This is how enterprises can protect their IoT devices from cyber threats
As billions of objects get connected via the internet, the probability of chaos increases: an attack on an industrial IoT system can result in damage to the environment and loss of human life.
The Internet of Things (IoT) is touching every part of our lives. As per one estimate there are 18 billion IoT devices in the world! IoT/M2M (Machine to Machine communication) impacts personal, professional and business areas as data-centric lifestyles and businesses evolve. IoT/M2M connects and integrates different types of control systems and sensors with enterprise systems, business processes, analytics and people, transforming the whole of society. As billions of objects get connected via the internet, the probability of chaos increases: an attack on an industrial IoT system can result in damage to the environment and loss of human life. So these risks have to be taken seriously, and security mechanisms should be put in place to prevent rogue elements from interfering.
Device security, authentication, authorisation, communication security, application security, data integrity, data privacy, lawful interception etc. are the essential requirements for IoT/M2M deployments. It is necessary to have a standardised, robust security framework.
Trust is the foundation of security. The interplay between security, trust and ICT (Information and Communication Technology) infrastructure is captured by the CIA security triad. The CIA (Confidentiality, Integrity and Authentication) triad is a common model that forms the basis for the development of a security system.
- Confidentiality: Only authorised users should be able to access or modify data.
- Integrity: Data should be maintained in a correct state and nobody should be able to improperly modify it, either accidentally or maliciously.
- Authentication: Authorised users should be able to access data whenever they need to do so.
An additional pillar of security is non-repudiation, which essentially means that someone can't falsely deny that they created, altered, observed or transmitted data. The difference between integrity and non-repudiation is that integrity ensures a message or transaction has not been tampered with, while non-repudiation provides evidence for the existence of a message and ensures that its contents can't be disputed once sent.
Various attributes of trustworthiness
1. Ability/capability: stability, reliability, scalability, safety, robustness
2. Integrity/honesty: accuracy/correctness, consistency, certainty, recency
3. Benevolence/co-operation: assurance, credibility, relevance, availability, cooperation
The cyber environment includes users, internet, computing devices, applications, services and systems that can be connected directly or indirectly to the internet. It also includes the software that runs on computing devices and the information stored, transmitted and created on these devices.
ITU-T X.805 addresses eight security dimensions (access control, confidentiality, integrity, authentication, non-repudiation, communication security, availability, privacy) and three security layers (network layer, applications layer and user information layer) across three security planes (management plane, control plane and end-user plane) in an end-to-end manner.
The new-age, IoT-enabled societies are a complex web of devices and applications. There are threats across the ICT world to IoT devices and applications, so trust provisioning in the ICT world for IoT devices and applications is critical to orderly growth. Trust-centric network domains can limit access to devices and applications based on a trust index.
TEC's (Telecom Engineering Centre) technical report on IoT/M2M security in 2019 mentions three important attributes:
- Device security: There is a need for a Root of Trust (RoT) based identity. A root of trust is the first step in creating a chain of trust. It is the building block for securing IoT devices and the critical anchor for authenticating a device's identity. Incorporating an immutable root of trust in IoT devices is key to protecting them from cloning, counterfeiting and reverse engineering. If the identity is not tamper resistant, then every aspect of trust built on it is automatically compromised. An eSIM (Embedded SIM) can act as a root of trust to secure IoT applications.
- Registration and certification: Identity registration and authentication are needed to ensure the security of IoT devices. The Certifying Authority (CA) in our country issues Digital Signature Certificates (DSCs) for electronic authentication of users.
- Use case classification and security compliance: We can't have the same security parameters for all the use cases, so use cases require classification in this regard.
TEC has endorsed the oneM2M standards as national standards for IoT/M2M security.
The service provider's role in IoT and ICT security enablement in India is globally acknowledged as best practice. India has an IT Act and a Root Certification Authority, and only a few countries have them. The combination of Indian certificates and service provider enabled trust is ideal for IoT security.
oneM2M standard
Two hundred member organisations support the oneM2M standard. It was created in 2012. It is a global partnership project constituted by eight of the world's leading ICT standards development organisations, including TSDSI (Telecommunication Standards Development Society of India). It has published three releases so far. Six interop test events and several developer events and hackathons have been conducted.
The oneM2M standard allows any IoT application to discover and interface with any IoT device. This is ideal for threat mitigation in distributed and cooperative solutions in areas such as smart buildings, smart cities and intelligent factories. The standard is based on a Common Service Layer.
oneM2M is a standard for a middleware platform that sits between applications and the processing/communication hardware. It is present on sensors, actuators, gateways and the cloud. It performs authentication, authorisation and encryption, and connects producers and consumers securely. The standard is agnostic to technology, hardware and software, and it interworks with many other standards including 3GPP. It controls when communication happens, increases the efficiency of data transport, enables storing and sharing of data, and supports access control. It notifies about events and can talk to a group of things at one point in time. It manages devices and their life cycle on a large scale.
Through its abstraction capabilities, oneM2M hides from application developers the complexities involved in interacting with the diversity of IoT devices.
The main security functions supported by the oneM2M standard are:
- Identification and Authentication:
  - Identification: checking that the identity of the request originator, provided for authentication, is valid.
  - Authentication: validating that the identity supplied in the identification step is associated with a trustworthy credential.
- Security Association Establishment:
  - Establishment of a security context between communicating entities to provide confidentiality (encryption) and integrity.
  - A range of authentication options is supported.
- Authorization/Access Control:
  - Authorising services and data access to authenticated entities. oneM2M has a robust authorization paradigm based on a RESTful architecture (REST stands for REpresentational State Transfer). REST APIs (Application Programming Interfaces) handle CRUD+N (Create, Retrieve, Update, Delete and Notification) operations on a resource.
  - The oneM2M service layer supports configurable access control policies that define clear rules dictating, for each resource, WHO is authorised to access it, WHAT operations are allowed and under WHICH conditions (e.g. time, location of the entity).
- Remote provisioning.
oneM2M security framework
- oneM2M provides a common set of security capabilities to secure IoT devices and applications and prevent or mitigate attacks.
- oneM2M exposes an abstracted set of security-related APIs to help simplify security for IoT devices and applications.
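As an added example (not oneM2M's own code, and not from this article), here is a miniature, single-file Python model of the three checks listed above applied in order to one request: identification, then authentication, then authorisation against a per-resource access control policy. The policy fields accessControlOriginators, accessControlOperations (a bitmask with Create=1, Retrieve=2, Update=4, Delete=8, Notify=16, Discovery=32), accessControlTimeWindow and accessControlIpAddresses follow the names used by the oneM2M ACP resource; everything else (the HMAC-based credential check, the in-memory enrolment registry, the originator IDs, secrets, resource path and sample requests) is constructed for illustration. It assumes an encrypted transport (the security association) is already in place and does not show it.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

# oneM2M accessControlOperations bit values (CRUD+N, plus Discovery)
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY, DISCOVERY = 1, 2, 4, 8, 16, 32

# Constructed registry: enrolled originator -> provisioned shared secret.
# In a real deployment the secret would be held in the device's root of trust.
ENROLLED = {
    "C_sensor01": b"constructed-secret-sensor01",
    "C_dashboard": b"constructed-secret-dashboard",
}


@dataclass
class AccessControlRule:
    """One rule of an access control policy: WHO, WHAT, under WHICH conditions."""
    originators: set                                   # accessControlOriginators
    operations: int                                    # accessControlOperations bitmask
    time_windows: list = field(default_factory=list)   # accessControlTimeWindow: (start, end)
    ip_networks: list = field(default_factory=list)    # accessControlIpAddresses


@dataclass
class Request:
    originator: str      # the "From" of a oneM2M request
    operation: int
    target: str          # resource being addressed
    payload: bytes
    mac: bytes           # HMAC proving possession of the provisioned secret
    sent_at: datetime
    source_ip: str


def canonical(originator, operation, target, payload):
    """Bytes covered by the credential check; any change breaks the MAC."""
    return b"|".join([originator.encode(), str(operation).encode(), target.encode(), payload])


def sign(originator, operation, target, payload, secret):
    return hmac.new(secret, canonical(originator, operation, target, payload), hashlib.sha256).digest()


def identify(req):
    """Identification: is the claimed identity one this service layer knows at all?"""
    return req.originator in ENROLLED


def authenticate(req):
    """Authentication: is the identity backed by the trustworthy credential?"""
    expected = sign(req.originator, req.operation, req.target, req.payload, ENROLLED[req.originator])
    return hmac.compare_digest(expected, req.mac)


def rule_applies(rule, req):
    if "*" not in rule.originators and req.originator not in rule.originators:
        return False                                   # WHO
    if not rule.operations & req.operation:
        return False                                   # WHAT
    if rule.time_windows and not any(s <= req.sent_at.time() <= e for s, e in rule.time_windows):
        return False                                   # WHICH: time of day
    if rule.ip_networks:
        addr = ipaddress.ip_address(req.source_ip)
        if not any(addr in ipaddress.ip_network(n) for n in rule.ip_networks):
            return False                               # WHICH: network location
    return True


def authorize(req, policy):
    """Authorisation: default deny; any matching rule grants the operation."""
    return any(rule_applies(rule, req) for rule in policy.get(req.target, []))


def handle(req, policy):
    """Run the three checks in order and report the first failure distinctly."""
    if not identify(req):
        return "rejected: unknown originator"
    if not authenticate(req):
        return "rejected: credential check failed"
    if not authorize(req, policy):
        return "rejected: not authorised for this operation"
    return "accepted"


# Constructed policy for one container resource (sample path, not a real CSE)
TARGET = "/cse/sensor01/data"
POLICY = {
    TARGET: [
        AccessControlRule({"C_sensor01"}, CREATE | UPDATE, ip_networks=["10.0.0.0/8"]),
        AccessControlRule({"C_dashboard"}, RETRIEVE | DISCOVERY,
                          time_windows=[(time(6, 0), time(22, 0))]),
    ]
}
NOON = datetime(2024, 1, 1, 12, 0)      # constructed timestamps inside / outside the window
NIGHT = datetime(2024, 1, 1, 23, 30)


def make_request(originator, operation, target, payload, sent_at, source_ip, secret=None):
    """Build a signed request; passing a wrong secret simulates an impostor."""
    key = ENROLLED.get(originator, b"") if secret is None else secret
    return Request(originator, operation, target, payload,
                   sign(originator, operation, target, payload, key), sent_at, source_ip)


if __name__ == "__main__":
    print(handle(make_request("C_sensor01", CREATE, TARGET, b"21.5C", NOON, "10.1.2.3"), POLICY))
    print(handle(make_request("C_dashboard", RETRIEVE, TARGET, b"", NIGHT, "203.0.113.9"), POLICY))
    print(handle(make_request("C_dashboard", DELETE, TARGET, b"", NOON, "203.0.113.9"), POLICY))
    print(handle(make_request("C_sensor01", CREATE, TARGET, b"21.5C", NOON, "10.1.2.3", secret=b"guess"), POLICY))
    print(handle(make_request("C_unknown", RETRIEVE, TARGET, b"", NOON, "10.1.2.3"), POLICY))
```

The policy is default deny: a request is accepted only if some rule for that resource names the originator, includes the operation bit and has its context conditions met. Keeping the three failure modes distinct (unknown identity, bad credential, not authorised) is what lets the service layer log and alert on them differently, for example treating repeated credential failures from an enrolled identity as a sign of cloning or key compromise.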
India is at the forefront of IoT developments and has been a very impressive example of integrating IoT into everyday life. By adopting the oneM2M standard, IoT growth in our country will be very positive. oneM2M is a global standard not controlled by a single private company. This standard is internet friendly for human interaction, and annotation of data with semantic descriptions for sharing information is allowed.
National security, human life security and money security should be given priority, in that order. Earlier, data theft was the only security issue: if we lose data, privacy or money may be lost, but life-threatening problems are unlikely. With the proliferation of IoT devices, process interruption may cause much more severe problems, such as loss of lives, for example when IoT-operated aeroplanes suffer a process interruption. Such security threats have to be mitigated.
(The author is a former Advisor, Department of Telecommunications (DoT), Government of India)