Security in IoT has often been listed as a development priority but then postponed or neglected with negative consequences. Traditional approaches to securing devices are too inflexible, too expensive or too complex to integrate to meet the timescale and volume needs of IoT enterprises.
Thales’ Stephane Quetglas recently sat down with George Malim from IoT Now to discuss this changing landscape and how the GSMA’s IoT SAFE initiative gives IoT enterprises an alternative: a standardised method for securing IoT devices.
Read on for part one of the interview below:
What are the challenges of addressing the sheer volume of IoT attacks?
We’ve seen the attacks on IoT devices and services for more than ten years and IoT security remains a significant concern for us. There have been some substantial disruptions caused by security and the situation has not improved much over the years because there are more and more companies wanting to connect their devices and to deliver more value and have more mobile services.
Companies have started to put functionality and the service itself at the top of their list and not the security. This is because they haven’t been sufficiently aware of the security issues that exist and the additional security issues that exist when you connect a device to a network.
The scale of IoT is enormous and is well beyond the availability of skilled security experts in the industry so companies tend to forget about security or use very simple methods such as log-in passwords. When you use passwords and don’t pay attention to them, you risk having a password that is too simple or shared across devices, making all of them vulnerable at once.
The main barriers come down to a shortage of security skills and the cost of implementing security in IoT. Implementing security has a cost and, whatever the device, it is important to diversify the secure credentials that you deploy in the device. This is so that if a device is attacked, other devices are not vulnerable to risk, but this process is costly.
The other big reason that implementing security in the proper manner is very costly is the need for solutions that address both the level of security required and the level of scalability needed. This is in the context of billions of IoT devices so the scale is huge and will be even larger in the context of the new generation of 5G and low power networks which are arriving and bringing an even greater number of connected devices.
In addition, there are use cases where there’s a need for securing the connectivity of the device to the IoT application and this relates to the value of data. Apps increasingly are deployed in the cloud and that means you need secure connections so you can sign data when you send it back and it can be verified. For example, in use cases in the energy, automotive or healthcare industries the value lies in the type of data that is exchanged, not in the fact that the platform is cloud-based.
In addition to public networks, in private networks you have use cases where the data circulating needs to be certified so it can be trusted. IoT in private networks such as at manufacturing sites relies on the ability for devices to sign data and prove it is genuine. There are more and more use cases emerging that require security in this way so scalability is essential.
How does the GSMA’s IoT SAFE initiative solve the issues by making use of the hardware’s tamper-resistant element?
The tamper-resistant element is the subscriber identification module (SIM) or embedded SIM (eSIM) already in use in connected cars, smart meters or container trackers. That’s the first element so the obvious choice is to build on what is already in the connected device. It is the first step to address scalability requirements because you don’t have to add another chip or element to your bill of materials (BOM).
The SIM and eSIM offer a very high level of security and have been used for many years so they are a perfect platform for a security solution. The second choice is to adopt an approach based on public key infrastructure (PKI) which provides a cryptographic method used for strong authentication between cloud and devices and data integrity. Typically, you might use this method on your computer to access online banking. The PKI technology allows you to distribute strong credentials in a secure and scalable manner, unlike a login/password.
The two main choices therefore come down to re-use of the field-proven tamper-resistant element that is the foundation of SIM and eSIM, with a PKI approach, which is very appropriate for addressing the security issues IoT faces. When done in a standardised manner like IoT SAFE, this is ideally suited to scale and manage large volumes of connected objects.
Highlights from part two of the interview can be found here, and to read the full interview with IoT Now you can visit here.