A Reference Architecture for the Internet of Things Security

The Internet of Things (IoT) has entered our lives and the lives of billions of people around the world. However, the growth in the number of connected devices is leading to increased security risks – from physical harm to people to downtime and equipment damage – this can even be pipelines, blast furnaces, and power plants. Because a number of such IoT facilities and systems have already been attacked and severely damaged, ensuring their protection comes to the fore.

Below in this blog post, we will cover;

• Introduction (What is IoT)
• What does IoT Protection Consist of?
• The Evolution of the Paradigm
• Security of Communication. Enhanced Trust Model for IoT
• Device Protection. IoT Program Code Protection
• Device Protection. Effective Host Protection for IoT
• Summary

Introduction

In everyday life, when we talk about IoT, we usually mean light bulbs, heaters, refrigerators and other home appliances which can be controlled via the Internet. In fact, the IoT topic is much wider. By the Internet of Things, we primarily mean area network connected by cars, TV sets, surveillance cameras, robotic production, intelligent medical equipment, power supply networks and countless industrial control systems (turbines, valves, server drives, etc.).

Fortunately, the security of IoT can be built on a foundation of four cornerstones:

1. Communication security
2. Device protection
3. Device control
4. Network communication control

This foundation can be used to create a powerful and easy-to-deploy security system that can mitigate most security threats to the Internet of Things, including targeted attacks.

In this article, I will describe four fundamental directions, their purpose, and strategies for easy and effective implementation. I will try to provide some examples and basic recommendations that apply to all the areas, including the automotive industry, energy, manufacturing, healthcare, financial services, the public sector, retail, logistics, aviation, consumer goods and a few more.

So what are these four cornerstones?

What does IoT Protection Consist of?

#1 Communication security.

The communication channel must be protected by encryption and authentication technologies so that the devices know if they can trust the remote system. It’s great that new cryptographic technologies like ECC (Elliptic Curve Cryptography) work ten times better than their predecessors in low-power IoT 8-bit 8 MHz chips.

Equally important here is key management to verify the authenticity of the data and the reliability of the data channels. Leading CAs have already built “device certifications” into more than a billion IoT devices, providing the ability to authenticate a wide range of devices, including cellular base stations, TVs and more.

#2 Device security

Device protection is primarily about ensuring the security and integrity of program code. The topic of code security goes beyond the scope of this article, so let’s focus on integrity. Code-signing is required to confirm the legitimacy of its launch, and it is also necessary for the code protection during its execution, so that attackers do not overwrite it during the download.

Cryptographically code-signing guarantees that it has not been hacked after signing and is safe for the device. This can be implemented at the application and firmware levels and even on devices with a monolithic firmware image. All critical devices, whether they are sensors, controllers or something else, should be configured to run a signed code only.

Devices should be protected in the next stages after the code has already been launched. Host-based protection which provides hardening, system resource and file sharing, connection control, a sandbox, protection from intruders, behavioral and reputation-based protection, can help.

This long list of host protection features also includes blocking, logging and alerting for various IoT operating systems. Recently, many features have been adapted to IoT and are now well designed and tuned, also, they do not require cloud access and cautiously use computing resources of IoT devices.

#3 Device Control

Sadly, there will still be vulnerabilities in the IoT devices which will need to be patched, and this can happen for a long time after the equipment is handed over to the consumer. Even code that is obfuscated in critical systems is eventually rebuilt, and intruders may find vulnerabilities in it.

Nobody wants to, and often can’t, send their employees to every IoT device for a face-to-face visit to update the firmware, especially when it comes to, for example, a couple of trucks or a network of control sensors spread over 100s of kilometers. For this reason, “Over-the-Air Controllability” (OTA) must be integrated into the devices before they reach customers.

#4 Control of Network Interactions.

Some threats will be able to overcome any measures taken, no matter how well protected everything is. Therefore, it is extremely important to have the capabilities of security analysis in IoT. Security analytics systems can help you better understand your network, and detect suspicious, dangerous or malicious anomalies.

The Evolution of the Paradigm

According to It-Rate project, most IoT devices are “closed systems”. Customers will not be able to add security software after the devices leave the factory. Such interference will void the warranty and is often simply impossible. For this reason, security features must be built into the IoT devices to be safe in their architecture.

For most of the industries, this “internal security”, i.e. factory built-in, is a new way of providing security, as is the case with classic security technologies like encryption, authentication, integrity verification, intrusion prevention, and secure upgrade capabilities.

Given the close relationship between hardware and software in the IoT model, it is sometimes easier for security software to leverage hardware enhancements and create “external” layers of security.  It’s great that many chip manufacturers have already built security features into their hardware. But the hardware layer is just the first one required for comprehensive protection of communication and devices.

Comprehensive protection requires the integration of key management, host-based protection, OTA infrastructure, and security analytics, as we mentioned earlier. The absence of even one of the cornerstones in the security foundation will leave a wide margin of discretion for intruders.

Since the industrial Internet and IoT import network intelligence into physical things around us, we must be attentive to their security. Our lives depend on planes, trains, and vehicles that convey us, on healthcare infrastructure and civilian infrastructure that allows us to live and work.

It is easy to imagine how the illegal manipulation of traffic lights, medical equipment or countless other devices can lead to disastrous consequences. It is also clear that ordinary citizens and IoT customers do not want strangers to break into their homes or cars, or be harmed by someone else’s failure at automated industrial facilities.

In this case, I will try to offer recommendations that will form a holistic safety framework for IoT while making it both effective and easy to implement.

Communication Security

The enhanced trust model for IoT Encryption, authentication and manageability are always the foundation of sustainable security. There are excellent open source libraries that encrypt even IoT devices with limited computing resources. But unfortunately, most companies are still exposed to dangerous risks, making mistakes in key management for IoT.

$4 billion worth of transactions per day in e-commerce is protected by a simple and reliable trust model that serves billions of users and more than a million companies around the world. This model of trust helps systems to securely authenticate other companies’ systems and interact with them over encrypted communication channels.

The trust model is now a critical factor in secure communication in computer environments and is based on a very short list of trusted CAs. These same CAs deploy certificates to billions of devices each year. Device certificates allow, for example, the authentication of smartphones for secure connection to base stations, smart meters for the power industry, as well as extensions in the cable TV industry.

Reliable CAs allow you to easily and securely generate, issue, register, monitor and revoke certificates, keys, and credentials that are critical for secure authentication. Given the realizable volume of security certificates for IoT, most device certificates are sold in long runs for a very modest amount of money per unit (talking about 10s of cents per certificate).

Why does authentication matter? It is dangerous to accept data from unapproved devices or services. Such data can damage or compromise the system, provide criminals with control of the equipment. Using reliable authentication to limit unwanted connections helps protect IoT systems from such dangers and maintain control over your devices and services. Whether the device is connecting to another one or communicating with a remote service, like cloud, communication should always be protected.

All communications require reliable authentication and mutual trust. For these reasons, savings on device certificates are controversial. Fortunately, many standards have been developed to make it easy for you and me to deploy reliable authentication across the entire communication chain.

Standards exist for certificate formats, and reliable certification authorities support both standard and custom formats. In most cases, certificates can be easily managed remotely (OTA) using standard protocols such as Simple Certificate Enrollment Protocol (SCEP), Enrollment over Secure Transport (EST) and Online Certificate Status Protocol (OCSP).

With a reliable certificate authority that can handle certificates, keys, and credentials, actual authentication can be done using powerful Transport Layer Security (TLS) and Datagram TLS (DTLS) – related SSL standards.

Mutual authentication, where both endpoints are verifying each other, is critical to the security of IoT systems. For an additional bonus, once TLS or DTLS authentication has been performed, the two endpoints can exchange encryption keys or receive them to exchange data that cannot be decrypted by listening devices.

Many IoT applications require absolute data privacy, a requirement that is easily met with TLS/DTLS certificates and protocols. However, when confidentiality is not a mandatory requirement, the authenticity of transmitted data can be verified by any party if it was signed at the time of its appearance on the sensor. This approach does not burden the channel with encryption which is preferable in multi-hop architectures.

Questions often arise regarding the cost and performance of IoT chips for cryptographic operations. One thing to bear in mind here is that Elliptic Curve Cryptography (ECC) is 10 times faster and more efficient than traditional encryption, even on computationally limited devices.

The speed and efficiency are achieved without compromising security. The ECC has even demonstrated an industry best practice equivalent to RSA 2048, including extremely resource-constrained chips – on 8-bit 1-MHz processors and 32-bit 1-KHz processors while consuming only microwatts of power. DTLS, the TLS variant was developed specifically for low-power devices that operate periodically between sleep cycles.

Finally, the price of such 32-bit chips is only a few 10s of cents, so the price or power of the chips will not be used as an argument to reduce the protection requirements below reasonable thresholds when security matters. Due to the factors described, the following key length recommendations are offered for IoT authentication where security is important:

• Minimum 224-bit ECC for 256-bit and 384-bit end-use certificates;
• Minimum 256-bit ECC for 384-bit root certificates.

Today we can’t imagine the inconvenience of manually installing certificates in our browsers for each web server. At the same time, we can’t imagine the damage, in case we blindly believe any certificate. That’s why each browser has several roots of trust against which all certificates are verified. The embedding of these roots in browsers has made it possible to scale the protection to millions of servers on the Internet. As billions of devices become online every year, it is equally important that both the roots and the device certificate are embedded into the devices.

Data related to IoT must be stored securely at all times. Our lives often depend more on the correctness, integrity and proper functioning of these systems than on data privacy. Verifying the authenticity of the information, devices and the origin of information can be crucial.

Data is often stored, cached and processed by multiple nodes, rather than simply being transferred from point A to point B. For these reasons, data should always be signed at the time when it is first recorded and stored. This helps reduce the risk of any interference with the information.

Signing data objects, once they have been captured, and retransmitting the signature with the data even after they have been decrypted, is an increasingly common and successful practice.

Device Protection. IoT Program Code Protection

When turned on, each device loads and launches a specific executable code. It’s very important for us to make sure that the devices will only do what we have programmed them to do, and outsiders won’t be able to reprogram them for malicious behavior. The first step in protecting the devices is to protect the code so that only the one we need would load and run.

Fortunately, many manufacturers have already built secure loading capabilities into their chips. The same is true for high-level code – various time-tested open-source client libraries like OpenSSL can be used to check signatures and permissions from an authorized source only. As a result, signed firmware, boot images, and higher-level embedded code, including signed basic software components that include an operating system, are becoming increasingly common.

More and more often, there are not just signed application programs but the whole code on the device, in general, is met. This approach ensures that all critical components of IoT systems (sensors, mechanisms, controllers, and relays) are properly configured to run only the signed code and never an unsigned code.

It would be good practice to follow the principle of “never trust an unsigned code”. A logical continuation would be to “never trust unsigned data, let alone unsigned configuration data”. The use of modern signature verification tools and the proliferation of hardware implementations of secure downloads pose a serious challenge to many companies – key management and access control to the keys to sign the code and protect the embedded software.

Fortunately, some certification centers offer cloud services that make it easier, safer and more secure to administer code signing programs and guarantee strict control over who can sign code, revoke signatures, and how keys to sign and revoke are protected.

There are situations where software needs to be updated, for example, for security reasons, but the impact of updates on battery power needs to be considered. Data overwriting operations increase power consumption and shorten autonomous work of the device.

It becomes necessary to sign and update individual blocks or fragments of such updates, rather than whole monolithic images or binary files. Then, software, signed at the block or fragment level, can be updated with much finer granularity without sacrificing security or battery power. Hardware support is not necessary for this; such flexibility can be achieved from a pre-boot environment that can work on a variety of embedded devices.

If battery life is so important, why not just configure a device with fixed firmware that no one can change or update? Unfortunately, we have to assume that devices in field conditions are subject to reverse engineering for malicious purposes.

After the event, vulnerabilities are discovered and exploited that need to be patched as soon as possible. Obfuscation and code encryption can significantly slow down the process of reverse engineering and discourage the continued attack from most intruders. But hostile special services or interethnic destructive organizations are still able to do this even for programs protected with obfuscation and encryption, primarily because the code must be decrypted to run.

Such organizations will find and take advantage of vulnerabilities that have not been patched in a timely manner. In this regard, remote update capabilities (OTA) are crucial and must be built into devices before leaving the factory. OTA software and firmware updates are very important to maintain a high level of device security.

This point will be discussed in more detail in the “Device Control” section. However, obfuscation, segmented code signing, and OTA updates must ultimately be tightly interconnected to work effectively.

By the way, both segmented and monolithic code signing use a certificate-based trust model described in the previous “Communication Security” section, and using ECC when signing code can provide the same benefits of a high level of security combined with high performance and low power consumption. While signing a code, a publisher can choose cheap code signing certificates that is available in SSL industry easily. There are RSA and ECC algorithm with which a publisher can sign the code and publish it publicly. In this situation, the following key length recommendations are suggested for signing an IoT code where security matters:

• Minimum 224-bit ECC for end-entity certificates with preferred 256-bit and 384-bit;
• Minimum 521-bit ECC for root certificates, since, as a rule, it is expected that the signed code will be used for years or even decades after signing, and signatures must be strong enough to remain reliable for such a long time.

Device Protection. Effective Host Protection for IoT

In the previous chapter, we looked at the first aspect of device protection which defines the basic principles of key management, authentication for IoT, code signing and configuration to protect the integrity of a device, the basis of OTA control of such code and configuration.

However, after the communication protection and the implementation of safe launching of a well-controlled device, protection during the operation phase is necessary. Host protection solves this problem.

IoT devices face many threats, including malicious code that can spread through proven connections, exploiting vulnerabilities or configuration errors. In such attacks, several weak points are often exploited, including but not limited to:

• Failure to use code signature verification and secure boot;
• Poorly implemented validation models that can be circumvented.

Attackers often use these flaws to install backdoors, sniffers, data collection software, the ability to transfer files to extract confidential information from the system, and sometimes even the command & control (C&C) infrastructure to manipulate system behavior.

Particularly disturbing is the ability of some attackers to exploit vulnerabilities to install malware directly into the memory of already running IoT systems. And sometimes this type of infection is chosen, in which the malware disappears after the device is rebooted, but manages to cause enormous damage.

This works because some IoT systems and many industrial systems almost never reboot. In this case, it is difficult for the security department to detect the vulnerability used in the system and investigate the origin of the attack.

Sometimes such attacks occur through an IT network connected to an industrial network or an IoT network, in other cases, an attack occurs via the Internet or through direct physical access to the device.

As you understand, it does not matter what the original infection vector was, but if it was not detected, the first compromised device still remains trusted and becomes a conductor for infecting the rest of the network, whether it is a vehicular network or the entire plant’s production network. Therefore, IoT security must be comprehensive. Closing the windows,  leaving doors open is unacceptable. All threat vectors must be suppressed.

Fortunately, when combined with a reliable code signature and verification model, host protection can help protect a device from a multitude of hazards. Host protection uses a number of protection technologies, including hardening, access control to system resources, a sandbox, reputation and behavior protection, protection against malicious programs, and finally encryption. Depending on the needs of a particular IoT system, a combination of these technologies can provide the highest level of protection for each device.

Hardening, delineation of access to resources, and a sandbox will protect all the “doors” to the system. They limit network connections to applications and regulate incoming and outgoing traffic, protect against various exploits, buffer overflows, targeted attacks, regulate the behavior of apps while allowing them to maintain control over the device. Such solutions can still be used to prevent unauthorized use of removable media, block device configuration, and settings, and even de-escalate user privileges if needed.

Host protection has auditing and alerting capabilities, helping to track logs and security events. Policy-based technologies can even work in environments without an information network connection or with the limited computing power required to use traditional technologies.

The reputation-based protection technology can be used to determine the essence of files by their age, prevalence, location, and other to identify hazards that are not detectable by other means, and also give an idea of whether the new device should be trusted even with successful authentication. In this way, you can identify threats that use a mutated code or adapt their encryption scheme by simply separating high-risk files from safe ones, quickly and accurately detecting malware, despite all their tricks.

Of course, the combination of technologies used will depend on a specific situation, but the above tools can be combined to protect devices, even in environments with limited computing resources.

Summary

How can IoT be protected? These systems are very complex, they require comprehensive protection measures covering cloud and connection levels. Support for IoT devices with limited computing resources which are insufficient to maintain traditional security solutions is also needed. There is no simple or universal solution, and to ensure security, it is not enough to “lock the doors”, leaving the windows open.

Security must be comprehensive, otherwise, attackers will simply take advantage of the weakest link. Of course, traditional IT systems typically transmit and process data from IoT systems, but the IoT systems themselves have their own unique protection needs.

Author bio: Roy Emerson is a technology enthusiast, a loving father of twins, a programmer in a custom software company. Greedy reader and gardener.