FEATURE: THE INTERNET OF THINGS
DATA SECURITY FOR IOT DEVICES

Alan Grau at Sectigo explores data protection for IoT devices and connected machines

IoT devices generate and collect a tremendous amount of data, and this data must be secured against tampering and discovery. IoT data security can only be achieved by building protection directly into the device itself. This provides a critical security layer, as the devices are no longer dependent on the corporate firewall as their sole layer of security.

In recent years, many embedded devices have added support for secure communication protocols such as TLS, DTLS, and SSH. These protocols provide a critical first level of defence against cyberattacks but leave a number of attack vectors unprotected. Security protocols that are designed to protect against packet sniffing, man-in-the-middle attacks, replay attacks and unauthorised attempts to communicate with the device provide a good starting point for building secure devices.

[Figure 1: Any device or machine that is destined to be connected to the IoT needs to be protected before it even rolls off the assembly line]

IoT devices, unlike enterprise servers, are not locked away deep in a data centre. Many are located "in the field" with the risk of theft or physical attack. Any sensitive data stored on these devices should be encrypted to ensure it is protected from attempts to read from the device, either by copying the data from the device, or by physically removing and reading data directly from the flash drive. Many IoT devices don't have the computing power to support full disk encryption, but sensitive data such as credit card numbers or patient information should always be encrypted. Manufacturers need to take measures to store the encryption key in protected memory on the device. Data at Rest (DAR) protection addresses this challenge by encrypting data stored on the device, providing protection for sensitive data stored on the device.

Secure communication protocols, data at rest protection, secure boot, and secure firmware updates all rely on encryption and certificate-based authentication. A device must have the ability to securely store the encryption keys and certificates used to encrypt data, authenticate firmware, and to support machine-to-machine authentication. If a hacker can discover the encryption keys, they can completely bypass an otherwise robust security solution. Secure key storage can be provided using a TPM or other hardware secure element. If the device does not have a hardware module available, a software-based secure key storage method can be utilised.

[Figure 2: Data security requirements]

CERTIFICATES AND DEVICE IDENTITY

PKI (Public Key Infrastructure) is a set of technologies and services for managing authentication of computer systems. PKI is based on a mechanism called a digital certificate. Digital certificates are sometimes also referred to as X.509 certificates or simply as certificates. Think of a certificate as a virtual ID card. PKI provides the tools and methods required to issue certificates to all IoT devices on a network and to manage those certificates throughout the life of a device.

A certificate can be likened to a driver's licence. It provides an identity and a set of permissions and was issued by a trusted entity. My driver's licence identifies me (Alan Grau), provides a picture to show that I am the proper bearer of the licence, and defines my permissions as a driver of a motor vehicle. I am authorised to drive any standard passenger motor vehicle, but not certain commercial vehicles. And the licence was issued by a trusted entity (the government of the State of Iowa).

In many ways, a certificate is similar. A certificate is issued by a trusted entity (a certificate authority), contains permissions, and is used to identify the holder of the certificate. A driver's licence contains information allowing the holder of the licence to be verified, just as a certificate contains the public key allowing it to be used only by the entity that holds the associated private key. Without getting into the details of the public/private key cryptography technology that makes this possible, an IoT device can verify that the certificate holder is the entity specified by the certificate. These services are enabled using public/private key cryptography, which provides the technical underpinnings of PKI. The result is that a device can verify, with cryptographic certainty, that the holder of the PKI certificate is really who it claims to be and not an imposter.

[Figure 3: A security framework provides an integrated set of security building blocks]

Data protection for IoT devices and connected machines is no longer a nice to have: it is essential. Cyberattacks are on the rise, cybersecurity legislation for IoT devices is becoming increasingly common (with more on the way), and network operators are beginning to require higher levels of security. To remain competitive, OEMs must address security in all of their products, no matter how small or complex. The new rule is that security must be built into devices from the early stages of product design.

Sectigo www.sectigo.com

22 DECEMBER/JANUARY 2021 | ELECTRONICS
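The data-at-rest and key-storage requirements described above (encrypt sensitive records, keep the encryption key in protected memory rather than in flash, and make sure a copied flash image is useless on its own) as an added worked example in Go. This is example code written for this page, not Sectigo's or any product's code. The SecureElement type is a software stand-in for the TPM or hardware secure element the article mentions (an assumption made for the example), and the record contents, labels and names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SecureElement stands in for the TPM or hardware secure element the article
// describes. It is a software model written for this example, not a real driver:
// the key-encryption key (KEK) never leaves the struct; callers only get
// wrap/unwrap operations, never the key bytes.
type SecureElement struct {
	kek []byte
}

// NewSecureElement provisions a fresh 256-bit KEK, as a factory would at manufacture.
func NewSecureElement() (*SecureElement, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &SecureElement{kek: kek}, nil
}

// gcmFor builds an AES-256-GCM AEAD for the given key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext. The random nonce is prepended to the
// output; aad is authenticated but not encrypted, so it binds the blob to a purpose.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails closed if nonce, ciphertext, tag or aad were changed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the element exposes on its KEK.
func (se *SecureElement) WrapDEK(dek []byte) ([]byte, error) { return seal(se.kek, dek, []byte("dek-v1")) }
func (se *SecureElement) UnwrapDEK(w []byte) ([]byte, error)  { return open(se.kek, w, []byte("dek-v1")) }

// FlashRecord is what actually lands in flash: a wrapped data-encryption key (DEK)
// and the sealed data. Copying or desoldering the flash yields only this.
type FlashRecord struct {
	WrappedDEK []byte
	Sealed     []byte
}

// StoreSensitive protects one record (a card number, a patient identifier) for
// storage on the device. A per-record DEK keeps the KEK's use to small wrap
// operations, which suits devices too constrained for full-disk encryption.
func StoreSensitive(se *SecureElement, label string, plaintext []byte) (*FlashRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	sealed, err := seal(dek, plaintext, []byte(label))
	if err != nil {
		return nil, err
	}
	wrapped, err := se.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &FlashRecord{WrappedDEK: wrapped, Sealed: sealed}, nil
}

// LoadSensitive recovers the record; it needs the same element and the same label.
func LoadSensitive(se *SecureElement, label string, rec *FlashRecord) ([]byte, error) {
	dek, err := se.UnwrapDEK(rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Sealed, []byte(label))
}

func main() {
	se, _ := NewSecureElement()
	// Constructed sample record, not real patient data.
	rec, _ := StoreSensitive(se, "patient-record", []byte("MRN 0001234, Jane Doe (constructed)"))
	fmt.Printf("on flash: %x\n", rec.Sealed)
	pt, _ := LoadSensitive(se, "patient-record", rec)
	fmt.Println("on device:", string(pt))
	// A cloned flash image read on hardware without the original element fails:
	other, _ := NewSecureElement()
	if _, err := LoadSensitive(other, "patient-record", rec); err != nil {
		fmt.Println("clone without the element:", err)
	}
}
```

The point the article makes about key discovery is visible in the structure: everything in FlashRecord is ciphertext, and the only way back to plaintext passes through the element's UnwrapDEK. GCM's authentication tag also covers the tampering half of the requirement, since any modification of the stored bytes or of the label makes open fail rather than return altered data.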
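The certificate-as-licence analogy from the CERTIFICATES AND DEVICE IDENTITY section made concrete, as an added example in Go that is not the article's or Sectigo's code: a constructed certificate authority issues a device certificate carrying an identity and a permission, and a verifier checks both that the certificate chains to the trusted authority and that the presenter holds the matching private key, by having it sign a fresh nonce. The CA name, device ID, organisation and challenge value are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceCA is a constructed certificate authority: the "trusted entity" that issues device certificates.
type DeviceCA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// createCert signs tmpl under parent and returns the parsed certificate.
func createCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDeviceCA makes a self-signed root. In production the CA key would live in an HSM.
func NewDeviceCA(name string) (*DeviceCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := createCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &DeviceCA{key: key, Cert: cert}, nil
}

// NewDeviceKey is generated on the device itself; the private half never leaves it.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// IssueDeviceCert is the "licence": it binds the device's public key to an identity (the device ID)
// and a permission (ExtKeyUsageClientAuth, i.e. this device may authenticate to a service).
func (ca *DeviceCA) IssueDeviceCert(deviceID string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough here; real CAs use random serials
		Subject:      pkix.Name{CommonName: deviceID, Organization: []string{"Example Devices Ltd"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return createCert(tmpl, ca.Cert, pub, ca.key)
}

// ProveIdentity runs on the device: sign a verifier-chosen nonce with the private key that
// matches the certificate. Presenting the certificate alone proves nothing.
func ProveIdentity(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// VerifyDevice runs on the peer: chain the certificate to the trusted root, require the
// client-auth permission, then check the nonce signature. Returns the verified device ID.
func VerifyDevice(root, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("presenter does not hold the ECDSA private key for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewDeviceCA("Example Device Root CA")
	devKey, _ := NewDeviceKey()
	cert, _ := ca.IssueDeviceCert("sensor-0001", &devKey.PublicKey)
	nonce := []byte("constructed-challenge-42")
	sig, _ := ProveIdentity(devKey, nonce)
	fmt.Println(VerifyDevice(ca.Cert, cert, nonce, sig))
	imposter, _ := NewDeviceKey() // has a copy of the certificate, not the key
	badSig, _ := ProveIdentity(imposter, nonce)
	fmt.Println(VerifyDevice(ca.Cert, cert, nonce, badSig))
}
```

The two checks in VerifyDevice map onto the two halves of the analogy: the chain verification is the "issued by a trusted entity" part, and the nonce signature is the "proper bearer" part, which is what stops a copied certificate from being useful to an imposter. A certificate issued by an unknown authority fails the first check even when its subject claims the same device ID.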

