Securing the Internet of Everything: An Architectural View
As a follow-up to my introductory blog on Securing the Internet of Everything, I would like to discuss further the security implications that will shape the proposed framework. As IoT/M2M applications affect our daily lives, whether in industrial control, transportation, the smart grid or healthcare, it becomes imperative to ensure a secure IoT/M2M system. As IP networks are employed, IoT/M2M applications have already become a target for attacks that will continue to grow in both quantity and sophistication. Both the scale and context of the IoT/M2M make it a compelling target for those who would do harm to companies, organizations, nations, and people.
The targets are abundant and cover many different industry segments. The potential impact spans from minor irritant to grave and significant damage and loss of life. The threats in this environment can be categorized similarly to those in traditional IT environments. It is useful to consider a general platform architecture when discussing IoT security challenges. Below is the platform architecture used to frame IoT/M2M discussions.
While many existing security technologies and solutions can be leveraged across this architecture, perhaps especially across the Core and Data Center Cloud layers, there are unique challenges for the IoT. The nature of the endpoints and the sheer scale of aggregation in the data center require special attention.
The architecture is composed of four layers similar to those described in general network architectures. The first layer of the IoT/M2M architecture comprises embedded systems, sensors and actuators. These are small devices with varying operating systems, CPU types, memory, and so on. Many of them will be inexpensive, single-function devices (for example a temperature or pressure sensor) and could have rudimentary network connectivity. In addition, these devices could be in remote or inaccessible locations where human intervention or configuration is impossible. The nature of sensors is such that they are embedded in what they are sensing: one can envisage a new workplace, hospital or school construction project where the technology is introduced during the construction phase as part of the final fit rather than after completion, as is common today. This in itself creates new challenges, as the means of connectivity may only exist after the installation teams have left the site. Additionally, methods must be taken to ensure that the authenticity of the data, the path from the sensor to the collector and the connectivity authentication parameters cannot be compromised between the initial installation and configuration of the device and its eventual presence on the IoT infrastructure.
The challenges of designing and building IoT devices can be summed up as follows:
• Typically small, inexpensive devices.
• Little to no physical security.
• Designed to operate autonomously in the field.
• May be installed prior to network availability.
• After deployment, may require secure remote management.
• Computing platform may not support traditional security algorithms.
The variability in the capabilities of endpoint devices, and the potentially enormous number of them, highlight the importance of the multi-service edge in the IoT/M2M architecture. The multi-service edge spans the network edge and must accommodate these endpoints. This edge is multi-modal, supporting both wired and wireless connectivity, and within those two categories it must support many different protocols, for example Zigbee, IEEE 802.11, 3G and 4G. The edge is responsible for supporting the many protocols used by the endpoints, some of which have no inherent security capabilities at all. It is the point where security services must be provided to protect these inherently insecure endpoints. Security services at the network core and data center cloud must also be present, similar to solutions already in existence and deployed in conventional networks.
These are required to ensure that the IoT/M2M system as a whole has been hardened against threats such as:
▪ Denial of Service (DoS) is the attempt by an attacker to make a resource unavailable. A good example of a resource vulnerable to DoS is the wireless medium. While many technologies exist today to harden the protocols that secure WiFi, LTE, 3G and others, a simple radio jammer can still be an effective DoS on these wireless media.
▪ Man-in-the-middle (MITM) is the means by which an attacker successfully inserts itself between two peers and eavesdrops on their conversation by relaying the messages it receives from one peer to the other while capturing the data as well.
▪ Component and endpoint exploitation is the means by which an attacker infiltrates a component of the IoT/M2M system (an endpoint, network element, application or module) and uses it to perform further exploits.
▪ Impersonation (spoofing) is the means by which an attacker who has compromised an identity can, through impersonation, send malicious traffic to victim endpoints or the network.
▪ Confidentiality compromise is the means by which the data being relayed can be altered by an attacker.
These threats can typically be addressed through established cryptographic mechanisms, the provisioning of strong identities and credentials that allow devices to authenticate into the network, and finally strong policies to effect the appropriate access controls. Because the IoT will not be a single-use, single-ownership “solution”, with the data sources and the platform on which data is consumed potentially in different ownership, managerial and connectivity domains, devices will be required to have equal and open access to a number of data consumers concurrently, while still retaining privacy and exclusivity of data where that is required between those consumers.
So we have seemingly competing, complex security requirements to be deployed on a platform with potentially limited resources:
• Authenticate to multiple networks securely.
• Ensure that data is available to multiple endpoints.
• Manage the contention between that data access.
• Manage privacy concerns between multiple consumers.
• Provide strong authentication and data protection (integrity and confidentiality) that cannot be compromised.
• Maintain availability of the data or the service.
We have to manage the existing issues that all network-attached devices must contend with, such as Denial of Service (DoS) attacks, transaction replays, and compromised identity through subscriber theft, device theft or compromised encryption keys. These issues have particular relevance in the IoT, where the availability of data is of paramount importance. For example, a critical industrial process may rely on accurate and timely temperature measurement: if that endpoint is undergoing a DoS attack, the process collection agent must recognize that, and be able either to source data from another location or to take evasive action. It must also be able to distinguish between loss of data due to an ongoing DoS attack and loss of the device due to a catastrophic event in the plant. This could be the difference between a safe shutdown and a major incident.
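The collection-agent behaviour described above (fail over to another source, and tell a jammed data path apart from a dead device) can be made concrete. The following is an added example, not code from the original post: it assumes a measurement point served by a primary sensor and a redundant backup on a different path, a freshness window for readings, and an out-of-band "path under attack" indication from the edge (for instance an interference or jamming alarm from the radio gateway); all names, thresholds and the timeline are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Operator actions per decision; constructed mapping, not prescribed by the post.
ACTIONS = {
    "ok": "continue normal operation",
    "failover": "continue on backup sensor, raise maintenance alert",
    "suspected_dos": "hold last safe state, alert security operations",
    "device_lost": "initiate safe shutdown of the process",
}


@dataclass
class Reading:
    value: float
    at: float  # seconds on a timeline supplied by the caller (keeps the example deterministic)


class MeasurementPoint:
    """Collection agent for one process variable (e.g. a vessel temperature).

    Hypothetical design: a primary sensor plus a backup that reports over a
    different path, so a single jammed link does not blind the agent."""

    def __init__(self, primary: str, backup: str, max_age_s: float):
        self.primary = primary
        self.backup = backup
        self.max_age_s = max_age_s  # a reading older than this is treated as lost
        self.latest: Dict[str, Reading] = {}

    def ingest(self, sensor_id: str, value: float, at: float) -> None:
        self.latest[sensor_id] = Reading(value, at)

    def _fresh(self, sensor_id: str, now: float) -> Optional[Reading]:
        r = self.latest.get(sensor_id)
        if r is not None and now - r.at <= self.max_age_s:
            return r
        return None

    def evaluate(self, now: float, path_under_attack: bool) -> Tuple[str, Optional[float]]:
        """Decide what the process should do at time `now`.

        `path_under_attack` is the assumed out-of-band signal from the edge; it is
        what lets the agent distinguish a DoS on the link from a dead device."""
        primary = self._fresh(self.primary, now)
        if primary is not None:
            return ("ok", primary.value)
        backup = self._fresh(self.backup, now)
        if backup is not None:
            return ("failover", backup.value)  # source data from another location
        if path_under_attack:
            return ("suspected_dos", None)  # data lost but the device is probably intact
        return ("device_lost", None)  # no data and no attack evidence: assume plant event


def run_scenario() -> List[Tuple[str, Optional[float]]]:
    """Constructed timeline exercising each branch; returns the decisions in order."""
    mp = MeasurementPoint(primary="TEMP-001", backup="TEMP-002", max_age_s=10.0)
    decisions = []
    # t=0: both sensors report normally.
    mp.ingest("TEMP-001", 21.5, at=0.0)
    mp.ingest("TEMP-002", 21.6, at=0.0)
    decisions.append(mp.evaluate(now=5.0, path_under_attack=False))
    # Primary goes silent; backup on the other path keeps reporting.
    mp.ingest("TEMP-002", 21.7, at=12.0)
    decisions.append(mp.evaluate(now=15.0, path_under_attack=True))
    # Both silent and the edge reports the radio path is being jammed.
    decisions.append(mp.evaluate(now=30.0, path_under_attack=True))
    # Both silent with no evidence of attack: treat as loss of the device.
    decisions.append(mp.evaluate(now=30.0, path_under_attack=False))
    return decisions


if __name__ == "__main__":
    for status, value in run_scenario():
        print(f"{status:14s} value={value} -> {ACTIONS[status]}")
```

The point of the out-of-band indicator is that the data stream alone cannot separate the two failure modes: silence looks the same whether the link is jammed or the sensor has melted. Whatever signal plays that role in a real deployment (a gateway interference alarm, a wired heartbeat, a second radio), it needs to travel on a path the attacker cannot jam along with the data.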
Authentication and authorization will require re-engineering to be appropriate for the IoT. Today’s strong encryption and authentication schemes are based on cryptographic suites such as the Advanced Encryption Standard (AES) for confidential data transport, Rivest-Shamir-Adleman (RSA) for digital signatures and key transport, and Diffie-Hellman (DH) for key agreement. While the protocols are robust, they make very high demands of the compute platform, resources that may not exist in all IoT-attached devices. These authentication and authorization protocols also require a degree of user intervention in terms of configuration and provisioning. However, many IoT devices will have limited accessibility; their initial configuration needs to be protected from tampering, theft and other forms of compromise between device build and installation, and also over the device’s usable life, which could be many years. In order to overcome these issues, new authentication schemes are required that allow for strong authentication to many domains while building on the experience of today’s strong encryption and authentication algorithms.
The good news is that new technologies and algorithms are being worked on. For example, NIST has recently chosen the algorithm for SHA-3. According to NIST, the compact nature of the new SHA-3 could make it “useful for so-called ‘embedded’ or smart devices that connect to electronic networks but are not themselves full-fledged computers”. Other elements of security that could be considered include strong authentication between the device and the network attachment point (such as through digital authentication at the MAC layer), application of geographic location and privacy levels to data, strong identities, strengthening of other network-centric methods such as the Domain Name System (DNS) with DNSSEC and the Dynamic Host Configuration Protocol (DHCP) to prevent attacks, and adoption of other protocols that are more tolerant of delay or transient connectivity (such as Delay Tolerant Networks).
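To tie the threat list above (MITM, spoofing, altered data, replay) to the point just made about authentication schemes that fit a constrained endpoint, here is an added example that is not part of the original post. It uses a symmetric, hash-based scheme (HMAC over SHA3-256, chosen only because the post singles out SHA-3 as suitable for embedded devices; it is not a scheme the post prescribes): the provisioning system derives a unique key per device from a factory master key and the device identity, the sensor keeps only its own key and a monotonic counter, and the collector re-derives the key to verify each report. Device IDs, the wire format and the readings are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Factory master key: held by the provisioning system and the collector only,
# never stored on a sensor.  Constructed here; a real deployment keeps it in an HSM.
MASTER_KEY = secrets.token_bytes(32)

WIRE = "!8sIi"  # 8-byte device id | 4-byte counter | 4-byte reading (milli-degrees)
HEADER_LEN = struct.calcsize(WIRE)
TAG_LEN = 32


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Key diversification: each sensor gets its own key, so a key lifted from
    one stolen device does not let an attacker speak for any other device."""
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha3_256).digest()


class Sensor:
    """A constrained endpoint: holds only its own key and a monotonic counter."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def report(self, reading_milli: int) -> bytes:
        self.counter += 1  # counter gives every report a unique, ordered identity
        header = struct.pack(WIRE, self.device_id, self.counter, reading_milli)
        tag = hmac.new(self.key, header, hashlib.sha3_256).digest()
        return header + tag


class Collector:
    """Aggregation point: re-derives device keys and rejects tampered, spoofed
    and replayed reports before any reading reaches the process."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_counter = {}  # device_id -> highest counter accepted

    def accept(self, msg: bytes):
        """Return (status, reading); status is 'ok', 'malformed', 'bad_tag' or 'replay'."""
        if len(msg) != HEADER_LEN + TAG_LEN:
            return ("malformed", None)
        header, tag = msg[:HEADER_LEN], msg[HEADER_LEN:]
        device_id, counter, reading = struct.unpack(WIRE, header)
        key = derive_device_key(self.master_key, device_id)
        expected = hmac.new(key, header, hashlib.sha3_256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("bad_tag", None)  # altered in transit, or sent with the wrong key
        if counter <= self.last_counter.get(device_id, 0):
            return ("replay", None)  # already seen: a captured report being resent
        self.last_counter[device_id] = counter
        return ("ok", reading)


def demo() -> dict:
    """Run genuine, replayed, tampered and spoofed reports through one collector."""
    dev_id = b"TEMP-001"
    sensor = Sensor(dev_id, derive_device_key(MASTER_KEY, dev_id))
    collector = Collector(MASTER_KEY)
    results = {}
    msg = sensor.report(21500)  # 21.500 C
    results["genuine"] = collector.accept(msg)
    results["replay"] = collector.accept(msg)  # same bytes delivered again
    # MITM rewrites the reading field (bytes 12..15) while relaying the report.
    tampered = bytearray(sensor.report(21500))
    tampered[12:16] = struct.pack("!i", 95000)
    results["tampered"] = collector.accept(bytes(tampered))
    # Spoofing: someone holding TEMP-001's key claims to be TEMP-002.
    imposter = Sensor(b"TEMP-002", sensor.key)
    results["spoofed"] = collector.accept(imposter.report(21500))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

Note what this does and does not cover: the tag gives integrity and origin authentication and the counter defeats replay, with nothing heavier than a hash on the endpoint, but the reading itself travels in the clear. Where confidentiality is also required the same per-device key structure can carry an authenticated-encryption mode, and the counter doubles as the nonce, which is why it must never repeat or go backwards across a device reboot.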
In my next blog, I will propose an IoT Secure Framework for consideration as you prepare for the implementation of IoT/M2M in your environments.