In our earlier blog, we discussed the reasons why IoT Security needs a customer centric approach. This blog will follow on and explore the importance of having a strong device identity and integrity, which are the new perimeter for IoT. We will look at why we must combine device and user dimensions for device centric IoT Identity and Access Management (IAM) and why IoT devices are the weak link in the IoT Ecosystem.
Why is IoT device security very critical for overall IoT success?
The Internet of Things has drawn attention of the White House and Congress amid growing concerns about the woeful state of IoT connected device security. The recent DDoS attacks via IoT botnets have brought into the spotlight the dangers of connecting vulnerable IoT devices such as cameras, DVRs, and refrigerators to the internet. Indeed, the lack of security in IoT devices portends a brave new world.
IT and OT convergence will drive IoT to the Enterprise: Each company is different in how it handles the influx of the IoT and the resulting IT/ OT convergence. Consequently, the traditional perimeter security (firewall) that separates the two becomes more complicated and less well defined. Traditionally, each was a separate entity; however, with IP-enabled devices, that dividing line becomes less clear. Unlike cyber hacks, where access and information are compromised in the digital domain, the IoT security threats have more far-reaching and irreversible physical consequences
IoT Devices Connecting to IoT Platforms: Many IoT platform vendors claim to enable customers to build IoT applications, connecting the devices and data quickly. These platforms do not have any control on the device side environment and expect customers to take care of the security. These vendors are promoting user centric IAM for device authentication and privacy that are not suitable for borderless headless IoT devices. The weakest link in the chain is the device. The security issues will be exacerbated as the future of the IoT presents millions of connected devices through wireless communication technology via the internet and the cloud. By infecting one device and gaining access to the network, a malicious actor can cause large-scale mayhem. IoT devices need strong authentication and integrity to help businesses ensure that devices connected are authentic and their critical functionality is not tampered or altered.
Why is the Device Centric Identity and Integrity critical?
As data traverses large networks of interconnected devices, more damages can be done if we don’t protect the data and authenticate the devices to shield from unauthorized access.
In 2008, attackers gained access to the operational controls of the Turkish oil pipeline by exploiting vulnerabilities they found in the cameras’ communication software. They could manipulate the pressure, using the wireless operating system as a digital weapon to manipulate the pipeline into a disastrous oil bomb causing approximately “30,000 barrels of oil to spill in an area above a water aquifer.”
Unfortunately, these types of attacks are not slowing. Imagine what unauthorized access or the wrong data for analytics driven controls can do in health care IoT devices; possible harm to patient safety and health.
Since traditional network security perimeter models do not apply to IoT, we need to treat each device as its own network access point, build defense in depth at the device itself by way of tamper proof authentication, integrity and provide an end-to-end data privacy model.
Unlike regular endpoints (PCs, laptops, and hand held mobile devices) and servers that reside on premise or located in different datacenters, security software that protects from malware cannot be installed, configured and constantly updated. Existing security solutions just can’t be applied to these IoT headless devices with no User Interface.
Device Authority's KeyScaler™ platform can deliver Device Identity, Integrity and Data Privacy:
KeyScaler™ provides active device authentication, integrity and policy enforcement for data privacy based on patented Dynamic Device Key Generation (DDKG) technology.
- Device authentication keys are dynamically generated and unique to each device for each authentication session – No more credential stealing and spoofing issues
- Device-derived crypto keys are generated from the dynamic device authentication process – No more stolen credential or keys
- Secure Software/Firmware upgrades, detect any critical changes in the device – which maintains device integrity
- End-to-end policy based data encryption till application layer – which maintains data privacy
Businesses need to make sure that IoT devices have strong device centric identity, authentication, integrity and access controls for end-to-end data transfers. To make this goal a reality, thoughtful security design becomes mandatory during device deployment with the right foundation that addresses these concerns to secure the IoT in future.
Start the conversation: Contact Device Authority