
Here is what companies are doing to secure the IIoT

IIoT security: critical importance, under-addressed

The industrial internet of things presents a cybersecurity concern on a scale we have never seen before. Its premise alone – making every “thing” around us connected to a network – is enough to conjure images of entire environments being taken over by cyber-attacks, and unthinkable amounts of private data in the hands of hackers. Nokia claims IoT security is under-addressed by the market, an alarming statement for a technology trend that is otherwise progressing rapidly. We have looked at blockchain as a possible solution, and in our article “Consideration and approaches to securing the IIoT,” we highlight a number of approaches to minimizing the risk associated with the deployment of an IoT solution. Now, we will take a look at the steps enterprises are taking to help keep the IIoT secure.

Nokia IMPACT and NetGuard

In June 2016, Nokia launched its Intelligent Management Platform for All Connected Things (IMPACT), which gives operators, enterprises and governments a security platform on which to scale new IoT services. According to Nokia, IMPACT addresses the increasing security requirements including network, cloud and end-point security. It also implements a lightweight M2M (LWM2M) security model for IoT device management.

source: Nokia

The company also released NetGuard Security Management Center, which it claims is the first all-in-one centralized security configuration.

The management center integrates all network security systems, regardless of vendor, to monitor security status and manage incidents, vulnerabilities, security policies and network access.

Intel and its multi-layered IoT security products

Intel offers several hardware and software products that have “end-to-end protection” across an IoT deployment. Intel claims its hardware and software security “creates a chain of trust, from ‘thing’ to network to cloud. Valuable data is safeguarded against theft and tampering, only trusted data is analyzed, and you can protect, detect and correct against attacks.”

source: Intel

Some of those products include:

  • McAfee Embedded Control
  • ePolicy Orchestrator
  • McAfee Enhanced Infrastructure Protection
  • Intel Enhanced Privacy Identity ID Digital Signature Technology – adopted by Microchip and Atmel to help improve interoperability in securing Internet of Things (IoT) solutions
  • Trusted Execution Environments (TEEs)

Microsoft securing the Azure cloud

The Microsoft Azure cloud supports more than one billion customers in 127 countries, according to Microsoft. The company’s Security Development Lifecycle (SDL) is coupled with other infrastructure-level security services like Microsoft Operational Security Assurance process and the Cyber Defense Operations Center.

source: Microsoft

Microsoft uses a dedicated “red team” of software security experts who simulate attacks, and test Azure to detect and protect against emerging threats, and recover from breaches.

“Azure systems provide continuous intrusion detection and prevention, service attack prevention, regular penetration testing, and forensic tools that help identify and mitigate threats.”

Multi-factor authentication for the cloud portal provides an extra layer of security for end users to access the network.

Here are the elements of security Microsoft offers for its IoT cloud:

  • Device security. The Azure IoT Suite secures devices by providing a unique identity key for each device, which the IoT infrastructure can use to communicate with the device while it’s operating.
  • Connection security. Connectivity between devices and Azure IoT Suite is secured using industry standard encryption technologies such as TLS using X.509 based certificates.
  • Cloud security. Azure IoT Suite helps keep data secure and provides flexibility to implement additional encryption and management of security keys. Azure IoT Suite uses Azure Active Directory (AAD) for user authentication and authorization to provide a policy-based authorization model for data in the cloud, enabling easy, auditable, reviewable access management. All security keys used by the IoT infrastructure are stored in the cloud in secure storage, and data can be stored in DB formats that enable you to define security levels.

IBM Watson IoT platform

IBM is a big backer of blockchain for its multi-domain Watson IoT solution. The company has also mapped out how the platform is able to keep clients’ data protected:

The browser-based GUI and REST APIs are fronted by HTTPS, with a certificate signed by DigiCert enabling you to trust that you’re connecting to the genuine Watson IoT platform.

  • GUI: authenticated via your IBM ID.
  • REST API: once you create an API key through the GUI, you can use this to make authenticated REST calls against your organization.
source: IBM

When devices are registered or API keys are generated, the authentication token is salted and hashed. IBM says this means your organization’s credentials can never be recovered from its systems – even in the unlikely event that the Watson IoT platform is compromised.

  • Device credentials and API keys can be individually revoked if they are compromised.
  • Devices connect through a unique combination of clientId and authentication token that only you know.
  • Full support for connectivity over TLS (v1.2) is provided.
  • Open standards are used (MQTT v3.1.1) to allow easy interop across many platforms and languages.
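The salted-and-hashed token storage and per-credential revocation described above can be sketched as follows. This is an added example, not IBM's code: the `CredentialStore` class, the PBKDF2 work factor and the sample clientId values are assumptions, since the page does not name the algorithm IBM uses.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor; the page does not name the algorithm


class CredentialStore:
    """Hypothetical store: keeps only salt + hash per clientId, never the token."""

    def __init__(self):
        self._records = {}  # clientId -> {"salt", "hash", "revoked"}

    @staticmethod
    def _digest(token: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)

    def register(self, client_id: str) -> str:
        """Create a credential; the token is returned once and is not stored."""
        if client_id in self._records:
            raise ValueError(f"{client_id} is already registered")
        token = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)  # unique salt per credential
        self._records[client_id] = {
            "salt": salt, "hash": self._digest(token, salt), "revoked": False}
        return token

    def verify(self, client_id: str, token: str) -> bool:
        rec = self._records.get(client_id)
        # Hash even for unknown ids so response time does not reveal which exist.
        candidate = self._digest(token, rec["salt"] if rec else b"\x00" * 16)
        if rec is None or rec["revoked"]:
            return False
        return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

    def revoke(self, client_id: str) -> None:
        """Disable one credential without touching any other device."""
        self._records[client_id]["revoked"] = True


if __name__ == "__main__":
    store = CredentialStore()
    pump = "d:exampleorg:sensor:pump-01"  # constructed sample clientId
    token = store.register(pump)
    print("valid token accepted:", store.verify(pump, token))
    store.revoke(pump)
    print("accepted after revoke:", store.verify(pump, token))
```

Because only the salt and the derived hash are kept, a copy of the store does not yield a usable token, and revoking one clientId leaves every other device's credential valid.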

Cisco Security Solutions for the IoT-Connected Network

Cisco says the IoT has the potential to bring together every aspect of different networks; therefore, cyber and physical security solutions must also work together to produce comprehensive, actionable security intelligence in real time.

Cisco solutions include:

  • Cloud-based threat analysis and advanced malware protection
  • Network and perimeter cyber security solutions
  • Physical safety and security solutions
  • IP-based dispatch and incident response

Companies dedicated to IoT security

There are also a number of companies making software specifically for IoT security. Bastille claims to be “The first and only company to completely secure the [IoT] enterprise by identifying airborne threats and allowing for preemptive response.” In February 2016, the company was behind the research that broke MouseJack and KeySniffer, discovering the vulnerabilities present in millions of wireless consumer keyboards and mice.

Other IoT security software companies include the well-established security company Symantec and newcomer ZingBox.
