© 2019 Crypto Quantique

Crypto Quantique

Studio 601, 164-180 Union Street,

London, SE1 0LH

Problem

The IoT is under attack

“Through the first six months of 2019, SonicWall has registered 2.4 million encrypted attacks on IoT, almost eclipsing the 2018 full-year total in half the time.”

- 2019 SonicWall Cyber Threat Report

Device security is too often an after-thought – this must change

IoT needs Security 4.0

The "safe" element, cybersecurity, is the Achilles heel of Industry 4.0.

Unless it is specifically addressed with radical approaches, the consequences will be catastrophic, given the mission-critical and economically critical systems being developed in the Industrial IoT space.

Security is a collective industry responsibility. Device manufacturers (especially at the low-cost end) need cost-effective solutions that make it easier to choose to design their devices to be inherently secure.

The entire ecosystem must work collaboratively to ensure end-to-end cybersecurity

End-to-end Security By Design

One reason for the difficulty in securing connected devices is that many stakeholders, including OEMs, manufacturers, integrators, and designers are involved in developing and implementing the IoT.  Each stakeholder is faced with different threat vectors and thus has different security requirements.

Deploying IoT that is secure by design must be made less complex and more economical.

As with most things, cybersecurity is only as good as the weakest link. Some IoT networks do not even enforce security between IoT devices and communication gateways. Protection of data is often applied only at the gateway, protecting just the communications between the gateway and the receiving endpoint.

Securing IoT traffic all the way from IoT devices to their receiving endpoints is crucial to closing these holes and securing IoT networks.

Device Identity

There are two principal issues in providing practical end-to-end cybersecurity in the IoT:

  • The "root of trust": the ability for a device to authenticate itself and be a trusted member of a network. It is the trust anchor for the life-cycle management of the device and of the whole service infrastructure in which the IoT device is integrated.

The most important decision when designing an IoT device is the choice of a robust root of trust. This is a basic need and is today the weakest link.

  • The cryptographic and security foundation to enable safe data passage and functional operation of IoT networks. This relies on proving ownership of the root of trust.

It is widely acknowledged in the security industry that strong security mechanisms have to be based on hardware, because software can always be circumvented by software.

Lifecycle and Key Management

Key management in ‘end-to-end’ security by design must be economical and easy to implement.

Device identity and the associated cryptographic keys must be managed for the device's whole life, from birth to scrapyard.

To provide an on-going secure foundation for all its relationships, a device should always be able to identify itself with a cryptographic key derived from hardware which can never be compromised.

Regulations

A number of countries and economic blocs have instituted, or are in the process of instituting, tough regulations to govern cybersecurity of the IoT.

Europe is a world leader in both data and cybersecurity protection laws. The UK and Denmark, for example, made the EU Network and Information Security Directive (NISD) law, and imposed heavy fines for non-compliance. Singapore is another notable example of a country that has enacted a tough Cybersecurity Act (CSA).

With cyber-attacks increasing exponentially year on year, this is not before time.