IoT Security: Essential Requirements

One core requirement in IoT security is trust. Or, the other way around: We cannot trust an IoT device connected to the network unless we know exactly how it works. This is imperative! And it especially relevant with all the encrypted channels we see on the Internet. We might have MitM protection but we do not know what is on the wire and within the encrypted packages.

Real technology needs

There are lot of trends and buzzwords, AI is only one of them. But there are also other needs. One of them is usability in cyber security. Security is important and a critical success criteria for IoT. Security controls and technologies exist. But for an average user it is hard to comprehend and difficult to handle. This has direct impact on the posture of devices attached to the Internet. We definitely need much better usability in security for IoT. This encompasses the entire life cycle: installation, on-boarding, operation, and maintenance.

IoT Security - accept and handle failure

IoT as well as Industrial IoT (IIoT) present a couple of specific key requirements in order to build secure and reliable networks and systems operated in smart grid, smart city or manufacturing. Because of agility, size and the vast number of endpoints, automation and orchestration are important success criterions. But there is much more to consider: We need to accept and handle failure and security breaches. Survivability, resilience, isolation, and self-healing are essential characteristics and quality requirements for the underlying system architecture. Of course, network security is the sound basis for a scalable security architecture with strict network access control and secure onboarding as inherent features. This is the precondition for visibility and context awareness to address security intelligence in order to respond to threat automation and malware sophistication at all levels of the stack.

IoT Security - a primer

Security is a crucial requirement, a core building block, a success criterion, and an enabler for IoT at the same time. With scalability and extensibility, security represents an important quality attribute within the overall IoT architecture. Linking a vast number of devices and inter-connecting networks leads to complex systems that needs to be protected comprehensively and holistically.

Security impacts all layer of the IoT architecture. It starts with the security of the endpoints and impacts the data and processes in the cloud. Of course, the security of the network connecting all nodes is imperative to the success. In this regard, IoT security comprises the security of the network as well as the security of the connected devices, intermediate subsystems, such as gateways, and systems consuming the data finally. Beside connectivity and communication, security is important for all deployment and management processes.

First of all, there is no silver bullet, no unique approach to implement IoT security comprehensively. Beside all the technical requirements, there are always constraints and side effects such as cost pressure, time schedules, available resources, expertise and so on. Nevertheless, there is a set of essential requirements which must be considered from the beginning.

Objectives and Key Requirements

The overall goal is to protect the entire system which represents an IoT installation. The more granular security requirements, often called security attributes, are confidentiality, availability, integrity, and privacy. The relevance of these core attributes depends on the system, the environment, the actuators and their functions. In an installation where customer data is used, confidentiality and privacy are especially important. A smart meter installation would be a perfect example. Data management, processing, and distribution are becoming increasingly important for customers who want to control and ensure their privacy. In several countries, this is already regulated by law. Technologies and procedures to protect end user’s privacy are evolving. Anonymization of user data is only one approach. More advanced technologies follow an approach to conceal user identities and their network activity from surveillance and traffic analysis by separating identification and routing.

In the industrial environment, availability and integrity are high priority. Furthermore, safety cannot longer be separated from security. In some scenarios, IoT systems might be part of the critical infrastructure which even raises the bar for security. In these domains, security appliances and functions must not hinder the performance of the critical applications.

The following table contains the four key attributes:

Requirement / Attribute	Objective
Availability	Ensures that data is timely and reliable available to authorized entities when it is needed
Integrity	Protect data from modification without authorization to ensure accuracy and completeness
Confidentiality	Protect disclosure and data access from unauthorized entities
Information and Data Privacy	Management of data according to legal regulations and public expectations From an individual perspective, privacy is the right to control what information may be collected, processed and stored and by what entity, and to whom that information may be disclosed.

The recommended approach to identify the essential requirements is a risk-assessment of all assets that are part of the given IoT system. Depending on the outcome which is impacted by financial, safety and other consequences, requirement documentation can be compiled. In addition, requirements derived from regulations, policies and standards will complete the specification.