Closing the gaps in IoT security

Huawei Hub Editor

The article explores how organisations can improve their Internet of Things (IoT) security standards and enable the rapid development of the IoT industry.

The security of the Internet of Things (IoT) is critical given the potential damage hackers can cause by hijacking huge numbers of networked objects and creating zombie botnets. Yet, awareness of enterprise IoT security is generally very poor. In fact, IoT products from many companies have zero security protocols.

HP’s Security Research Cyber Risk Report shows that 27 per cent of IoT control systems have been compromised or infected and 70 per cent of device communication processes are not encrypted. Many IoT communications protocols also lack security mechanisms, according to the report.

This reality has allowed a successive spate of attacks targeting or originating from IoT devices in the past few years, including an Internet outage in Australia, a simulated attack on a Tesla car, and a power blackout in Ukraine.

The large-scale Australian Internet outage in April 2017 was one of the biggest attacks in the country’s history. The attack targeted Melbourne IT’s domain name system servers Net Registry and TPP Wholesale. This saw approximately 500,000 Australian websites go down for up to 90 minutes. In addition, the 2016 Census was compromised by a DDoS attack, which overloaded the site and shut it down for 40 minutes.

There are two major challenges facing IoT security.

  1. The first is complex deployment environments and network structures. This includes access and data processing for massive numbers of devices, complex network structures, and excessive numbers of communication protocols.
  2. The second is limited computing and network resources. IoT sensors and some gateways have tight cost and power consumption constraints plus limited computing power and storage capacities. As a result, it’s difficult to run complex security protocols on them. Furthermore, their network bandwidth tends to be limited, with many local networks only offering tens of kbps of shared bandwidth.

3T+1M architecture security

The security requirements of IoT devices, networks, platforms/clouds, applications, and privacy compliance are much higher than they are for traditional networks. The key to IoT security lies in building device security and protection capabilities. IoT devices can be roughly divided into two categories based on their features: weak devices and strong devices/gateways. Each faces different security threats and demands.

Access and data processing for massive numbers of devices, particularly in high concurrency access scenarios such as surge attacks, is a huge challenge for IoT networks and platform security. Where the network and platform handle massive numbers of devices and volumes of data, it’s critical to be able to quickly detect malicious device behaviours like DDoS attacks and malicious tampering. This must be followed by fast threat diagnosis and response in the form of warning and isolation processes.

Protecting data such as user location, consumption data, and health data has much higher privacy compliance requirements for cloud-based IoT platforms, especially in verticals like electricity and the Internet of Vehicles (IoV), which have high certification requirements.

The cloudification of IoT services brings greater challenges for end-to-end (E2E) security operations and management such as smart security inspections and situational awareness in visual security.

Huawei developed its 3T+1M (technology + management) security architecture with the following in mind: IoT security threats, IoT application scenarios, and specific IoT security requirements. 3T+1M architecture encompasses devices, pipes, clouds/platforms, data security, privacy protection, and E2E security O&M.

Ways to ensure IoT security

1. Device and cloud anti-attack measures

Building a device security system is the first line of defence in ensuring IoT security. The security capabilities of devices need to be configured to match their functions and computing resources, including memory, storage, and CPU.

For weak devices, such as NB-IoT water and gas meters, where resources are limited and cost and power consumption are issues, basic security capabilities are a must. These include basic two-way authentication, DTLS, encrypted transmission, and remote upgradability. Scenarios like meter reading, where power consumption is a key factor, best suit lightweight, optimised, and secure transmission protocols.

Strong devices with more powerful computing capabilities that don’t have power consumption constraints and are operationally critical, such as industrial control terminals and car networking equipment, require advanced security capabilities, including trusted devices, intrusion detection, secure start up, and anti-virus protection. Device chip security and security for lightweight operating systems such as LiteOS need defence capabilities in line with the functions of strong devices.

Cloud is also an essential piece of the security puzzle: Coordinated device and cloud defence systems will enable security situation awareness, monitoring, and device upgrades to be carried out on the cloud.

2. Detect and isolate

To quickly detect and identify malicious behaviour in massive numbers of IoT devices and carry out isolation and warning alarm processes, network and IoT platforms require malicious terminal detection and isolation technologies.

First, the network side needs to have surge and DDoS attack protection capabilities. Second, the network must be able to coordinate with the IoT platform to identify malicious devices using rule matching, big data analysis, machine learning, and other rapid detection and analysis algorithms that draw on device behaviour traces, traffic anomalies, and packet analysis. Based on the device behaviour detection results, the IoT platform also needs to be able to quickly diagnose and respond to device behaviour according to the application scenario and specific situation. Responses include early warnings, observations, isolation and forcing devices offline, and instructing networks to take appropriate measures. This is the second line of defence in IoT security.
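
The detect-and-respond flow described above, as an added example (not Huawei's code): rule matching plus a traffic-anomaly check over constructed meter telemetry, mapped to the graded responses the text lists. The device names, telemetry fields and thresholds are assumptions made for the illustration.

```python
from collections import Counter
from statistics import median

# Constructed telemetry: (device_id, minute, packets_sent, distinct_destinations)
SAMPLES = [
    ("meter-01", 0, 2, 1), ("meter-01", 1, 2, 1), ("meter-01", 2, 3, 1),
    ("meter-02", 0, 2, 1), ("meter-02", 1, 9, 1), ("meter-02", 2, 2, 1),
    ("meter-03", 0, 2, 1), ("meter-03", 1, 400, 35), ("meter-03", 2, 650, 60),
    ("meter-04", 0, 3, 1), ("meter-04", 1, 2, 1), ("meter-04", 2, 40, 1),
    ("meter-05", 0, 2, 1), ("meter-05", 1, 300, 20), ("meter-05", 2, 2, 1),
]

# Assumed policy values, chosen for this example only.
MAX_DESTINATIONS = 2   # rule match: a meter should reach only its platform
WARN_FACTOR = 3        # mild deviation from the fleet baseline
SURGE_FACTOR = 10      # traffic anomaly: possible flood source

def classify(samples):
    """Map each device to a graded response from its per-minute telemetry."""
    # Median of the whole fleet stays stable when a few devices misbehave.
    baseline = median(packets for _, _, packets, _ in samples)
    rule, surge, warn = Counter(), Counter(), Counter()
    devices = set()
    for dev, _minute, packets, dests in samples:
        devices.add(dev)
        rule[dev] += dests > MAX_DESTINATIONS
        surge[dev] += packets > SURGE_FACTOR * baseline
        warn[dev] += packets > WARN_FACTOR * baseline
    responses = {}
    for dev in sorted(devices):
        if rule[dev] >= 2 and surge[dev] >= 2:
            responses[dev] = "force_offline"   # sustained fan-out and surge
        elif rule[dev] and surge[dev]:
            responses[dev] = "isolate"         # both signals in one window
        elif rule[dev] or surge[dev]:
            responses[dev] = "observe"         # single signal, keep watching
        elif warn[dev]:
            responses[dev] = "early_warning"
        else:
            responses[dev] = "normal"
    return responses

if __name__ == "__main__":
    for device, response in classify(SAMPLES).items():
        print(device, response)
```

Escalating only when signals repeat or coincide keeps a single noisy reading from taking a meter offline.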

3. Platform and data protection

The requirements for cloud platforms and data protection are much higher for IoT, including the platform’s own security, data storage, processing, transmission, and sharing functions. As well as cloud-native security such as WAF, firewalls, and HIDS, and data privacy protection, various other measures are required to meet specific IoT data protection requirements; for example, data lifecycle management, data API security authorisation, tenant data isolation, and encrypted video data storage, plus compliance with national IoT data privacy requirements. This is the third line of defence in IoT security.

Security operations and management

Establishing O&M system tools and the operating capabilities of O&M personnel is critical to IoT security O&M. For the coordinated handling of layered device-pipe-cloud architecture, O&M system tools provide E2E whole network visual security situation awareness, daily security assessments, O&M security reports, and smart security inspection. Providing security O&M guidance for IoT O&M personnel and standard security operating procedures for O&M operations enables O&M personnel and policy makers to perform service management. This improves the capability of the whole IoT security system, from preventative early warnings and detection and analysis to dealing with events after they occur.

When building a 3T+1M IoT security defence system, it’s crucial to develop key support technologies. These include lightweight security protocols, lightweight device system security, malicious device behaviour rapid detection algorithms, and visual security situation awareness.

The security ecosystem is essential

The IoT security ecosystem must focus on device security, but the technological capabilities of many IoT verticals in device security are very limited. With this in mind, Huawei’s various OpenLabs are designed to help industry partners develop device security capabilities.

OpenLabs provide E2E IoT security testing and verification services for devices, networks, and platforms, with security features comprising a key part of IoT partner certification. The lab provides partners with technical specifications and test cases for IoT device security to develop corresponding black box testing tools to ensure the access security of different devices.

To build a healthy and open IoT security ecosystem, Huawei has opened its IoT network and platform security capabilities and O&M tools to carriers and vertical industry partners.

With research on IoT security ecosystems and standards development just getting underway, Huawei believes in collaboration, combining the strength of upstream and downstream manufacturers to lead trials and experiments that will drive the maturity of key technologies, solutions, testing and verification, and industrial applications in IoT security. Huawei will also encourage industry standards organisations to develop and improve IoT security standards as quickly as possible, and regulate IoT security certification to enable the rapid development of the IoT industry.
