The Internet of Things (IoT) has made it possible to understand data and automate myriad processes in ways that were once unimaginable. Yet, billions of different devices residing on the edge of networks also introduce enormous security challenges.
Locking down all these devices and protecting the data that flows through them is a daunting proposition. Unfortunately, manufacturers design and build devices with varying levels of protection. Adding to the challenge, it’s difficult—and sometimes impossible—for users to patch flaws and vulnerabilities in a timely manner. Of course, replacing older and less secure devices might not be practical or cost-effective.
Encryption takes direct aim at this problem. It protects IoT data at rest and in motion—while boosting regulatory compliance. Yet, using cryptography effectively in a highly interconnected IT framework isn’t easy. An array of technical and practical issues come to the fore. This can include limited CPU capacity on devices, battery drain, how devices work with 5G and other network systems, and how data moves across gateways, clouds, and other components.
It’s no secret that IoT security is notoriously weak, and even absent, in many devices. Too many manufacturers approach cybersecurity as an afterthought. They fail to build in adequate protections at the firmware level, or produce buggy code. Making matters worse, end users typically deploy devices from different manufacturers that take different approaches to device security. This creates gaps. Finally, applying patches and security updates across hundreds or thousands of devices can prove daunting.
It’s not an abstract problem. Numerous security breaches have occurred as a result of IoT devices. For instance, in 2018, a gambling casino in the UK was hacked after cybercrooks entered the company’s network through an Internet-connected thermometer in an aquarium located in the lobby. Thieves stole the casino’s customer database.
There’s a common belief that it’s difficult and sometimes impossible to use existing, standard AES encryption with connected devices. But this simply isn’t true. Research and real-world examples demonstrate that conventional Advanced Encryption Standard (AES) technology can be used to lock down various connected gadgets and machines. Consider that passports, credit cards, and employee badges all use AES. AdvancedEncryption Standard (AES) technology can be used to lock down various connected gadgets and machines. Consider that passports, credit cards, and employee badges all use AES.
What’s more, IoT cryptography continues to improve. TheNational Institute of Standards and Technology (NIST) supports efforts to develop more advanced lightweight cryptography for the IoT. Meanwhile, Google has introduced a cipher, dubbed Adiantum, that encrypts Android devices regardless of their size or limitations. Using both standard AES and lightweight AES or ARMv8 crypto extensions, it’s possible to address requirements for the vast majority of IoT devices.
There are several ways to maximize the effectiveness of encryption on IoT devices. One of the most important is to strip out all default settings and replace them with continually changing passwords and, when possible, tokens. Multi-factor authentication (MFA) serves as an insurance policy if a password is breached. In some cases, a basic text message might be adequate. In other instances, there may be a need for a physical key or biometric authentication.
Of course, encryption at rest is only part of the story. It is critical to ensure that data in motion is also protected. Because IoT data travels across networks—in some cases multiple organizations—there’s a need to ensure that virtual private networks (VPN) are used when and where possible, and routers and other networking gear have been patched and updated to address security flaws and open-source vulnerabilities.
Other tools include network segmentation for IoT devices and solutions that can monitor devices, analyze data, and spot potential security risks. In the event of a cyber-attack, segmentation also allows an organization to shut down parts of the network that are compromised—and prevent attackers from gaining access to additional devices across a larger swath of the network.
There’s a need to examine specific use cases and data-management issues when mapping out a strategy. What’s more, it’s vital to consider several factors, including how cryptography impacts performance, battery life, and latency. Once an organization understands what protection is required for various devices and use cases, it’s possible to understand how and where to focus an initiative across clouds, devices, and networks.
As organizations venture into AI and machine learning, there’s also a need to rethink and rewire encryption schemes. For example, an emerging open-source framework called Tiny Machine Learning (TinyML) supports low-latency processing across distributed devices on the network edge. However, it and other forms of pooledAI require entirely different security frameworks. Consequently, it’s essential to monitor open-source code for vulnerabilities and use tokens and other complementary data-anonymization techniques.
The goal is an IoT framework that not only uses cryptography to protect devices and data but is part of a broader cybersecurity initiative that addresses device- and data-protection in a holistic way. This includes keeping an eye on how TCP/IPstacks and X.509 certificates verify devices and whether they introduce vulnerabilities that undermine encryption. Organizations that adopt a modern framework and close gaps in security are well positioned to unleash the full value of the IoT.