Security level: tailoring to every use case
First, the level of security must be chosen according to the use case and adapted to the level of risk: the risk is lower for simple data collection and higher when the use involves command and control (where remote control could be taken over). For example, collecting temperature data in a room for energy optimization does not pose the same risk as controlling a valve remotely.
The choice of technology can already imply a specific security level. For instance, in “low speed, low power” networks like LoRaWAN, most uses are informational (data collection only), and the fact that the data is encrypted limits the danger. However, security must be considered end-to-end to avoid any vulnerabilities within the system.
End-to-end security
It is impossible to ensure effective IoT security without a holistic view of the solution: from the sensor to the application platform, by way of the network infrastructure.
Security starts with the sensors, both in their design and in their installation. They must first be designed by experts and manufactured with quality components. To enhance security in the most critical uses and limit access to direct connection ports on the sensor, a “secure element” natively integrated into the hardware is used. It is also essential not to forget to install the sensors correctly: they must be correctly positioned and secured, even concealed if needed.
Then, the choice of communication protocol is crucial, as it can incorporate a security layer through native encryption of all messages. For example, in the specific case of LoRaWAN, data is natively encrypted using AES-128, the most used and secure cryptographic algorithm today. The LoRaWAN protocol thus includes a default security layer, with an encryption mechanism based on key management.
Additionally, leveraging a network that is not directly IP accessible, avoiding a direct connection with the internet, is another security factor.
Security: an operator’s business
Nowadays, IoT telecom operators are firmly committed to increasing security measures. They notably use electronic vaults to host encryption keys, providing a protection level akin to banking security standards. In the case of the Objenious LoRaWAN network, encryption keys are hosted in a Key Management Server (KMS) system provided by specialists in these systems.
By using pre-existing infrastructures like highly secured data centers or national backhauls (intermediate networks used for GSM, fiber, or ADSL data), the security level is raised further, to prevent hacking of the metadata used by the network for quality of service management.
Operators running a single global network with a unique core network also have the capability to act quickly across the network to address potential security flaws.
Nonetheless, some risk always exists, and in this complex landscape it is not always easy to determine who is responsible for a security incident concerning an object. As a first step, IoT operators must implement monitoring tools to detect abnormally high or unusual data traffic. Applying machine learning algorithms can also help with anomaly detection.
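As an added illustration of the traffic monitoring described above (not Objenious code), the following Python sketch flags hours in which a device's uplink count is far from that device's own baseline. It uses a simple median/MAD statistic rather than machine learning; the device names, counts, minimum history and threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample: uplinks per hour for three devices (invented names and counts).
HOURLY_UPLINKS = {
    "sensor-A": [4, 4, 5, 4, 3, 4, 4, 5, 4, 4, 60, 4],          # burst in hour 10
    "sensor-B": [1] * 12,                                        # perfectly regular
    "sensor-C": [10, 14, 8, 12, 16, 9, 11, 13, 15, 10, 20, 12],  # naturally noisy
}

def robust_score(history, value):
    """Distance of value from the device's own median, in MAD-based units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 * MAD estimates the standard deviation for normal data; the floor
    # of 1.0 keeps a perfectly regular device from producing a zero scale.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale

def flag_anomalies(hourly_uplinks, min_history=6, threshold=6.0):
    """Return (device, hour, uplinks, score) for hours far from the device baseline."""
    alerts = []
    for device, counts in sorted(hourly_uplinks.items()):
        history = []
        for hour, n in enumerate(counts):
            if len(history) >= min_history:
                score = robust_score(history, n)
                if abs(score) > threshold:
                    alerts.append((device, hour, n, round(score, 1)))
                    continue  # keep flagged hours out of the baseline
            history.append(n)
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(HOURLY_UPLINKS):
        print(alert)
```

Because each device is compared with its own history, the noisy sensor-C is not flagged at 20 uplinks per hour, while sensor-A is flagged at 60; a device that suddenly goes silent is caught by the same absolute-score test.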
Security audits by expert firms, carried out regularly or every time the IoT data access platforms are changed, are also necessary.
These principles are standard for telecom operators, who need to ensure user security for their solutions and offer industrial players the security necessary for the smooth running of their operations.
Securing large-scale deployments
However, large-scale deployments can complicate the task. When IoT is industrialized, an entire ecosystem must come into place.
For example, the certification of connected objects by the operator or independent entities helps ensure the correct use of security keys and control of these objects accessing the network.
In addition to technology-specific solutions, labels such as Ready2Service in the Smart-Building field (a label of the Smart Building Alliance) also play a significant reassurance role for clients, thus accelerating the adoption of new technologies.
Training experts
Finally, the challenge lies not in raising awareness among IoT players, who have already recognized the need to provide a high level of security, but in training IoT managers within companies. They are responsible for making optimal choices and building the right architecture, depending on the risk level of their own use cases.
At present, these professions are relatively new, and the future professionals who will soon enter the market, as well as current IoT managers, will need to undertake training quickly.
Christophe Fouillé, Marketing Manager at Objenious