Can an Iot Device Ever Be Secure?

Ian Marsden, CTO at Eseye

The cyber threat has never been greater, with high profile DDoS attacks putting the issue high on the agenda for both businesses and governments. Only at the end of last year an attack which was reported to be the largest of its kind, brought down most of the internet across the UK and America. The growth of such incidents stems from the simple fact that more ‘things’ are now connected to the internet than ever before.

The continuing spate of attacks have therefore shone a bright spotlight on IoT security – highlighting it to be both weak and ineffective. It’s an issue which the industry has taken seriously for some time, but a sharp rise in both incidents and media headlines will naturally propel the problem further up the value chain.

The daunting task of security

The crux of the problem stems from the physical time and associated cost involved in IoT deployments around the secure provisioning of devices, and how we get a device onto the network. This has historically been a daunting task, often to the point of impossible.

Traditionally with any IoT deployment, someone has to physically go out and set devices up – even if that means climbing up a windmill in the rain. The uncertainty of custody, manual passwords and the need for onsite intervention throughout the product lifecycle then create security issues, which can often lead to that person having to go back out to climb the windmill.

However, the security fears over such antiquated inadequacies which have long plagued the industry can be solved, but to do so it must start with the IoT service piece, rather than at the device-end. From that starting point a circle of life can be created – ensuring seamless and secure connectivity in a way that means the person who was once climbing the windmill is now sitting comfortably in a chair.

The circle of life for IoT

A SIM, such as the AnyNet Secure, is specifically designed as an automated solution to enable connected devices to remotely and securely activate, connect, certify and authenticate.

This means when a connected-product (such as that windmill, or a smart toy) is created on the IoT service, it triggers a set of functions to set  up the policy and certificate for the device, which provide the security and identification material for the device.

That in turn is delivered to the cellular service provider, which provisions the subscription plan and networking connectivity of the device. More importantly, the security material is also then delivered over-air into the SIM within the device. No manual passwords or onsite intervention is required and the need for the release of third party security keys to manufacturers is also removed.

As a result, the device isn’t only remotely managed at installation but throughout the lifecycle of the product. This means that if the device has a security threat and it is decided to revoke or replace the certificate, it can be done from the console.

Similarly, if there’s a change in ownership (for instance, the windmill has been sold to someone else) the data might need to be re-provisioned. Without having to visit the site that data can be routed into a different place.

So the person who was previously climbing up the windmill is now sitting in a chair putting the identification material into the terminal.

Securing the future of IoT

50 billion devices are predicted to be connected to the internet by 2020, so it’s little wonder why McKinsey estimates the IoT market to grow to a value of $3.7 billion by that same year.

As the market grows however it will become more pivotal than ever to ensure businesses are equipped to grasp the opportunities, rather than unnecessarily wasting time and money implementing IoT projects – or climbing windmills in the rain.

Yet fears over the security of connected devices continue to dominate the headlines and are still widely heralded as a major reason why organisations do not even embark on M2M or IoT deployments.

In an industry which is at the forefront of innovation, the inability to defend against security threats simply cannot be allowed to hold back the potential benefits which could be yielded from IoT.

Ian Marsden, CTO at Eseye

The cyber threat has never been greater, with high profile DDoS attacks putting the issue high on the agenda for both businesses and governments. Only at the end of last year an attack which was reported to be the largest of its kind, brought down most of the internet across the UK and America. The growth of such incidents stems from the simple fact that more ‘things’ are now connected to the internet than ever before.

The continuing spate of attacks have therefore shone a bright spotlight on IoT security – highlighting it to be both weak and ineffective. It’s an issue which the industry has taken seriously for some time, but a sharp rise in both incidents and media headlines will naturally propel the problem further up the value chain.

The daunting task of security

The crux of the problem stems from the physical time and associated cost involved in IoT deployments around the secure provisioning of devices, and how we get a device onto the network. This has historically been a daunting task, often to the point of impossible.

Traditionally with any IoT deployment, someone has to physically go out and set devices up – even if that means climbing up a windmill in the rain. The uncertainty of custody, manual passwords and the need for onsite intervention throughout the product lifecycle then create security issues, which can often lead to that person having to go back out to climb the windmill.

However, the security fears over such antiquated inadequacies which have long plagued the industry can be solved, but to do so it must start with the IoT service piece, rather than at the device-end. From that starting point a circle of life can be created – ensuring seamless and secure connectivity in a way that means the person who was once climbing the windmill is now sitting comfortably in a chair.

The circle of life for IoT

A SIM, such as the AnyNet Secure, is specifically designed as an automated solution to enable connected devices to remotely and securely activate, connect, certify and authenticate.

This means when a connected-product (such as that windmill, or a smart toy) is created on the IoT service, it triggers a set of functions to set  up the policy and certificate for the device, which provide the security and identification material for the device.

That in turn is delivered to the cellular service provider, which provisions the subscription plan and networking connectivity of the device. More importantly, the security material is also then delivered over-air into the SIM within the device. No manual passwords or onsite intervention is required and the need for the release of third party security keys to manufacturers is also removed.

As a result, the device isn’t only remotely managed at installation but throughout the lifecycle of the product. This means that if the device has a security threat and it is decided to revoke or replace the certificate, it can be done from the console.

Similarly, if there’s a change in ownership (for instance, the windmill has been sold to someone else) the data might need to be re-provisioned. Without having to visit the site that data can be routed into a different place.

So the person who was previously climbing up the windmill is now sitting in a chair putting the identification material into the terminal.

Securing the future of IoT

50 billion devices are predicted to be connected to the internet by 2020, so it’s little wonder why McKinsey estimates the IoT market to grow to a value of $3.7 billion by that same year.

As the market grows however it will become more pivotal than ever to ensure businesses are equipped to grasp the opportunities, rather than unnecessarily wasting time and money implementing IoT projects – or climbing windmills in the rain.

Yet fears over the security of connected devices continue to dominate the headlines and are still widely heralded as a major reason why organisations do not even embark on M2M or IoT deployments.

In an industry which is at the forefront of innovation, the inability to defend against security threats simply cannot be allowed to hold back the potential benefits which could be yielded from IoT.