IoT security has been a recognised issue since the very first networked devices were installed. Whether it is a CCTV camera with an unencrypted password in its firmware and RTSP streaming capability, or an “intelligent” light switch that must be connected to a remote third-party server before you can switch your lights on, these designs raise issues of privacy as well as security, and even “closed” systems such as PLCs are not immune, as the Stuxnet worm showed. Hardly a day goes by without news of some company becoming a ransomware victim, such as two oil storage supply firms in Germany, a mobile phone company in Portugal, the world’s largest meat packing company or the USA’s largest oil pipeline.
IoT security has to be seen as part of a layered system of protection, focused on three important principles:
- Data Confidentiality
- Data Integrity
- System Availability
IoT security therefore has to be built in layers, so that if one layer is breached the remaining layers stay in place to limit the damage done by the breach.
Secure By Design
Layer 1 – Devices
The first step with IoT devices is to ensure that devices, whether sensors, machines, or complex entities with multiple sensors, are identified and authenticated – in much the same way a biometric passport ensures that the traveller is who they say they are when going through passport control.
The second is to ensure that code, whether embedded in firmware or downloaded later, has not been manipulated or modified and is genuine.
The third is to ensure that data is encrypted throughout its lifetime in the IoT infrastructure. While this may appear cumbersome to developers accustomed to JSON strings or plaintext communication once a device is identified, it is essential for IoT devices so that data is not susceptible to interception.
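An added example, not part of the original page or of StreamBlocks' own code, showing the first two Layer 1 checks in Go: a device verifies a firmware image against a vendor public key pinned at manufacture, and answers a server challenge with a per-device key so that the server can authenticate it. The key material, device ID and image bytes are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// SignFirmware runs on the vendor build server: it signs the SHA-256 digest of
// the image with the vendor's Ed25519 private key, which never leaves that server.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFirmware runs on the device before an update is installed. The device
// trusts only the vendor public key pinned at manufacture, so a modified image
// or a signature made with any other key is rejected.
func VerifyFirmware(pinnedPub ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return errors.New("firmware rejected: signature does not match pinned vendor key")
	}
	return nil
}

// DeviceResponse is the device's answer to a server challenge:
// HMAC-SHA256(deviceKey, deviceID || nonce). Because the server issues a fresh
// random nonce per session, a captured response cannot be replayed later.
func DeviceResponse(deviceKey []byte, deviceID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, deviceKey)
	m.Write([]byte(deviceID))
	m.Write(nonce)
	return m.Sum(nil)
}

// AuthenticateDevice is the server-side check; hmac.Equal compares in constant time.
func AuthenticateDevice(deviceKey []byte, deviceID string, nonce, response []byte) bool {
	return hmac.Equal(DeviceResponse(deviceKey, deviceID, nonce), response)
}
```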
Layer 2 – Networks, Connectivity & Gateways
Very often, sensors and actuators have very limited local capability, which increases the risk of data interception. StreamBlocks devices are always encrypted at the sensor level and include a connectivity verification and routing process, which can be expanded to cover existing devices on a network.
Needless to say, firewalls between local area networks and the internet are a key part of IoT and infrastructure security.
Security At Your Server Not a Third Party
Remove the need for an Internet connection and for monitoring of your IoT device usage by third parties.
Layer 3 – Server/Cloud Applications & User Authentication
Security is at the heart of the StreamBlocks servers and architecture, and it is here that the “heavy lifting” is done. Beyond authentication and encryption, data is also analysed retrospectively to ensure data integrity as well as communication effectiveness and system performance.
User authentication is also performed following best practice, with a complete audit trail of all user and application actions.
Equally important is the verification of the control algorithms, including scripts, which the user can implement in StreamBlocks, so as to ensure system integrity and that no inadvertent weaknesses are introduced into the system architecture.
While StreamBlocks provides you with tools to help you maintain data confidentiality, integrity and security, this must be viewed as part of the overall security solution used by the enterprise, site or application, and should be combined with processes for maintaining data confidentiality such as physical access control for servers, cryptographic authentication of devices, firewalls, DDoS prevention and IPS systems where applicable or necessary, among others.
StreamBlocks can assist users in selecting the approach that best suits their needs, as well as in system security and integrity testing.