
The Internet of Things is everywhere, whether the general public realizes it or not.

It’s embedded in home appliances, in the packaging of shipments that arrive at their door, and throughout their entire workplace.

It is omnipresent. Yet, it is entirely behind the scenes to most consumers. 

For businesses and enterprise companies, this is not the case. IoT is a valuable tool that allows them to keep up or take the lead over their competitors.

The gold rush is on, but this time, the commodity is big data. 

With any draw of big fortune, out will come the thieves. For big data, unfortunately, the thieves and saboteurs are coming on with the ferocity of the Huns.

So how are you supposed to secure all your IoT data?


The Security Stages of IoT 

There are four main layers of an IoT platform: the edge, gateway, server layers, and connected mobile devices. 

Edge devices include sensors, actuators, and microcontrollers. These tools send data to a gateway, which, in its basic application, connects edge devices to the internal network.

The server layer involves the storing and analyzing of data. In-house servers, cloud servers, and PaaS (platform as a service) are the 3 most common solutions for the server layer. 

Lastly, you have mobile devices, which are unique in their ability to function as or access any part of the IoT network.

They are edge devices that communicate with both the gateway and server layers, pulling up analytic information right in the palm of your hand. 

Each of these IoT layers presents its own set of security challenges, requiring different means of protecting your data.

Securing the Data Path from Edge Devices to the Gateway 

Edge devices are typically secured through encryption algorithms. It is relatively easy to determine whether you need to secure the data between the edge and the gateway.

If you have a sensor that’s pinging the pressure reading of a well 5 times a day, chances are you don’t have to worry too much about that data being intercepted.

However, things can quickly change with actuators and microcontrollers. 

At a recent DEF CON security conference, hackers found 47 new vulnerabilities affecting 23 common IoT devices such as door locks, refrigerators, thermostats, and even solar panel arrays.

The door lock hack is an obvious detriment, but think about the others. 

By manipulating thermostats, attackers can cause frozen water pipes and furnace failures.

Having access to a solar array can effectively shut down a small to mid-sized power generation facility. 

Also, consider that an ATM is a microprocessor – an edge device. It is an entryway into any financial institution.

The infamous Target hack occurred through an edge device.

A portal was left open, and thieves gained access to Target’s point-of-sale (POS) systems. 

The Protocols for Securing Your IoT Platform 

The two most common protocols for securing the path from the edge to the gateway (and also from the gateway to the server layer) are MQTT (MQ Telemetry Transport) and HTTPS (HTTP over SSL/TLS).

MQTT is ideal for low bandwidth edge devices, providing a layer of security to the 3 parts of the MQTT control packet.

HTTPS consists of using a secure sublayer under regular HTTP, securing information from eavesdropping and man-in-the-middle attacks. 

With newer edge devices actually being “smart” devices, security can also be enhanced with Real-Time Identity Monitoring and Multifactor Authentication.

However, as the gateway is literally the entrance to your interior corporate network, true end-to-end encryption is the most solid way to protect your IoT platform.

Messages are encrypted in a way that only the unique recipient of a message can decrypt it. 

Your company’s firewalls also provide another level of security at the gateway, monitoring incoming and outgoing packet requests and blocking those from untrustworthy sources. 

Securing the Server Layer 

Between in-house servers, cloud servers and PaaS, there are a number of trusted vendors to provide security to your servers, such as IBM Watson.

They all feature the same encryption technology recommended for the edge to gateway path, but expand to include additional security roles. 

Besides secure transport, other security measures at the server layer include device authentication, authorization, API security, and security configuration.

Within the core network or cloud data center, your IoT platform additionally needs to be protected from impersonation, confidentiality compromise, and replay attacks. 

You can see the impact of replay attacks on social media, most notably Facebook.

Replay attacks happen when valid data is retransmitted or delayed by a hacker in order to gain access to an already established session.

On Facebook, this translates to getting a friend request from someone who you’re already friends with. 
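The replay check described above, as an added example that is not part of the original article or any IBM product: a server-side guard that authenticates each device message with an HMAC tag, rejects messages outside a timestamp window, and refuses any (device, nonce) pair it has already accepted. The device key, device name and message fields are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed shared key for the example; assumes one key per device,
# provisioned out of band (never hard-coded in real firmware).
DEVICE_KEY = b"example-device-key-not-for-production"
FIELDS = ("device", "nonce", "ts", "payload")


def _canonical(msg):
    """Serialize the authenticated fields in a fixed order so both sides hash the same bytes."""
    return json.dumps({k: msg[k] for k in FIELDS}, sort_keys=True).encode()


def sign(key, device, nonce, ts, payload):
    """Device side: build a message and attach its HMAC-SHA256 tag."""
    msg = {"device": device, "nonce": nonce, "ts": ts, "payload": payload}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: verify tag, freshness, and nonce uniqueness before acting on a message."""

    def __init__(self, key, window_seconds=30, now=time.time):
        self.key, self.window, self.now = key, window_seconds, now
        self.seen = set()  # (device, nonce) pairs already accepted

    def verify(self, msg):
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"          # tampered or forged
        if abs(self.now() - msg["ts"]) > self.window:
            return "rejected: stale timestamp"  # delayed beyond the window
        ident = (msg["device"], msg["nonce"])
        if ident in self.seen:
            return "rejected: replay"           # valid data retransmitted
        self.seen.add(ident)
        return "accepted"


def demo():
    clock = [1_000_000.0]  # controllable clock so the run is deterministic
    guard = ReplayGuard(DEVICE_KEY, now=lambda: clock[0])
    m = sign(DEVICE_KEY, "valve-07", "n1", clock[0], {"cmd": "open"})
    results = [guard.verify(m), guard.verify(m)]            # second copy is a replay
    results.append(guard.verify(dict(m, payload={"cmd": "close"})))  # tampered body
    clock[0] += 120                                         # 2 minutes pass
    late = sign(DEVICE_KEY, "valve-07", "n2", clock[0] - 120, {"cmd": "open"})
    results.append(guard.verify(late))                      # delayed past the window
    return results
```

A real deployment would bound the `seen` set (for example, per-device sequence counters or a time-limited cache) so the guard cannot grow without limit.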

The server layer is also what’s bombarded with DDoS attacks, malware, Trojans, and worms.

User error is another way into your network, so it’s paramount that strong password policies are implemented throughout the company, regardless of the company’s size. 

Additional security measures to utilize include storage virtualization and a strong disaster recovery plan.

Storage virtualization provides smart backup of your valued data in the cloud.

A solid disaster recovery plan can get your IoT platform up and running after a severe attack or disaster, sometimes in a matter of minutes. 

Securing Mobile Devices 

Thanks to smartphones, today’s employees are in constant connection with their companies.

While this is good for business, it’s bad for security.

With a supercomputer in everyone’s pocket, your IoT security can unfortunately boil down to how well an employee’s phone is protected from a breach. 

For this reason, it’s becoming more common for employers to offer their employees a company smartphone, covering the monthly bill so they can keep employees constantly connected and implement stronger security measures. 

The most basic security measure is once again having a strong password.

This is a policy your company needs to implement.

If you supply valued employees with smartphones, you have control over that device. You can also enforce local data encryption. 

Smartphones and laptops can be locked after a specified period of inactivity, shutting down these edge devices to help protect your data.

Devices can also be remotely wiped after a certain number of login attempts or if the device is reported lost or stolen. 

If you need more security for high-level or classified use, some companies choose to monitor and limit data roaming, manage applications by limiting access to only those that are certified and approved, and provide a backup/recovery service.

While some apps take care of backup and recovery already, for high security, it’s important to look at what smartphone manufacturers provide to determine if it’s adequate for your needs. 

There Is No Failsafe, but You Can Become Safer 

No IoT system is immune from harm, but by keeping up with security all throughout the IoT loop, you can drastically limit the damage from an outside attack.

The best thing to do is to figure out your security needs based on the data you’re collecting.

From there, you can formulate a security plan that balances security needs with the cost evaluation of your data.

Written by IBM BP Network