Internet of Things (IoT) Security
Twenty-six billion: that’s the number of devices Gartner predicts will be connected to the “Internet of Things” by 2020. Cisco projects the figure even higher, at 50 billion by 2020. While mobile technology in general has revolutionized the way millions of people work, most of the billions of IoT devices in use operate in highly accessible locations with little to no physical security. And ironically, IoT devices are often used for confidential data transmission. A recent Hewlett-Packard study showed that, of the most commonly used IoT devices, 70% contained vulnerabilities, including problems with encryption, personal security and personal data.
Unsurprisingly, these conditions highlight the critical need for strong IoT device security protocols, which has only grown in public awareness with recent developments such as corporate espionage, covert surveillance by government entities and the Stuxnet virus.
However, security today is not just about encryption, data integrity, or even just having a secure connection. How can you ensure that all devices accessing wireless networks are properly authenticated and permitted the “right” type of access? The best way to do this is to consider physical, rather than virtual, ways to secure and authenticate network connections. Typically, the closer you can get to the network physical layer (or Layer 2), the better, such as with MACsec. Layer 2 security offers the best possible option, in terms of device and link authentication, since it’s not just securing a virtual Layer 3 circuit within that connection. Let’s look at why.
As background, the OSI protocol stack can house security protocols at various levels. In fact, many applications have their own security protocols for encryption at the respective application layer. This is largely driven by government regulations such as Sarbanes-Oxley, HIPAA, PCI, Basel II, etc., requiring strict, near-military-grade confidentiality for medical and financial information. Two such examples are HTTPS and SSH, which operate at Layer 4 of the OSI stack and above. IPsec, which works at Layer 3, is commonly used in routed networks.
Ethernet networks work at Layer 2 and have their own encryption protocol defined in the 802.1AE MACsec standard. And with IoT network communications increasingly standardizing on Ethernet, Layer 2 encryption is the ideal choice. Why? There is a direct correlation between the strength of the security solution and the layer at which security is implemented. Typically the closer you can get to the network physical layer, or Layer 2, the stronger the security will be.
However, as noted above, encryption is but one aspect of security. While it often tops the list of security discussions, encryption only addresses information confidentiality. It does not, however, prevent an untrusted device from gaining access to a trusted network. This is a real possibility when a hacker configures a device they bought on eBay to mimic a trusted device on a secured network.
To thwart these types of intrusions on IoT network security, authentication of devices themselves and links to the devices is imperative. Equally critical is establishing the right access and communications policies for all device types that are attached to the network. In the IoT world, device authentication and authorization are equally if not more vital than encryption.
Fortunately, the KeySec protocol, defined in the 802.1X standard, makes authentication, authorization and accounting capability possible in Ethernet. With a combination of 802.1AE MACsec and 802.1X KeySec, Ethernet can tackle several security requirements including:
– Authentication, authorization and accounting — using 802.1X with a RADIUS authentication server ensures that all parties can verify who originated the secure data.
– Data integrity — the 802.1AE MACsec Integrity Check Value (ICV) field precludes modification, replacement or delay of the data beyond a known bound. Any tampering with an Ethernet frame’s payload makes the ICV the receiver computes differ from the one carried in the frame, so the frame is rejected.
– Confidentiality — 802.1AE MACsec AES encryption, with either 128- or 256-bit keys, ensures that only your intended recipients can read the secure data.
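The integrity and confidentiality items above are what a MACsec frame actually carries on the wire: a SecTAG with a packet number, the AES-GCM-encrypted payload, and the 16-byte ICV (the GCM authentication tag). The following Go program is an added example written for this article, not code from the author or from Vitesse; it models that frame layout and the receive-side checks (ICV verification, replay rejection via the packet number, GCM-AES-128 vs GCM-AES-256 selected by key length) on a constructed key and payload. The MAC addresses, SCI and sensor reading are made-up sample values, and the replay window is simplified to “PN must advance”.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// EtherType that marks a MACsec SecTAG (IEEE 802.1AE).
const macsecEtherType = 0x88E5

// TCI/AN byte used here: V=0, ES=0, SC=1 (SCI carried in the tag), SCB=0,
// E=1 and C=1 (payload encrypted, not only integrity-protected), AN=0.
const tciEncryptedWithSCI = 0x2C

const (
	sectagLen = 16 // EtherType(2) + TCI/AN(1) + SL(1) + PN(4) + SCI(8)
	icvLen    = 16 // GCM authentication tag doubles as the MACsec ICV
	hdrLen    = 12 + sectagLen
)

// newSuite returns the AEAD for GCM-AES-128 or GCM-AES-256 based on key size.
// MACsec defines no 192-bit suite, so a 24-byte key is rejected.
func newSuite(key []byte) (cipher.AEAD, string, error) {
	var name string
	switch len(key) {
	case 16:
		name = "GCM-AES-128"
	case 32:
		name = "GCM-AES-256"
	default:
		return nil, "", errors.New("MACsec key must be 16 or 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, "", err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, name, err
}

// buildSecTAG lays out the 16-byte SecTAG for a frame that carries its SCI.
func buildSecTAG(pn uint32, sci [8]byte, payloadLen int) []byte {
	tag := make([]byte, sectagLen)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = tciEncryptedWithSCI
	if payloadLen < 48 { // SL is only non-zero for short frames
		tag[3] = byte(payloadLen)
	}
	binary.BigEndian.PutUint32(tag[4:8], pn)
	copy(tag[8:16], sci[:])
	return tag
}

// protectFrame produces DA || SA || SecTAG || ciphertext || ICV. The GCM nonce is
// SCI || PN and the AAD is everything before the secure data, so a change to
// either the header or the payload invalidates the ICV.
func protectFrame(key, dst, src []byte, sci [8]byte, pn uint32, payload []byte) ([]byte, error) {
	gcm, _, err := newSuite(key)
	if err != nil {
		return nil, err
	}
	if len(dst) != 6 || len(src) != 6 {
		return nil, errors.New("MAC addresses must be 6 bytes")
	}
	if pn == 0 {
		return nil, errors.New("PN 0 is reserved; the association must be rekeyed")
	}
	sectag := buildSecTAG(pn, sci, len(payload))
	aad := append(append(append([]byte{}, dst...), src...), sectag...)
	nonce := append(append([]byte{}, sci[:]...), sectag[4:8]...)
	return append(aad, gcm.Seal(nil, nonce, payload, aad)...), nil
}

// Receiver validates frames for one secure association and enforces replay
// protection: a PN that does not advance past the last accepted one is rejected.
type Receiver struct {
	gcm    cipher.AEAD
	nextPN uint32
}

func NewReceiver(key []byte) (*Receiver, error) {
	gcm, _, err := newSuite(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{gcm: gcm, nextPN: 1}, nil
}

// Open checks the PN, verifies the ICV and returns the decrypted payload.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+icvLen {
		return nil, errors.New("frame too short for SecTAG and ICV")
	}
	sectag := frame[12:hdrLen]
	if binary.BigEndian.Uint16(sectag[0:2]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame")
	}
	pn := binary.BigEndian.Uint32(sectag[4:8])
	if pn < r.nextPN {
		return nil, fmt.Errorf("replay: PN %d already seen (expected >= %d)", pn, r.nextPN)
	}
	nonce := append(append([]byte{}, sectag[8:16]...), sectag[4:8]...)
	plain, err := r.gcm.Open(nil, nonce, frame[hdrLen:], frame[:hdrLen])
	if err != nil {
		return nil, errors.New("ICV check failed: frame modified or wrong key")
	}
	r.nextPN = pn + 1
	return plain, nil
}

// Demo runs a constructed exchange: a tampered copy, the genuine frame, then a replay.
func Demo() (plain string, tamperErr, replayErr, err error) {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed GCM-AES-128 key
	dst := []byte{0x01, 0x80, 0xC2, 0x00, 0x00, 0x03}
	src := []byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01}
	var sci [8]byte
	copy(sci[:6], src) // SCI = MAC_SA || port identifier
	sci[7] = 1
	frame, err := protectFrame(key, dst, src, sci, 1, []byte("temp=21.5C valve=open"))
	if err != nil {
		return
	}
	rx, err := NewReceiver(key)
	if err != nil {
		return
	}
	forged := append([]byte{}, frame...)
	forged[hdrLen] ^= 0x01 // flip one bit of the secure data
	_, tamperErr = rx.Open(forged)
	out, err := rx.Open(frame)
	if err != nil {
		return
	}
	plain = string(out)
	_, replayErr = rx.Open(frame) // same PN again
	return
}

func main() {
	plain, tamperErr, replayErr, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("decrypted: %q\ntampered frame: %v\nreplayed frame: %v\n", plain, tamperErr, replayErr)
}
```

The point to take from the receive path is the ordering of checks: the frame is dropped on a stale PN before any decryption is attempted, the ICV covers the addresses and SecTAG as well as the payload, and the receiver only advances its expected PN after a frame has passed the ICV check, so a forged frame with a large PN cannot push the window forward.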
Compared to IPsec, the MACsec protocol is relatively simple. Typically PHY-port based, it minimally expands the frame header and easily supports upgrades. MACsec additionally supports high-speed connectivity ranging from 1G to 100G at low power and cost. And in contrast to IPsec, MACsec doesn’t need a dedicated security processor and can be easily implemented as a line card add-on. MACsec’s other key advantage is that it scales linearly — with the number of links in hop-by-hop scenarios, or with the number of endpoints for end-to-end applications. An IPsec engine, on the other hand, is highly capacity-specific, supporting only a certain number of tunnels per port.
We expect that the ability to support strong 256-bit and 128-bit encryption will be a key requirement for IoT devices. With 10^38 times more key possibilities than 128-bit encryption, 256-bit encryption is the focus of the 802.1AEbn standard for enhanced confidentiality. Certain government agencies, such as the U.S. National Security Agency, already demand compliance with this standard.
Analysts generally forecast continued strong growth for the IoT. No doubt, Ethernet will experience similar growth as the preferred network backbone for IoT, due to its maturity and versatility as a technology, along with the benefits it brings with strong economies of scale. However, to realize its full potential, the IoT will need strong security. The good news is that several Ethernet security standards, such as MACsec and KeySec, already exist and are readily deployable into today’s IoT networks. Network planners, take note — it’s time to call upon AAA.
Martin Nuss, Ph.D. is VP, Technology and Strategy and CTO at Vitesse Semiconductor. Dr. Nuss has over 20 years of technical and management experience. He is a recognized industry expert in timing and synchronization for communications networks. Dr. Nuss serves on the board of directors for the Alliance for Telecommunications Industry Solutions (ATIS) and is a fellow of the Optical Society of America and IEEE member. He holds a doctorate in applied physics from the Technical University in Munich, Germany.
Editor’s Note: Welcome to our weekly Reality Check column where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.