The challenge of securing the IoT

The Internet as we know it can trace its origins back to just four inter-connected computers in 1969. Nobody at the time could conceive of an Internet of Things or ‘IoT’ (a phrase first attributed to Kevin Ashton in 1999) that would see 30 billion devices connected by 2019.

The IoT holds a great deal of promise for connected organisations, including greater process efficiency, intelligent automation, real-time communications, borderless networking, unlimited collaboration and big data analytics.

However, the IoT landscape is a complex one, and with complexity comes risk. In order to be effective, the IoT needs to be built upon a foundation of security as well as connectivity.

According to research by Gemalto, connected organisations spend an average of 11% of their IoT spend on security. However, of those who are committed to this level of expenditure, over 40% admit to not encrypting all of their IoT data.

As much as anything, this is an admission that there are challenges when it comes to securing something as vast and complex as the IoT. The sheer quantity of data traversing the IoT makes privacy difficult, and there is a concern that effective security will be expensive to implement.

The threat landscape

The IoT faces a diverse and evolving threat landscape. Just as with the high-speed, wide-area networks utilised by many companies, the IoT is vulnerable to data theft, eavesdropping, rogue data injection and denial of service attacks.

The implications for everything from economic performance to personal safety are wide ranging. As society becomes more reliant upon connected devices, how can it trust the integrity and authenticity of data it is receiving from such diverse sources as wearable tech, smart buildings, traffic management and SCADA control systems?

In order to offer high-assurance data protection, the IoT needs to be “secure by design”. This means securing every element of the ecosystem; from end-point devices and edge processors to secure cloud storage, device-to-device communication and lifecycle management.

According to the US Department of Homeland Security, there are three core requirements for IoT cryptographic security:

all interactions between devices must be mutually authenticated
all communication between devices should be encrypted
when used, cryptographic keys must be protected

For manufacturers of IoT devices, this means more than simple, physical security. Data will need to be protected while at rest, or in motion across the network. This will have implications for device identification and authentication, secure booting and chip security.

Beyond this, there are wider-ranging considerations for secure lifecycle management that must include policies for vendor certification, risk assessment, patching, secure decommissioning and the establishment of recognised IoT security standards.

For cloud, data centre and communication service providers this will mean greater access control, the effective distribution of security policies across a massive estate, end-to-end encryption, platform and application integrity and verification, and adopting a unified threat management approach to IoT security.

Random Numbers – The Key to IoT Security

Any cryptographic system is only as strong as the keys it uses. Generating strong keys, based on true randomness, will be the cornerstone of IoT security. A good key must be unique, unpredictable and truly random; something that is only achievable through hardware key generation.

Software-based random number generators are deterministic and cannot generate true randomness without an external source of entropy, something that is not practical for physically constrained (small) devices.

ID Quantique is one of the world’s leading developers of quantum random number generators; sources of genuine entropy based on the fundamental principles of quantum physics. In partnership with SK Telecom, we have developed the Quantis QRNG chip; the world’s smallest low-cost quantum random number generator.

Designed specifically to meet the requirements of wide-spread, field-based deployments; the Quantis QRNG is ideal for IoT, SmartGrid and SmartHome installations. It is also the best choice for mobile computing devices, seed generation for blockchain and AI applications.

To find out more, visit the Quantis QRNG Chip page on our website, or contact us directly by calling +41 22 301 8371 or emailing info@idquantique.com

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.n
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
datatranscw-woocommerce-context-id	session	Description is currently not available.
datatranscw-woocommerce-context-key	session	Description is currently not available.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.
wp11868	1 year	Marketing automation. Automatically sets cookie tracking when visitors engage through form submissions, clickthrough’s in email messages, and web pages containing the Act-On Beacon Tracker.

The challenge of securing the IoT

The threat landscape

Random Numbers – The Key to IoT Security

Stay one step ahead