Defining a Security Strategy for an IoT Solution
A successful IoT security strategy requires thoughtful implementation at every level: from edge devices to the cloud. Most importantly, IoT security must be built into devices and infrastructure from the ground up, rather than bolted on as an afterthought. Security by design is a crucial element of success in keeping IoT deployments safe from cyber threats.
What Does IoT Security by Design Look Like?
At the device level, the cellular module must be secured and personalized at the time of manufacture. In this way, the device is “born” with identification, credentials and SIM functions embedded inside, allowing for a secure boot and making it distinct and straightforward to identify on a network. Modules should come equipped with a Trusted Execution Environment (TEE), a blend of secure hardware and software features used to store essential data such as firmware, encryption keys and the operating system.
Secure data transportation involves encryption everywhere — both for data in transit and data at rest. IoT security by design also means organizations must retain complete data visibility and control across the enterprise.
At the platform level, servers should be protected against security threats with built-in features such as role-based security, transport layer security (TLS) and virtual private networks (VPN).
A Checklist for IoT Security
An organization seeking to secure an IoT deployment must look at the issue from many angles. This checklist provides a starting point for evaluating an IoT security strategy:
To secure IoT deployments in manufacturing facilities, it’s vital to consider the site’s physical security. Also, check the status of hardware, libraries, firmware and software to ensure every part is patched and up to date.
- Are your manufacturing facilities secure?
- Is your hardware clean?
- Are you using the correct libraries?
- Are you using the right software?
- Do you use secure boot?
- Where is your firmware CA?
Communications and Protocols
Protocols and communication details are essential components of IoT security because any carelessness in this outer layer can provide an unlocked door for bad actors to enter the network. Regularly ask your team the following questions:
- Are you using “S” (the secure variants of your protocols, such as HTTPS)?
- Are you using mutual authentication?
- Where are the keys stored?
- Are all your devices public?
- What about access point names (APNs)?
- Are you using proxies?
- Where is the TLS encryption terminating?
Always be aware of who has access to devices and data on your IoT network and how much control they have. Maintaining role-based access control allows organizations to limit each team member’s realm of influence, keeping potential security risks at a minimum. Other system operations issues to consider include encryption of data at rest, change management processes and security audit logs.
- Is your data at rest encrypted?
- Are all your servers controlled from a single image?
- What is your change management process?
- Who has access to the databases?
- Who has access to your firmware?
- Is your firmware encrypted in transit?
- Where are your builds?
- Do you have adequate detail in your security audit logs?
Remote provisioning is becoming more common in IoT with the advent of the eUICC-enabled eSIM. When initial provisioning or firmware updates are sent OTA, it’s important to steward your provisioning process by asking the following questions:
- How do you do provisioning?
- Do you need to provision keys in the gateway or platform?
- Where is your firmware over-the-air (FOTA) stored?
- Who is generating the FOTA delta?
Identity and Crypto
Encryption is key to IoT security, but it needs to be done correctly. The ability to provide adequate encryption for your own and your customers’ data is essential, along with creating unique identities for hardware and software.
- Can you provide immutable, unique identities for your hardware and software?
- Can you provide the right encryption?
- Can you provide the right TEE?
- Is your private key in the clear?
- Can your customer use pre-shared keys for encrypting data?
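As an added example (not from the original article or from Telit), this Python check shows one way to answer “Where are the keys stored?” and “Is your private key in the clear?” for a firmware image or build artifact: it finds PEM private-key blocks and reports whether each one is passphrase-protected. The names scan_image, classify, make_pem and SAMPLE are hypothetical, and the sample bytes are constructed filler, not real keys.

```python
import base64
import re

MAGIC = b"openssh-key-v1\x00"
# One PEM private-key block: label, then optional headers plus base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify(label: str, body: bytes) -> str:
    """Return 'encrypted' or 'cleartext' for one PEM private-key block."""
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8, passphrase-protected
        return "encrypted"
    if b"Proc-Type: 4,ENCRYPTED" in body:       # legacy OpenSSL PEM encryption header
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        # The cipher name is a length-prefixed string right after the magic bytes.
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "cleartext"                  # unparseable: flag it for review
        if raw.startswith(MAGIC):
            n = int.from_bytes(raw[len(MAGIC):len(MAGIC) + 4], "big")
            cipher = raw[len(MAGIC) + 4:len(MAGIC) + 4 + n]
            return "cleartext" if cipher == b"none" else "encrypted"
    return "cleartext"

def scan_image(blob: bytes):
    """Return (offset, label, verdict) for each private key found in the blob."""
    out = []
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode()
        out.append((m.start(), label, classify(label, m.group(2))))
    return out

def make_pem(label: bytes, payload: bytes, headers: bytes = b"") -> bytes:
    """Build a constructed PEM block; the payload is filler, not key material."""
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.b64encode(payload) + b"\n-----END " + label + b"-----\n")

# Constructed sample standing in for a firmware image or build artifact.
SAMPLE = (
    b"\x7fFWIMG\x00"
    + make_pem(b"EC PRIVATE KEY", b"constructed filler")
    + make_pem(b"ENCRYPTED PRIVATE KEY", b"constructed filler")
    + make_pem(b"RSA PRIVATE KEY", b"constructed filler",
               b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    + make_pem(b"OPENSSH PRIVATE KEY", MAGIC + b"\x00\x00\x00\x04none" + b"filler")
    + make_pem(b"OPENSSH PRIVATE KEY", MAGIC + b"\x00\x00\x00\x0aaes256-ctr" + b"filler")
)
```

An “encrypted” verdict only means the block is passphrase-protected; the passphrase itself must not be stored alongside it in the same image or repository.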
Simplifying Complex IoT Security Concerns
Ultimately, IoT security is a complex undertaking; however, Telit’s approach seeks to make it simpler by building security into our solutions from end to end. Our guiding principle considers value, vendors and technologies as the three most critical components of an IoT security strategy. We’ve created a secure IoT ecosystem — encompassing modules, connectivity plans, and software and platforms — that works to bridge edge technologies with cloud servers and applications in a seamless way.
To learn more about securing your IoT deployment, check out our webinars titled “Secure Device Onboarding in IoT Deployments Part 1” and “Secure Device Onboarding in IoT Deployments Part 2.”