The core value of an Internet of Things device is data, so all the existing security features in information and Internet technology can also be used in the IoT spectrum. One of the major principles guiding the security space is the CIA triad. CIA in this context does not mean Central Intelligence Agency; it is an abbreviation for Confidentiality, Integrity, and Availability. The CIA principle is simple but widely used, and it is a must for all secure devices.
Let us understand the different components of CIA.
Confidentiality is about not disclosing information to an unauthorized party. This is one of the most obvious aspects of the CIA model, but also the most attacked. Take the OTP (One Time Password) you receive on your registered mobile number when you use “forgot password?” on a website: if that information is stolen, your account can be hacked. Likewise, when you log in to your bank account, your user name and password are passed to the server from your web browser or mobile app; if they are intercepted in the middle, your account is compromised. Both symmetric and asymmetric cryptographic techniques are used when information is sent from one system to another.
Integrity is about the certainty that data is accurate and has not been changed on its journey from the original sender to the intended receiver. One of the most common attacks, called the man-in-the-middle attack, intercepts the data in transit, makes the changes required for the hack, and then sends it on to the intended receiver. To prevent this kind of attack, cryptographic signatures are required.
Availability of information refers to ensuring that authorized parties are able to access the information when needed. Information has no meaning if it is not available to the authorized user at the required time. Denying access to information is very common nowadays: we hear about DDoS (Distributed Denial of Service) attacks on reputed web servers. There can be other reasons for non-availability, such as power outages or natural disasters, so backing up at every stage of your IoT architecture is essential.
IoT systems mostly run on public networks, and these networks are not secure most of the time. IoT brings more capabilities and services, along with increased efficiency and flexibility, by connecting endpoints that were previously closed, but that same connectivity also allows attackers to reach those systems from the outside world. Reverse engineering techniques are often used to find software vulnerabilities, which can then be exploited to hack the device for sabotage and espionage purposes, to create counterfeit products, and even to steal sensitive data.
It should be clear by now that the CIA triad is mainly built around cryptographic operations. As the saying goes, a cryptosystem should be secure even if everything about the system, except for the key, is public knowledge. This comes down to encrypting and decrypting the information using the key.
In the world of cryptology there are many methods for doing so: DES and AES for symmetric cryptography, and RSA and ECC for asymmetric cryptography. Note that these cryptographic techniques are very much in the public domain; the key remains secret, which serves the purpose.
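The integrity check and the "only the key is secret" point described above, as an added example that is not part of the original article. It uses a shared-key HMAC-SHA256 tag from Python's standard library in place of an asymmetric signature, and it goes slightly beyond the text by also rejecting replayed messages; the device name, key, message layout and counter are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample key; on a real device it would sit in the secure element.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def seal(key: bytes, device_id: str, counter: int, reading: float) -> dict:
    """Sender: attach an HMAC-SHA256 tag to a telemetry message."""
    body = {"device": device_id, "counter": counter, "reading": reading}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class Receiver:
    """Accepts a message only if its tag and its counter both check out."""
    def __init__(self, key: bytes):
        self._key = key
        self._last = {}  # device id -> highest counter accepted so far

    def accept(self, message: dict) -> bool:
        payload = message["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected, message["tag"]):
            return False  # changed in transit, or sealed with a different key
        body = json.loads(payload)
        # A valid message that is sent again fails the increasing-counter check.
        if body["counter"] <= self._last.get(body["device"], -1):
            return False
        self._last[body["device"]] = body["counter"]
        return True


def demo() -> dict:
    rx = Receiver(DEVICE_KEY)
    genuine = seal(DEVICE_KEY, "pump-7", 1, 21.5)
    # Constructed tampering: the reading is altered, the original tag is kept.
    tampered = dict(genuine, payload=genuine["payload"].replace("21.5", "99.9"))
    forged = seal(b"guessed-key", "pump-7", 2, 99.9)  # algorithm known, key not
    return {"tampered": rx.accept(tampered), "forged": rx.accept(forged),
            "genuine": rx.accept(genuine), "replayed": rx.accept(genuine)}


if __name__ == "__main__":
    print(demo())
```

Because both ends hold the same key, an HMAC proves the message came from a key holder but not which one; an asymmetric signature is needed when the receiver must not be able to produce valid messages itself.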
The big question that remains is how to implement these complex security tools in your IoT systems. We have to use technology that creates secured code and licenses which, together with the secure element in the target system, ensure that the code and the licenses can only be used on an individual device/system. This can in turn be integrated with existing ERP or e-commerce platforms to bring in new business models, such as pay-per-use or time-based licenses, in the IoT domain, all in all creating a much more secure system in the domain.