I recently attended one of a significant Cyber-security@ Internet of Things event which featured keynotes, speeches and presentations from CTOs/SVPs-Tech/VPs of major IT firms. Attending these presentations sometimes give you a feeling of being in literature or a rhetoric club where instead of hearing context oriented speeches you get to listen to a bunch of fairy tales with almost every sentence including overused adjectives like “trust”, “motivation”, “responsibility” and so on. An SVP of a major IT player was asked about the measure (technical) her company takes to ensure data integrity and prevent cyber-attacks. Interestingly, her answer to this was the statement that “they maintain a culture of trust in and around the company”. To me, it is like standing in front of a hungry lion and telling him that you believe in non-violence. Today in the age of internet and IoT, we have to deal with thousands of cyber criminals (hungry lions) who are waiting to penetrate the system and make most out of it. To keep them out you need a lot more than just “trust”.
On the same event, I had an opportunity to talk to many cybersecurity experts and companies, and I confronted them with a question of mentioning at least one relevant cybersecurity norm/standard/certificate pertinent for each major component in an IoT stack. Unfortunately, most of these discussions turned into some sales pitch. The question one can raise at this point is that is it so challenging to mention at least one “state of the art” cybersecurity measure for every IoT component? Or just that the topic is underestimated?
This blog is just an attempt to name a relevant security standard/certificate or measure for every major element in IoT stack (see below) without going deep into the details of each and very standard/norm or certification.
For this sake, we will assume a simple IoT stack as illustrated below :
Fig.1: IoT stack of a simple use case
In this use case, an industry sensor collects the physical parameters (temperature, pressure, humidity etc.) and transmit the values via Bluetooth/Wifi/wired connection to the gateway or edge device. The gateway device, depending on the type (simple or edge) perform a certain minimal calculation on the received data and push it into the cloud via a Wifi/4G connection. The cloud collects the data and uses this data to feed desired micro-services like analytics, anomaly detection etc. Cloud also offers an interface to the existing enterprise and resource planning (ERP) system to synchronize the running process with the current one as well to provide product /service related information over the IoT platform to the end user. What the user sees on his screen is then the dashboard of IoT use case which is a graphical representation of the micro-services running in the background.
As we can see, there are four to five main stages and at least three interfaces (sensor-gateway, gateway-cloud, cloud-user) in a typical IoT use case. These stages and interfaces are on the target of cybercriminals who try to hack into the system with the intention of either manipulating or hi-jacking the system. Safeguarding just the components is not adequate. The underlying IoT communication layer (Bluetooth/Wifi/4G etc.) need to be secured as well. Also, organisations running or involved in such IoT use cases must ensure safety and integrity of the process, technical as well as user data through a certain information security management system (ISMS) in place.
To sum up, we need security measures at a component, communication-interface and organisational levels. Now if I have to write state of the art or “best in class” security measure (excluding cryptography) next to each stage, communication type and interfaces in the diagram above, then the resulting picture might look like the one below.
Fig.2: IoT stack with relevant cyber-security measure
What, in your opinion, could be included/excluded or replaced in this diagram? Feel free to share your opinion.
