IoT Security - a primer

Security is a crucial requirement, a core building block, a success criterion, and an enabler for IoT at the same time. With scalability and extensibility, security represents an important quality attribute within the overall IoT architecture. Linking a vast number of devices and inter-connecting networks leads to complex systems that needs to be protected comprehensively and holistically.

Security impacts all layer of the IoT architecture. It starts with the security of the endpoints and impacts the data and processes in the cloud. Of course, the security of the network connecting all nodes is imperative to the success. In this regard, IoT security comprises the security of the network as well as the security of the connected devices, intermediate subsystems, such as gateways, and systems consuming the data finally. Beside connectivity and communication, security is important for all deployment and management processes.

First of all, there is no silver bullet, no unique approach to implement IoT security comprehensively. Beside all the technical requirements, there are always constraints and side effects such as cost pressure, time schedules, available resources, expertise and so on. Nevertheless, there is a set of essential requirements which must be considered from the beginning.

Objectives and Key Requirements

The overall goal is to protect the entire system which represents an IoT installation. The more granular security requirements, often called security attributes, are confidentiality, availability, integrity, and privacy. The relevance of these core attributes depends on the system, the environment, the actuators and their functions. In an installation where customer data is used, confidentiality and privacy are especially important. A smart meter installation would be a perfect example. Data management, processing, and distribution are becoming increasingly important for customers who want to control and ensure their privacy. In several countries, this is already regulated by law. Technologies and procedures to protect end user’s privacy are evolving. Anonymization of user data is only one approach. More advanced technologies follow an approach to conceal user identities and their network activity from surveillance and traffic analysis by separating identification and routing.

In the industrial environment, availability and integrity are high priority. Furthermore, safety cannot longer be separated from security. In some scenarios, IoT systems might be part of the critical infrastructure which even raises the bar for security. In these domains, security appliances and functions must not hinder the performance of the critical applications.

The following table contains the four key attributes:

Requirement / Attribute	Objective
Availability	Ensures that data is timely and reliable available to authorized entities when it is needed
Integrity	Protect data from modification without authorization to ensure accuracy and completeness
Confidentiality	Protect disclosure and data access from unauthorized entities
Information and Data Privacy	Management of data according to legal regulations and public expectations From an individual perspective, privacy is the right to control what information may be collected, processed and stored and by what entity, and to whom that information may be disclosed.

The recommended approach to identify the essential requirements is a risk-assessment of all assets that are part of the given IoT system. Depending on the outcome which is impacted by financial, safety and other consequences, requirement documentation can be compiled. In addition, requirements derived from regulations, policies and standards will complete the specification.