IoT Security – you are in control!
Russell Doty, Technology Product Manager, Red Hat
The Industrial Internet of Things (IoT) is revolutionising how sensors and controllers are made and connected. The devices are becoming more capable and more intelligent. Using a network interface instead of direct hardwired connections for connecting the devices greatly simplifies installation and expansion of systems.
These new capabilities and features also come with new security concerns. Consider one vital fact: anything that can connect to a network is a computer. Computers are flexible, general purpose devices that can be modified – for good or for evil. And any connection to the network is an entry point into the network. If you network strategy is built around perimeter security, each IoT device is effectively punching a hole in your security.
First the good news: the Internet of Things can be secured. The technology exists to build a robust, secure, effective and powerful IoT. Digital signatures for software and systems, encrypted communications and storage, robust authentication, secure software development practices – the tools are available for everyone to use.
Next, the bad news: many IoT implementations are insecure. With the pressure to achieve a short time to market, a rich set of features, and greatest ease of use, security may take a back seat.
There are several things you can do to build a secure IoT:
• Make security part of your requirements – and part of your purchase decision. Do not purchase systems or components unless they include robust security. If buyers make security a requirement – a real requirement that gates buying, not a goal that can be over-ridden – IoT suppliers will deliver secure products.
• For Industrial IoT consider the long installed life of these systems. Many Industrial IoT systems will be in use for 10, 20 or 30 years. This long life has several implications:
- It must be possible to update all software on all devices. The vendor must provide a mechanism to securely update software while preventing unauthorised modifications. The updates should be done over the network – for Industrial IoT devices it isn’t feasible to physically update the devices; there may be hundreds or thousands of devices, many installed in inaccessible or hostile locations.
- The vendor must have a commitment to deliver updates. A long life device will need updates for security issues, bug fixes, and perhaps new features. With consumer IoT devices, which commonly have a very short product lifespan, it may be reasonable for a vendor to ship a new device rather than updating the software on existing devices. For Industrial IoT devices it is vital to select vendors that will maintain and update the software in their products.
- The vendor needs to support industry standards. This is especially critical for network interfaces – the IoT devices should support standard network interfaces and network protocols. This is challenging today because the technologies are quickly evolving. Wherever possible use open industry standards like Ethernet, WiFi, or Bluetooth.
• Carefully consider device identification, registration, and configuration. The greatest ease of use occurs when an IoT device can be powered on, recognized, and automatically configured into the network and the IoT system. This may be appropriate for consumer IoT devices, but carries risk for Industrial IoT. You need to be able to identify a new device, authenticate and validate the device, and then securely register it into your IoT environment. Secure identification, authentication and validation is especially critical for controllers which affect their environment. You don’t want “mystery devices” just showing up and automatically being added to your network!
• The Industrial IoT is not a “fire and forget” environment. You must monitor it – for performance, for correct results, for system and network integrity, and for security.
• You must actively manage the IoT. Devices and capabilities will be added, moved, updated, and removed. Hardware and software will fail. As you explore the expanded capabilities of an IoT system you will uncover new things to do with the distributed system and the data it produces. Plan for change and evolution in your system, because this will happen!
The future of the Industrial Internet of Things is under your control. The buying decisions you make will determine whether it is secure, robust, and flexible – or if it is driven by lowest initial price, biggest feature set, vendor lock-in, and ongoing security disasters. Choose wisely!