
Securing Entire Supply-Chains in Preparation for an IoT Future

The ‘Internet of Things’ (IoT) industry has grown substantially over the last decade. Developing from a buzzword into a vital part of tens of thousands of businesses, the industry is forecast to be worth $12.6 globally by 2030.

In essence, IoT means that data is being generated everywhere, from traffic and footfall flows to CO2 emissions, and captured by a vast network of sensors. Once gathered, that data can be analyzed, a job that is much easier now that cloud computing gives anyone access to supercomputer-scale capacity, and devices can then act on the results.

The industry is already powering ‘smart cities’, but it is only now that organizations are starting to use the data to its full potential. IoT is a key component of Industry 4.0 (the ‘fourth industrial revolution’), a term used in manufacturing for a production line in which every component exists as much in the digital world as in the physical one. It works by having those components constantly exchange data over networks such as 5G, making factories more efficient and allowing maintenance problems to be addressed proactively. Combined with robotics, autonomous systems and 3D printing, a factory or warehouse could in theory run without any help from humans.

It is important, however, to step back and assess the threats that exchanging data at this scale through internet-connected components creates, because every one of those components is a potential attack vector. Ransomware alone has already had devastating consequences in industrial settings. Now imagine what an attacker could achieve with access to the IoT network of a factory, oil refinery or power plant: simply increasing the torque applied by a robotic screwdriver could ruin whole batches of product, and switching off cooling could start a fire. This is not a worry for the future. IoT devices have already been hijacked in bulk and turned into botnets, with tens of thousands of compromised smart devices used to relay spam or to flood targets with traffic in Distributed Denial of Service (DDoS) attacks.

Securing IoT through unique ID

In a business system everything is connected to everything else, so one wireless thermostat with an unpatched vulnerability could in theory provide a foothold into an entire network. What limits the damage such a foothold can do is cryptographic identity: each device proving, with a key that only it holds, that it is what it claims to be. A physical analogy helps. A thief who wants to enter a high-security building might find an unlocked door or window, but would quickly be caught out by the lack of a valid security pass. If everyone in the building carried the same badge, the thief's job would be easy; if each pass is unique and personalized, with a photograph for instance, getting in undetected becomes much harder. A similar principle applies in IoT security.

It is possible that by 2025 there will be 38.9 billion IoT devices, and every one of them needs a unique identity. A serial number from the manufacturer is a start, but a serial number is only a name. Returning to the thief in the building: if they knew that somebody named John Smith was authorized to be there, they could simply claim to be him when confronted, unless there was some other way to verify who is and is not John Smith. Serial numbers can be forged in just the same way. This is the same reason that logging into a sensitive account usually requires a second proof that is much harder to fake; for an IoT device, that second proof is a cryptographic key held only by the genuine device.

Public Key Infrastructure (PKI) is already used across the internet to create a ‘root of trust’ between devices, applications and people, and it can secure IoT in the same way. Key injection is the manufacturing step that gives each device its own key pair: a private key that is unique to that device and should never leave it, and a matching public key that the manufacturer signs into a certificate tying it to the device's serial number. Anyone in the supply chain who trusts the manufacturer's root can then check that certificate, and challenge the device to prove it holds the private key, to establish the identity and therefore the authenticity of each device.

Protecting supply chains using public keys

Many components make up the IoT devices that companies use, and given supply chain disruption and global shortages of microchips, the authenticity of those components is a real question. A counterfeit component could expose an entire network to attack, which would be a serious problem in applications such as connected vehicles. Components therefore need to be able to check and re-check each other's identities, which means exchanging public keys and certificates (private keys are never exchanged) and verifying signatures, and manufacturers need the hardware in place to make this possible. Hardware security modules (HSMs) are where key injection starts: they hold the manufacturer's signing keys, they are kept offline or otherwise out of reach of remote interference, and they generate keys from a hardware random number generator. That last point matters more than it might seem: producing truly random numbers is a genuinely hard problem in computing, and a weak random number generator yields predictable, and therefore guessable, keys.
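The key-injection step described two paragraphs above and the supply-chain verification described in this one, written out as an added example; this is not code from the original article or from any manufacturer's or HSM vendor's toolchain. It is Go using only the standard library and models three parties: a manufacturer root CA, a provisioned device, and a downstream verifier that holds nothing but the root certificate. The names (Identity, mint, template, Provision, VerifyDevice, the CA name "Example Corp Device CA" and the serial "SN-000123") are constructed for the example, and the keys are in-memory stand-ins: in production the root key would live in an HSM and the device key would be generated inside the part's secure element.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate naming it: the manufacturer root (key in an
// offline HSM in production) or a device's injected identity, whose private half never leaves the part.
type Identity struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// template describes a device certificate named by cn; NewManufacturer upgrades one to a CA.
func template(cn string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// mint generates a P-256 key pair and has signer certify it under tmpl; nil signer means self-signed.
func mint(tmpl *x509.Certificate, signer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key // self-signed unless a signer is supplied
	if signer != nil {
		parent, signKey = signer.Cert, signer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{key: key, Cert: cert}, nil
}

// NewManufacturer creates the self-signed root that the whole supply chain will trust.
func NewManufacturer(name string) (*Identity, error) {
	t := template(name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return mint(t, nil)
}

// Provision models key injection: a fresh key pair for one unit, certified under its serial number.
func (m *Identity) Provision(serial string) (*Identity, error) { return mint(template(serial), m) }

// Sign is the only use a device makes of its key for outsiders: proving possession without revealing it.
func (d *Identity) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// VerifyDevice is what a downstream party runs, holding only the root certificates and a way to ask
// the part for signatures: chain the certificate to a trusted root, then demand a fresh signature.
func VerifyDevice(roots *x509.CertPool, cert *x509.Certificate, sign func([]byte) ([]byte, error)) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", fmt.Errorf("untrusted issuer: %w", err) // forged, self-signed or foreign-CA certificate
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand; guaranteed not to fail from Go 1.24 onwards
	sig, err := sign(challenge)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("%s does not hold the certified key", cert.Subject.CommonName) // copied certificate
	}
	return cert.Subject.CommonName, nil
}

func main() {
	m, _ := NewManufacturer("Example Corp Device CA")
	roots := x509.NewCertPool()
	roots.AddCert(m.Cert) // the manufacturer publishes its root certificate, never its key
	genuine, _ := m.Provision("SN-000123")
	fake, _ := mint(template("SN-000123"), nil)           // counterfeit: right serial number, vouches for itself
	clone := &Identity{key: fake.key, Cert: genuine.Cert} // genuine certificate copied onto hardware without the key
	for _, d := range []*Identity{genuine, fake, clone} {
		id, err := VerifyDevice(roots, d.Cert, d.Sign)
		fmt.Printf("accepted=%q err=%v\n", id, err)
	}
}
```

Running main prints one line per unit: the genuine device is accepted, the self-signed counterfeit fails chain validation even though its serial number is right, and the cloned certificate passes chain validation but fails the proof-of-possession step because the hardware behind it cannot sign with the certified key. Note what the verifier never needs: the manufacturer's private key or the device's. The same certificates are what mutual TLS between two devices, or between a device and a cloud service, would present, so the identity established here is also the basis for protecting data in transit.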

Once businesses adopt these device certificates, IoT security becomes a far more tractable problem. The same principles secure data in transit between devices, preventing attackers from eavesdropping on or tampering with it, and underpin the cloud-based systems that are increasingly part of IoT solutions. Each component can prove that it is authentic and unique, and because the public-key cryptography behind PKI is extremely difficult to break, it becomes much harder for bad actors to establish a foothold in an IoT network.

Creating an interconnected security infrastructure for IoT is crucial. In a world where everything communicates with everything else, it is not just business-critical but vital that everything from smart-city networks down to individual smart devices is secure.