The key to IoT cybersecurity is in the devices

The IoT device is by far the most vulnerable element in the entire security chain. And the main reason is the lack of firmware updates.

IoT cybersecurity is one of the biggest concerns that companies in industrial sectors have when it comes to tackling an IoT project or deployment. And it is not an unfounded concern.

Companies are exposed to a multitude of cybersecurity threats that can cause irreparable economic damage. If you are interested in going deeper into the subject, we recommend that you download our Guide to Cybersecurity in the Industrial IoT, in which we explain in more detail, among other things, what these types of attacks are.

But to talk about IoT security is to talk about cybersecurity in each of the elements of its value chain. And to do that, the first thing to do is to understand what the IoT value chain is.

This chain is far from standardized, and not everyone agrees on how to define it; the IoT market is still too immature for that. However, there is some consensus on the three levels at which the IoT value chain should be considered:

- The "edge" or local plane: this is the level closest to the physical world, the "T" in IoT: the devices. This includes both the set of sensors and actuators that interact with the physical world, as well as the gateways, hubs and other IoT nodes that communicate locally with the former. (It should be noted, however, that the term "edge" is not always equally understood in all industries. This is especially noticeable in the telecommunications industry, where the "edge" is often literally the "edge" of the network, rather than an element of the local plane).  

- The communications network: It is the highway that connects data from the local to the remote plane and vice versa. It links the physical world with the digital world of the Internet.

- The cloud or remote plane: this is what makes the "I" in IoT make sense. It collects, processes and exploits the data it receives (here it is important to note that it is very common for part of the processing and intelligence on local data to be done at the edge - known as "edge computing"). The IoT cloud encompasses the set of servers, databases and remote analytics and visualization platforms that give meaning and value to the data. It is usually also the main communication interface with the human consumer of this data.

To talk about security in IoT is therefore to talk about security at each of these three levels, and all of them are important to ensure the integrity of the data exchanged and of the remote and local systems involved.

Both communications networks and cloud elements are traditionally far better protected. That is precisely why the vast majority of cyberattacks and security threats are focused on IoT devices.

The IoT device: the weakest link in the IoT cybersecurity chain

The IoT device is by far the most vulnerable element in the entire cybersecurity chain. And the main reason is the lack of updates to its firmware.

As users in sectors as mature as personal computers and mobile telephony, we are more than used to receiving notifications of new versions, security patches and so on. This means that our smartphones and laptops are always up to date and protected against the latest vulnerabilities as they appear. However, in the IoT world this is far from being the norm.

Most IoT devices, once deployed in their physical environment, are rarely updated, which greatly increases the risk of becoming a victim of a cyberattack.

There are mainly two realities that explain why IoT devices are not being updated in the same way that our phones and computers are:

  • The immaturity of the industrial IoT market: the fact that we are in the "adolescence" of IoT means that cybersecurity is not perceived as a primary need. If we were to put all the needs that motivate a company to undertake an IoT project into a sort of Maslow's pyramid, there are other concerns that come before cybersecurity and that support this pyramid. And precisely therein lies the problem: worrying about IoT security when you have already developed the project, instead of doing it from the design stage, prevents it from being done correctly.
  • The complexity of managing a distributed, remote and tremendously heterogeneous environment: The very concept of IoT is based on the existence of a multitude of distributed "things". Being able to ensure the updating of all these devices in an efficient and scalable way makes it essential to have a secure remote management system. Otherwise, the cost of having to periodically update IoT devices locally would make any project of a certain size unfeasible. In addition, the lack of standards (de jure or de facto) in the development of IoT devices complicates this management, and leaves it up to each provider to respond (or not) to this need.

How to cybersecure IoT devices

Nothing stays cybersecure forever, and IoT devices are no exception, so the keys to ensuring their integrity are, in our opinion, as follows:

  1. Use as a basis solutions that include security from the design stage. Cybersecurity should be conceived from the outset, not as an add-on or an optional feature that can be added later.
  2. Have control over the entire lifecycle of devices. This allows the ability to update all IoT devices in an efficient and agile way, and manage their operation at all times.
  3. Professional support. Having someone who is concerned about generating security patches with sufficient consistency so that IoT devices are properly protected at all times is key. It is common to use free software that has no associated maintenance, which makes it very costly or even unfeasible to protect IoT devices at all times.

Barbara and IoT cybersecurity

At Barbara IoT we believe in these principles, and our value proposition is based on them. Our operating system, Barbara OS:

  • is created with security from the ground up. It has been built to include a number of security features that protect the integrity of IoT devices and the data they manage.
  • allows you to perform complete IoT device lifecycle management. Through a management panel, you have your equipment under control at all times: you can change its configuration and update it.
  • is maintained with regular updates. Our development team is continuously integrating not only functional improvements but also all the security patches that are available at any time to solve public vulnerabilities.

If you want to know more about the state of cybersecurity in the industrial IoT, we recommend that you download our new guide.