nCipher Security Blog

Building a foundation of trust for the Internet of Things

In the digital transformation era, companies across all sectors are using next-generation technologies to streamline their operations, deliver value to customers, and gain a competitive edge. Invariably, Internet of Things (IoT) strategies form the backbone of those efforts.

Building a foundation of trust for the Internet of Things

Enormous quantities of data can be generated by and collected from a wide variety of IoT devices. The goal is then to analyse it and take impactful action. But with great power comes great responsibility - if you can’t trust the data and the devices producing it, then why undertake the massive effort required to collect and analyse the data, or even worse, make business decisions based on it?

Building a foundation of trust is therefore essential to ensuring that the IoT reaches its full potential, but unfortunately many IoT devices simply were not built with security in mind. The introduction of connectivity to legacy devices where it was never the original intention, or to newer devices whose designers lacked expertise to develop for widely networked environments, can result in the introduction of new and unanticipated vulnerabilities. And those vulnerabilities can be exploited by attackers to use an IoT device as a point of entry to a network that they can then leverage to go after higher value systems and data.

The diversity of IoT devices and lack of standardisation also poses challenges. With consumers in particular prioritising convenience and functionality over security, it's down to manufacturers to ensure security is embedded into devices from the point of creation. Finally, it looks like progress is being made in this regard, with the UK Government launching a “Code of Practice” to secure the ever-expanding ecosystem of connected devices. Though the initiative is currently voluntary, this kind of collaboration between governments and private sector manufacturers is key to making progress toward doing a better job of preventing potentially catastrophic cyber attacks.

However, proven security strategies – adapted to the IoT environment – are also crucial to meeting these challenges head-on and enabling a secure and scalable IoT.

Digital certificates to uniquely identify devices can form a root of trust for IoT systems, and investment in this protection is projected to grow even further. According to research from the Ponemon Institute, almost half (42 per cent) of IoT devices will use digital certificates for authentication in the next two years. In particular, PKI-based (public key infrastructure) solutions are supporting an ever-increasing number of applications, with the IoT showing faster growth than any other application over the last three years.

Firmware signing is also key to ensuring that devices can verify the authenticity and integrity of updates and security patches that eliminate discovered vulnerabilities. Just recently, researchers found that a popular Internet of Things real-time operating system – FreeRTOS, run by AWS – was riddled with serious vulnerabilities. The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over. Authentic, secure patching ensures that manufacturers can mitigate security issues before cyber criminals can act.

Finally, it is difficult to underemphasise the importance of encryption to protect sensitive data collected by IoT devices. This too is being increasingly adopted, according to our 2018 Global PKI Trends Study, with 49 per cent of respondents either extensively or partially encrypting their IoT device data. Encryption, backed by strong encryption key management, is the best protection for sensitive data, whether it is personal information, customer information, or any other data whose owner wishes to keep private.

Security is seen by some as a barrier to their IoT projects, but its role, if done correctly as an inherent aspect of system design, can be exactly the opposite. Security teams should get a seat at the table from the very inception of IoT projects, and should help their IoT project constituents recognise and embrace its role as a key enabler of IoT, navigating the vast ecosystem of connected products and platforms, and developing ways to ensure and maintain customer trust.