PKI to help secure their IoT devices.
READ FULL CASE
Smart ID IoT to secure world’s most ambitious smart meter project
Nexus has been selected to provide a key management system (KMS) that enhances the security of a pioneering Smart Metering Project for one of the largest electric energy companies in the Middle East.
Industry leaders come together for pioneering 5G cybersecurity solution
An ambitious initiative has been developed in partnership between Nexus, Telefónica, DEKRA, CTAG, Harman and HPE to make vehicular communications more effective, reliable and secure by using 5G and cryptographic technology.