That’s why security has been a key area of focus at Telit, which enables end-to-end IoT solutions with its wireless module technology, platform services, and connectivity. IoT Evolution recently interviewed Telit CSO Dr. Mihai Voicu about IoT security, why it’s so important, and what the company is doing to address it. Here’s what Dr. Voicu had to say.
Many companies today are in the experimental stage with IoT. When do they need to get serious about IoT security?
It’s important to bear in mind that privacy and security are issues of regulatory concern, but such regulations can be complied with if the data is secured end-to-end and can be proven to be secure.
How is IoT security any different than traditional security?
Worldwide spending on IoT security was forecast to reach $348 million in 2016, a 23.7 percent increase from 2015 spending of $281.5 million, according to Gartner.
IoT security is different from other security due to the sheer volume of IoT endpoints that exist, the wide array of different ‘things’ and connections that need to be secured, and the life-and-death nature of some IoT applications.
Those endpoints include IoT modules, sensors, and other equipment – which are expected to number in the billions. That will radically increase the threat surface organizations need to defend.
Organizations need to defend their IoT data, endpoints, and other infrastructure because if control of those resources falls into the wrong hands, it could have life-changing results. We now live in a world in which a tire pressure sensor on a vehicle can be hacked, enabling cyber criminals to gain control of vehicle systems. That could be a very dangerous situation, and it’s just one example of why IoT security is so important.
What are the three core aspects of IoT security?
The first involves securing endpoints. The second has to do with securing the control plane of IoT solutions. The third one, maybe the most important, is securing the customer’s data.
What do we need to know about IoT endpoint security?
It’s the source of most IoT security problems today. That’s in part because many endpoints don’t feature baked-in security.
The good news, however, is that people with an interest in IoT are beginning to understand the importance of endpoint security, and companies like Telit are already addressing it. In fact, Telit has been working with the GSMA to create security guidelines for endpoint devices.
Telit has developed a secure boot capability that creates a trusted, secure environment when an endpoint’s communications module is booted. That means as soon as the chip fires up and the firmware initiates, every single line of code is assured to be from a trusted source. This secure boot capability is available today.
What needs to happen to secure the connectivity?
Cellular modules used by customers often involve a data subscription and a SIM card, and the subscription needs to be managed so the connectivity is attached to the proper carrier and proper module to ensure security is maintained. Telit provides such modules and SIM cards, as well as the management related to them to keep things secure.
What else needs to be secured in IoT deployments?
Beyond the module and the network, the next points of security weakness are the aggregation points at which data from modules are brought into the systems of an enterprise. First comes the gateway, but the major aggregation point is the IoT platform, which makes the connection with the enterprise. This point of aggregation is where all the gateways connect and, from there, multiple ways of getting data out exist.
The data itself is coming in from a multitude of inputs. An asset gateway, for example, provides a gateway from a hardware perspective into the cloud. Telit offers an agent in specific gateways that creates a secure bridge into the cloud so the enterprise can receive information in a secure way.
An enterprise gateway can have a similar agent that securely connects into the cloud and puts data from it into enterprise systems such as ERP solutions. The gateway can enable a secure bridge from the cloud into the interfaces of each enterprise system.
What about platform security?
Telit’s deviceWISE IoT platform offers a variety of security features, but in some cases they are dependent upon the policies of the organizations using that platform.
For example, in the fleet management industry, the majority of customers own a fleet of trucks, but subsets of those trucks may be operated by different companies. So users want the ability to segregate those trucks based on which company is operating them so each organization can set its own policies relative to the level of security it desires. That’s why Telit offers so many layers of segregation and visibility. That way, the owner of the fleet can see all its trucks, but individual operators can only see the vehicles they manage. Access to data in this scenario is required for devices and humans, but it is only provided according to their roles and privileges.
Telit’s platform approach emphasizes the importance of being able to secure the control plane. For Telit, it’s critical how access to the underlying capabilities, rather than the platform itself, is given and managed. Totally different levels of segregation for user access are enabled as well as a very strict approach to what needs to be added with change management control in place. Requests, approvals, and execution are not performed by the same person, and it’s vital to ensure that the impact of infrastructure on operations from a security point of view is minimal.
To learn more about the security challenges facing IoT, download the Telit whitepaper: ‘How to Create, Deploy, & Operate Secure IoT Applications’ at info.Telit.com/iot-security.
Edited by Ken Briodagh