Published on 11/04/2016 | Operations
In January 2016, I listed the key challenges to be addressed in order to put Industrial IoT to work. As a third installment, I am delighted to address the third identified challenge: E2E security.
As soon as we consider Industrial IoT, we find ourselves asking about the ownership, accessibility, integrity and sensitivity of the data obtained & manipulated.
Addressing concerns ranging from traditional data security issues – confidentiality, integrity & availability – to questions of privacy, safety and legal jurisdiction is essential if we are to make pervasive sensing and massive computing, the pillars of Industrial IoT, socially and commercially acceptable.
Achieving these goals is not easy – the technologies may stretch from minute wireless sensors to massive data centers, and they may be distributed across the world, using open & public networks and physically exposed to potential attack. We face all the threats of the Internet while perhaps using devices that are restricted in power, memory and connectivity.
Of course, many of the standard security tools and models that apply to the Internet will also apply to the Internet of Things, and these are sufficient to allow millions of dollars of financial transactions to cross the network daily with acceptable levels of loss. But even within well-established (and well-monitored) communication paths, concerns about confidentiality, privacy, and misuse of data arise, as shown by continuous reports of data loss and fraud in the press.
Many of the controls and tools that make this possible also apply to IoT: secure communication using TLS/SSL and public-key cryptographic management using X.509 can be supplemented with, for example, trusted hardware components in architectures such as ARM’s TrustZone or Imagination’s OmniShield.
These elements contribute to a secure environment, but meaningful security requires consistent security throughout a system – attackers otherwise have the option simply to try elsewhere. We thus need:
- End-to-end security policies & architectures that protect information in transit and at rest, and in aggregate as well as within isolated devices.
- Means to ensure that application level policies and processes for data handling can be implemented successfully throughout the system, down to individual devices if necessary.
- Broad (but appropriate) deployment of hardware-supported security mechanisms & roots-of-trust.
- High quality implementations of key software technologies (including TLS/SSL).
- Clear and effective policies for data exchange and retention, allowing users to understand and influence the use made of sensitive data. These should be supported by regulatory & legal frameworks.
- Government support for responsible use of data and widespread deployment of effective security controls.
These measures are likely to lower the security risk and help make Industrial IoT socially and commercially acceptable. However, a risk, even a marginal one, will always exist. It's part of life!
I do believe that, in addition to risk mitigation, working hard on the value of the use cases will accelerate the social and commercial acceptability of Industrial IoT.
As long as the IoT benefit is higher than the security risk, the market is likely to tolerate failures in E2E security. Won't it?