Securing data for the IoT: A best practice guide
With billions of new connections expected in the next decade, it has never been more important to design solutions for trust. Fears about security are a major barrier to the adoption of IoT solutions. The potential to disrupt or even close-down operations, to steal personal or financial data, and peek at industrial secrets and intellectual property pose an ever-present danger. Fortunately, it is becoming easier than ever to build robust security into IoT applications, right from the start.
In the early days of the IoT, security was an afterthought: time to market considerations were paramount. But the sheer pace and complexity of IoT growth – coupled with the increasing agility and ingenuity of cybercriminals – has highlighted the pivotal role of security.
When HP Labs carried out a study of popular IoT devices in 2014, it found that their security was appalling. This analysis of ten devices scrutinised end-to-end security capabilities including privacy protection, authorisation, encryption, user interface protection, and code security. Around 70% of the devices revealed one or more significant vulnerabilities. In total, more than 250 vulnerabilities were found - an average of 25 per device.
Security requirements in the Internet of Things – from Cloud Adoptions Practices & Priorities Survey Report (2015)
Further high-profile reports have identified potentially dangerous vulnerabilities and exploits in IoT devices from baby monitors and consumer wearables, to internet-connected vehicles and medical equipment. Poor security in any device could potentially compromise anything that it is connected to: including industrial facilities, government and financial organisations, data centres and network infrastructure. Security needs to be built in from the start.
Fortunately, designers do not have to compromise time-to-market in order to integrate robust security standards into new devices. Turnkey hardware solutions allow security to be built-in at the start of a new design. A further advantage is that new designs can be brought to market without the need to invest in extensive security expertise. Host software libraries, demonstration and prototyping tools take care of that. Secure elements such as STSAFE-A from STMicro and Gemalto’s Cinterion are prime examples of this approach.
The STSAFE-A100 is a highly secure solution that acts as a secure element providing authentication and data management services to a local or remote host. It consists of a full turnkey IC solution with a secure operating system running on the latest generation of secure microcontrollers. Certification to Common Criteria EAL5+ provides banking-level security meeting industry standards.
This smart solution acts as a secure element providing authentication and data management services to a local or remote host. When used in an IoT device, it connects to the local host via its I2C-bus slave interface, enabling transmission up to 400 Kbps with true open-drain pads and 7-bit addressing. The ST security chip authenticates to a remote host using the local host as a pass-through to the remote server.
The secure element proves to remote or local hosts that a certain peripheral or IoT device is legitimate. Manufacturers can therefore control which peripherals are permissible for use in conjunction with the original equipment. Secure elements can also be used by service providers in order to ensure that specific services are only provided to IoT devices that are allowed to use them.
Secure IoT development is accelerated by secure elements with host software libraries, demonstration and prototyping tools
Authentication is secured using advanced asymmetric cryptography, and digital signatures are generated utilising elliptic curve digital signature algorithm (ECDSA) schemes with SHA-256 and SHA-384. The secure element is also compatible with USB Type-C authentication.
Communication with remote host is secured via Transport Layer Security (TLS) handshaking. Secure elements furthermore support the secure update of local hosts. With STSAFE, firmware updates benefit from its signature verification capabilities. Using public keys provided by the local host offloads the task from local application processors that have limited computing power and no ECC accelerator.
Where it is necessary to secure the exchange of sensitive information with the local host over via I2C port, a secure channel can be set up based on AES-128-bit keys. Secure elements like the STSAFE-A100 can also be used to encrypt or decrypt data between the remote host and the local host.
Security with lifecycle management
Secure elements can be integrated with a comprehensive end-to-end security ecosystem that runs from IoT ‘things’ to complete infrastructures. This concept is exemplified by Gemalto’s Cinterion Secure Element - a tamper resistant hardware component that can be embedded in IoT and industrial connected equipment and machines to deliver smartcard-level digital security and device lifecycle management.
Smart card level security ensures that data is stored in a safe place and access is granted only to authorised applications and people. The secure element component enables secure over-the-air management of security credentials as well as software updates across the lifecycle of solutions. This offers an added layer of protection for a variety of applications and represents a powerful key to help secure the entire IoT ecosystem.
Security at this level does not work as an afterthought. It must be incorporated from the ground up at the start of new development projects. The Cinterion Secure Element provides for this, combining flexibility with high levels of security. Built on a “Security by Design” approach along with a suite of M2M optimised solutions including the secure element, this turnkey solution provides end-to-end protection from the edge to the core
Solutions for application, data network and virtual machine encryption, signature management, cloud data security and enterprise key management are complemented by hardware security modules (HSMs) - dedicated crypto processors specifically designed for the protection of the crypto key lifecycle. These provide reliable protection for transactions, identities, and applications by securing cryptographic keys and provisioning encryption, decryption, authentication, and digital signing services.
SafeNet hardware security modules enable cryptographic operations to be offloaded to a dedicated cryptographic processor that eliminates bottlenecks and maximises application performance. Users can centralise lifecycle management of cryptographic keys – from generation, distribution, rotation, storage, termination, and archival – in a purpose-built, highly secure appliance
From secure element components and software, through to comprehensive hardware security modules, solutions like, these provide security and trust for all types of connected objects. Building security in from the outset is the only way to make the IoT safe and secure.
Interested in hearing industry leaders discuss subjects like this and sharing their IoT use-cases? Attend the IoT Tech Expo World Series events with upcoming shows in Silicon Valley, London and Amsterdam to learn more.
- » Australia releases a draft code of practice for IoT cybersecurity
- » Maersk invests in Danish networking startup Onomondo
- » tado's first SaaS product speeds-up heating repairs while reducing carbon
- » How the IoT will save lives: Applying IoT technology to emergency communications
- » IoT Security Foundation launch certification scheme ahead of potential laws