Energy versus security–the IoT tradeoff
Enterprises harnessing the IoT will need to strike a careful balance between security and power consumption
Amid all the buzz about the arrival of low power wide area (LPWA) connectivity and IoT devices that can function for a decade on a single battery charge, there is an elephant in the room. Maintaining internet of things security will need energy.
In simple terms, each layer of security increases the processing and power requirements of a connected device, adding to its complexity and reducing its battery life. Sending and receiving security-related traffic across a network consumes energy, as does processing network and application layer cryptography and installing security patches. In other words, security can be expensive, both directly in terms of the cost of the necessary software and hardware, and indirectly in terms of energy consumption.
That’s a problem: Low energy consumption and low maintenance costs are a prerequisite for the many industrial IoT applications, such as smart metering, smart supply chains, and smart parking, that rely on the deployment of large numbers of connected sensors in inaccessible locations. If batteries need to be replaced every year, instead of every five years, the cost of such applications will spiral.
Of course, the energy and maintenance overhead needs to be weighed against the potential financial impact of security breaches. Juniper Research has predicted the total cost of data breaches will soar to $2.1 trillion globally by 2019 – almost four times the estimated cost of breaches in 2015. Some 68% of the 500 companies participating in AT&T’s CyberSecurity Insights study, conducted in October 2015, said they planned to invest in IoT security in 2016.
When the chips are secure
Given the size of the internet of things security elephant, it is not surprising that players across the IoT value chain are scrambling to parade the security credentials of their solutions. A case in point is ARM, which licenses semiconductor designs and intellectual property that chip makers can use to make the microcontrollers and wireless connectivity chips employed by IoT devices. ARM has made a series of acquisitions to beef up its security expertise. For example, in July 2015, it acquired Israel-based Sansa Security, a provider of hardware security IP and software for system-on-chip components for the IoT and mobile devices.
ARM says it is now introducing new processors designed for microcontrollers and smart sensors that will help secure data inside tiny chips costing less than $1 apiece. Indeed, U.K.-based ARM claims its new mbed operating system for IoT devices provides “banking-class end-to-end IP security across the communication channels through TLS & DTLS” in “energy constrained environments.” ARM reckons its chip designs accounted for 25% of the microcontroller market in 2015 and 60% of the wireless connectivity chip market. One of its main rivals, Intel, is also touting the advantages of chip-level security embedded in the hardware, noting that there is little capacity on a typical IoT device for running security software.
Indeed, chip designers could hold the key to making IoT security more affordable: If security features can be integrated as much as possible into the hardware that should reduce the amount of work that needs to be done by software, helping to minimise the power and cost overhead.
Telcos play the security card
At the other end of the value chain, AT&T and other leading telcos are highlighting the security advantages of using cellular networks in licensed spectrum to connect IoT devices. They point to the benefits of having a SIM card authenticate the device on the network, such as being able to remotely bar devices, where necessary. Without a secure link, IoT applications may be more vulnerable to attacks, such as spoofing, where a fraudulent end device injects false data into the network or a fraudulent access point hijacks the data captured by a device.
But embedding a SIM card in each connected device has power and cost implications. For some applications, authentication may have to be carried out by a local gateway connected to a power supply, rather than at an individual device level. In a recent report positioning the “mobile IoT” as the “trusted IoT”, the trade group the GSMA outlined the various options: “Mobile operators can use very compact removable or embedded SIM cards, either in individual modules or in gateways, to securely provision and store device identity and credentials, and to authenticate devices connecting to the network and ensure they are legitimate.” Some carriers also hope that enterprises will pay for data analytics services designed to spot unusual patterns of behaviour on their networks that can indicate a problem or a security threat.
Although real-time data analytics, together with the ongoing integration of security features into hardware, should help to lower the cost of internet of things security, they won’t provide a panacea. Some sensitive IoT applications, such as solutions that automate the control of city infrastructure or factories, will require multiple layers of security involving cryptography and regular bursts of data traffic. Those requirements could be difficult to meet given the energy, bandwidth, processing power and memory constraints within a typical LPWA device. In other words, enterprises need to be aware that the price of a decade-long battery life may be greater vulnerability.