Setting the standard for IoT security
The term “Internet of Things” (IoT) was first used in 1999 as a reference to the increased number of “connected” devices that leveraged IP networks to communicate with each other. Ten years later the concept had become a reality as, by 2009, there were more “things” connected to the internet than people.
Since then, the exponential growth of the IoT has continued, and the number of connected devices is expected to exceed 50 billion by 2020. At that point, we will be generating a staggering 44 zettabytes (44 trillion gigabytes) of “big data” per year.
Of course, the trouble with big data is that it requires big data protection. Security is not always front of mind in an emerging market. When vendors rush to beat the competition to market, or to hit a specific price point, it often comes at the expense of security or quality. What we are left with is an infrastructure comprising 50 billion potential vulnerabilities.
As infrastructure becomes borderless, and data processing becomes decentralised, cyber-security experts face a new challenge. Historically, IT departments have focused most of their energies on securing core IT components. As networks increase in scale and edge computing becomes more commonplace, there is a greater need to secure the WAN, all the way to the virtual edge.
Securing critical data when it arrives at its destination is one thing, but in an IoT environment security needs to cover every step of the data journey, including collection, collation, transport, storage and analysis.
In its 2017 IoT Security Report, Gemalto revealed that the biggest challenge facing those who are working towards securing the IoT was a lack of any external guidance or regulation. It’s fair to say that this will not be an easy process.
Whilst there is currently no recognised standard for IoT device security, there is a groundswell of support for the initiative, from both vendors and regulators alike. From a vendor perspective, an established standard gives them something to aim for, acts as a quality differentiator and can help eliminate sub-standard products from the marketplace.
Early indicators are that the principle of “security by design” can act as a significant aid to adoption. Over 90% of companies report an increase in sales of products that have shown an improvement in security.
Organisations have become increasingly aware of their security posture. The IoT adds potential points of weakness, so the ability to incorporate devices that meet a recognised security standard can contribute significantly to overall cyber-security strength.
Self-regulation for the IoT market is not a viable option, which is why we have started to see regulatory authorities working on frameworks. In 2017, the US introduced the Internet of Things Cyber Security Improvement Act. Whilst the act only applies to government agency suppliers and affiliates, it is hoped that it will set a standard that commercial organisations will seek to follow.
Still in the US, the Department of Homeland Security has made a number of recommendations for the cryptographic security of what it refers to as “life critical embedded systems”, including:
- All interactions between devices must be mutually authenticated
- All communications between devices should be encrypted
- Devices must never trust unauthenticated data
- When used, cryptographic keys must be protected
Where we have globally recognised standards for health and safety, the IoT demands a similar standard for IP security. The question is, how enforceable is this and how long might it take to implement?
The National Institute of Standards and Technology (NIST) recently launched a call for commentary on draft requirements for the standardisation of “lightweight” cryptography for IoT devices. NIST acknowledges that its current encryption standards were designed with “general purpose computing platforms” in mind and are not suitable for small devices that are resource-limited.
After a 45-day consultation period, NIST will define its evaluation criteria and issue a call for public submissions of encryption algorithms. Once the submission deadline has passed, there will be a 12-month public review, followed by a further 10-month assessment by NIST itself, before the candidates are considered for standardisation.
Addressing the challenge
Any cryptographic system is only as secure as the encryption keys it uses, and key security rests on one thing: randomness. A strong key must be unique, unpredictable and based on true randomness. It is also essential that the key generation process is resistant to external or environmental perturbation.
IDQ and SK Telecom recently developed the Quantis QRNG Chip, the world’s smallest low-cost quantum random number generator and a source of genuine randomness (entropy) for securing IoT and critical infrastructure applications.
The Quantis QRNG Chip was designed to meet the requirements of widespread, resource-constrained field deployments, including IoT, SmartGrid and SmartHome applications. At the same time, it provides a true source of randomness for general purpose computing devices, including tablets, mobile phones, desktop PCs and servers. The Quantis QRNG Chip is also ideal for seed generation for blockchain.
Software-based RNGs are not suitable for IoT applications as the programs used to generate numbers are deterministic and, therefore, unable to generate truly random numbers without an external source of entropy. As many critical infrastructure and IoT applications are in remote locations, these external sources of entropy are hard to come by.
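To show why a deterministic PRNG needs an external entropy source before it can generate keys, here is an added example (not IDQ's code): it provisions a simulated fleet of devices that all boot within the same 100 ms window and derives each device key either from the boot time alone or from hardware entropy mixed with the boot time. `os.urandom` stands in for a hardware entropy source such as a QRNG chip, and the device count and timings are constructed.

```python
"""Why deterministic key generation needs real entropy: two devices that seed a
PRNG from the same low-entropy value get the same key. Example code added to
this page; os.urandom is a stand-in for a hardware entropy source."""
import hashlib
import os
import random
from collections import Counter
from typing import Iterable, Set


def weak_device_key(boot_time_ms: int) -> bytes:
    """Key from a deterministic PRNG seeded only with millisecond boot time.
    The seed fully determines the output, so equal seeds give equal keys."""
    prng = random.Random(boot_time_ms)
    return hashlib.sha256(prng.getrandbits(256).to_bytes(32, "big")).digest()


def strong_device_key(hw_entropy: bytes, boot_time_ms: int) -> bytes:
    """Key that mixes 256 bits from a hardware entropy source with the boot
    time. With fresh entropy per device, equal boot times no longer collide."""
    if len(hw_entropy) < 32:
        raise ValueError("need at least 256 bits of hardware entropy")
    return hashlib.sha256(hw_entropy + boot_time_ms.to_bytes(8, "big")).digest()


def duplicate_keys(keys: Iterable[bytes]) -> Set[bytes]:
    """Fleet audit: the set of keys that appear on more than one device."""
    return {k for k, n in Counter(keys).items() if n > 1}


def provision_fleet(n_devices: int, use_hw_entropy: bool, seed: int = 7) -> int:
    """Constructed scenario: n devices all boot within the same 100 ms window.
    Returns the number of distinct keys shared by two or more devices."""
    clock = random.Random(seed)            # only used to draw the boot times
    base_ms = 1_700_000_000_000
    boot_times = [base_ms + clock.randrange(100) for _ in range(n_devices)]
    if use_hw_entropy:
        keys = [strong_device_key(os.urandom(32), t) for t in boot_times]
    else:
        keys = [weak_device_key(t) for t in boot_times]
    return len(duplicate_keys(keys))


if __name__ == "__main__":
    print("duplicate keys, PRNG seeded from boot time:", provision_fleet(200, False))
    print("duplicate keys, hardware entropy mixed in:", provision_fleet(200, True))
```

With 200 devices and only 100 possible boot-time seeds, the PRNG-only fleet is guaranteed to contain shared keys, while the fleet that mixes in hardware entropy has none.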
Discover more about quantum technologies and their implications for applications by downloading our White Paper: Why Quantum Technologies Matter in Critical Infrastructure and IoT