The challenge of securing the IoT
The Internet as we know it can trace its origins back to just four inter-connected computers in 1969. Nobody at the time could conceive of an Internet of Things or ‘IoT’ (a phrase first attributed to Kevin Ashton in 1999) that would see 30 billion devices connected by 2019.
The IoT holds a great deal of promise for connected organisations, including greater process efficiency, intelligent automation, real-time communications, borderless networking, unlimited collaboration and big data analytics.
However, the IoT landscape is a complex one, and with complexity comes risk. In order to be effective, the IoT needs to be built upon a foundation of security as well as connectivity.
According to research by Gemalto, connected organisations allocate an average of 11% of their IoT spend to security. However, of those committed to this level of expenditure, over 40% admit to not encrypting all of their IoT data.
As much as anything, this is an admission that there are challenges when it comes to securing something as vast and complex as the IoT. The sheer quantity of data traversing the IoT makes privacy difficult, and there is a concern that effective security will be expensive to implement.
The threat landscape
The IoT faces a diverse and evolving threat landscape. Just as with the high-speed, wide-area networks utilised by many companies, the IoT is vulnerable to data theft, eavesdropping, rogue data injection and denial of service attacks.
The implications for everything from economic performance to personal safety are wide ranging. As society becomes more reliant upon connected devices, how can it trust the integrity and authenticity of data it is receiving from such diverse sources as wearable tech, smart buildings, traffic management and SCADA control systems?
In order to offer high-assurance data protection, the IoT needs to be “secure by design”. This means securing every element of the ecosystem: from end-point devices and edge processors to secure cloud storage, device-to-device communication and lifecycle management.
According to the US Department of Homeland Security, there are three core requirements for IoT cryptographic security:
- all interactions between devices must be mutually authenticated
- all communication between devices should be encrypted
- when used, cryptographic keys must be protected
For manufacturers of IoT devices, this means more than simple, physical security. Data will need to be protected while at rest, or in motion across the network. This will have implications for device identification and authentication, secure booting and chip security.
Beyond this, there are wider-ranging considerations for secure lifecycle management that must include policies for vendor certification, risk assessment, patching, secure decommissioning and the establishment of recognised IoT security standards.
For cloud, data centre and communication service providers this will mean greater access control, the effective distribution of security policies across a massive estate, end-to-end encryption, platform and application integrity and verification, and adopting a unified threat management approach to IoT security.
Random Numbers – The Key to IoT Security
Any cryptographic system is only as strong as the keys it uses. Generating strong keys, based on true randomness, will be the cornerstone of IoT security. A good key must be unique, unpredictable and truly random, something that is only achievable through hardware key generation.
Software-based random number generators are deterministic and cannot generate true randomness without an external source of entropy, something that is not practical for physically constrained (small) devices.
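The determinism described above can be seen in a short added example (not part of the original article): a constructed fleet whose devices seed a software generator from a small range of values ends up sharing keys, while keys drawn from the operating system's entropy source do not. The function names, the fleet size of 1000 and the 256-value seed space are assumptions chosen for illustration.

```python
from __future__ import annotations

import random
import secrets
from collections import Counter

KEY_BYTES = 16  # 128-bit device key


def seeded_key(seed: int) -> bytes:
    """Weak design (constructed): key from a deterministic PRNG and a small seed."""
    rng = random.Random(seed)  # the same seed always yields the same output stream
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def entropy_key() -> bytes:
    """Key drawn from the operating system's entropy-backed generator."""
    return secrets.token_bytes(KEY_BYTES)


def provision(n_devices: int, seed_space: int | None = None) -> list[bytes]:
    """Provision a constructed fleet; seed_space=None uses the OS entropy source.

    With seed_space set, device i seeds its PRNG with i % seed_space, standing
    in for a boot counter or coarse clock that can only take that many values.
    """
    if seed_space is None:
        return [entropy_key() for _ in range(n_devices)]
    return [seeded_key(i % seed_space) for i in range(n_devices)]


def shared_keys(keys: list[bytes]) -> dict[bytes, int]:
    """Audit check: keys held by more than one device, with device counts."""
    return {k: n for k, n in Counter(keys).items() if n > 1}


if __name__ == "__main__":
    weak = provision(1000, seed_space=256)
    strong = provision(1000)
    print("seeded PRNG : distinct keys =", len(set(weak)),
          "shared =", len(shared_keys(weak)))
    print("OS entropy  : distinct keys =", len(set(strong)),
          "shared =", len(shared_keys(strong)))
```

The same `shared_keys` check can be run over a real device inventory's public keys or key fingerprints to detect units that were provisioned with too little entropy.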
ID Quantique is one of the world’s leading developers of quantum random number generators, sources of genuine entropy based on the fundamental principles of quantum physics. In partnership with SK Telecom, we have developed the Quantis QRNG chip, the world’s smallest low-cost quantum random number generator.
Designed specifically to meet the requirements of widespread, field-based deployments, the Quantis QRNG is ideal for IoT, SmartGrid and SmartHome installations. It is also the best choice for mobile computing devices, seed generation for blockchain and AI applications.