IoT Security: How to Protect your IoT Systems
IoT is transforming the way we live and work. In fact, you might already be familiar with how industries are being transformed to take advantage of embedded technologies and their benefits – but how much do you know about IoT Security and how to protect your IoT Systems? Join us in today’s article to find out!
Table of Contents
- IoT Security & Its Importance
- How IoT Security is Generally Achieved
- Common IoT Security Models
- Using Trusted & Secure Software
- Using Secure Hardware
IoT Security & Its Importance
The Internet of Things, or IoT, represents a hyperconnected network of embedded devices that are able to exchange data on an incredible rate and scale. However, it is the same interconnectedness that makes IoT systems particularly vulnerable to cyber attacks, especially with regards to data security, since even a single device is sufficient as an entry point to infiltrate the larger network. Given that IoT devices were not built with security in mind, the risk of cyber-attacks is higher now than ever.
A breach of IoT security can have numerous drastic consequences. For one, the IoT system may perform erroneously or become disabled, causing the operations that are supported by it to fail. In critical industrial control systems where IoT devices are used as failsafes, this can represent severe safety implications and significant downtime costs. In addition, sensitive data may be exposed, which can harm both individuals and businesses alike.
These are just a few examples of what may happen in the event of an IoT security breach! Therefore, IoT security is a major concern when it comes to developing practical and robust IoT solutions. Read on to find out how we can achieve it!
An Overview of IoT Security
The field of IoT security (and cybersecurity in general) is becoming increasingly recognised for the unique set of challenges that it brings. Nonetheless, the best and most common method of securing IoT networks is through IoT authentication.
What is IoT authentication? Well, it’s a model for building trust in the IoT network through the following control measures:
- Verify the identity of IoT devices connected to the network
- Only allow communications to and from authorised devices
- Restrict network control access from IoT devices that do not require it
With these measures, we can ensure that there are no foreign or fraudulent devices in our network. Furthermore, even in the event of an infiltration, attackers would not be able to tamper with the system through unauthorised communications or network controls.
IoT Authentication Models
Now that we know what IoT security aims to achieve, it is good to know that there are several protocols or tools that are commonly used for IoT authentication. Ultimately, choosing an IoT authentication protocol depends on several factors, such as your resources, hardware capacity, budget, security expertise, requirements, and method of connectivity. Nonetheless, here are some choices to get you started.
Symmetric Key Certification is the most simple and common way to authenticate a device with a Device Provisioning Service such as an IoT hub. To connect or communicate, the device has to produce a Shared Access Signature (SAS) token, which is created using a symmetric key. This token is then verified against the same key held by the Device Provisioning Service for authentication.
Symmetric Keys are the easiest way to get your IoT devices connected to the cloud, and are especially useful for older devices with limited security features. However, they are also considered to be less secure since the same key is shared between the device and the cloud, which increases opportunities for cyber attacks. Thus, while Symmetric Keys are a great introduction to IoT security for beginners, a stronger authentication protocol is recommended when scaling to production or deployment.
Asymmetric authentication follows a similar principle of operation as symmetric authentication, but with two different keys instead of one. One key is known as the public key, which is made freely available for any device to encrypt messages. On the other hand, the private key (or secret key) is only held by authorised devices to decrypt said messages.
While the clear advantage of asymmetric authentication is improved security, the encryption and decryption processes are more resource intensive due to the large size of the keys. Hence, when provisioning asymmetric authentication for edge devices like microcontrollers that have limited resources, additional consideration may be required.
The X.509 protocol is the most secure method of IoT authentication. Based on the certificate chain of trust model, X.509 certificates authenticate devices that are linked in a chain. In the authentication process, the chain is traversed to certify if it has been issued from a trusted Root Certificate Authority (Root CA). If the Root CA is not found, authentication fails and the connection request is refused.
While X.509 is the most secure option that is easily scalable for production or equipment delivery, it requires a significant amount of management control. Hence, this IoT authentication method is typically outsourced to vendors (eg. KeyFactor), which can represent higher costs for your solution. Hence, X.509 is often employed only when there is a strict security requirement to be met.
Hardware Security Modules
Hardware Security Modules, or HSMs, are specialised hardware for storing authentication strings such as X.509 certificates or SAS tokens. They are designed to be tamper proof, so that attackers will not be able to extract the keys they store, even if they have the device in hand!
One popular HSM is the ATECC608, which is a crypto-authentication module from Microchip that employs ultra-secure hardware-based cryptographic key storage and cryptographic countermeasures which eliminate potential backdoors associated with software weaknesses.
Trusted Platform Modules
Trusted Platform Modules or TPMs are also hardware for authenticating device identities in an IoT network. They may be implemented as separate / embedded hardware or in firmware / software, and have the following features:
- Store certificates & keys securely
- Secure device boot-up
- Establish the Root of Trust
- Verify device identity
TPMs are typically implemented at various points along a supply chain, to verify that the devices in the chain have not been tampered with. They are considered to be more secure than Symmetric Authentication, but can be difficult to develop and may even require hardware to be redesigned.
TPMs vs HSMs
While TPMs sound quite similar to the HSMs that we discussed previously, there are actually a few key differences between them. In essence, TPMs are built in and verify that the platforms they are on remain authentic and untampered with. On the other hand, HSMs are additional secure hardware for securely storing authentication keys.
Some additional differences are highlighted below!
Use Secure Software
Apart from authentication protocols and hardware, the software on our IoT devices is just as important! In fact, one convenient yet effective way to keep our IoT networks secure is to use frameworks from trusted IoT cloud providers like Amazon & Microsoft!
AWS IoT Greengrass
AWS IoT Greengrass is an IoT open source edge runtime and cloud service from Amazon. It allows you to quickly and easily build device software for your IoT devices regardless of application, and even run machine learning on the edge! AWS IoT Greengrass features built in authentication and encryption for device data, for both local and cloud communications. Furthermore, Amazon offers hardware-secured end-to-end encryption for messages sent between Greengrass Core and AWS cloud!
Read more about AWS IoT Greengrass on their official site.
Microsoft’s Azure Sphere is a comprehensive IoT security solution which covers hardware, OS, and cloud components. Azure Sphere features a number of in-depth security features, such as the Azure Sphere OS that adds protection and security updates for your IoT devices. In addition, the Azure Sphere Security Service maintains trust in device-to-cloud communication and is capable of detecting threats, while also renewing IoT device security frequently to reduce attack vulnerability.
Read more about Azure Sphere on their official site.
Choose IoT Secure Hardware
To make it easier to develop robust IoT security in your networks, it’s definitely a good choice to select hardware that suits your needs. This will provide significant security advantages over using legacy devices, while making it easier to interface with cloud platforms in a secure manner. Here are some of my IoT security oriented device recommendations to get you started.
The Seeeduino Crypto is based on the high-performance ATmega4809 and features the Microchip ECC608 crypto chip which enables encrypted communication protocols such as I2C encryption. It comes in the familiar form factor of the Seeeduino V4.2 and Arduino Uno, featuring a wealth of interfaces like GPIO, PWM and Grove. Take advantage of the Seeeduino Crypto to build secure IoT solutions today!
- High-performance ATmega4809 microcontroller
- High-security ECC608 Cryptographic Chip, supports SHA-256 & HMAC Hash / AES-128
- 2 Grove I2C + 1 Grove UART for Easy, Modular Prototyping
- Type C Power Supply + Data Transmission
To learn more about the Seeeduino Crypto, visit its product page on the Seeed Online Store!
Seeed MT3620 Dev Board
For a more heavyweight solution, consider the Seeed MT3620 Dev Board, which has been developed specifically to be highly compatible with Microsoft Azure Sphere! It is part of a special class of Azure Sphere certified MCUs, featuring a built-in security subsystem with its own dedicated CM4F core for secure boot and system operation, along with dual-band WiFi.
- Azure Sphere: End-to-end security for IoT devices
- Dual-band 802.11 b/g/n with antenna diversity
- Tri-core microcontroller with on-chip RAM & flash
- Microsoft Visual Studio development environment
- Online authentication & updates for device lifetime
The Seeed MT3620 Dev Board also comes in a Mini Version as well as an Azure Sphere Grove Starter Kit (Mini Version).
Don’t miss out and get started with the Seeed MT3620 Dev Board today!
News: Armv9 Architecture to Bring Improvements to AI & Security
In March 2021, Arm announced the new Armv9, which is the first update to the Arm architecture in almost a decade. Amongst the planned changes, the new Arm Confidential Compute Architecture (CCA) is bringing advanced security features to all computers running chipsets on the Arm architecture. The CCA is a type of TPM that aims to bring hardware-secure environments as standard to Arm, which will allow data to be encrypted and protected with greater robustness against external vulnerabilities.
To read the official press release from Arm, visit their newsroom site here.
Summary & More Resources
As IoT systems become an increasingly important part of the way we live and industries work, we must take care to pay more attention to IoT security. I hope that today’s article has provided a better insight on various ways that IoT security can be achieved to help us build more robust networks of IoT devices!
If you would like to learn more about IoT, IoT security and encryption, you may wish to visit the following links: