These numbers appear incredible until we start to consider the volume of IoT devices that will drive smart streetlights, water, power metering, parking, padlock solutions and the myriad of other use cases that will impact, and indeed be critical, to the operation of cities in the future.
Use cases will increasingly become part of a city’s critical infrastructure and as such security and data integrity must be at the fore when deciding on and delivering an IoT framework.
If you think IoT security means payload encryption, think again
As with all technology the issue of security is not limited to a single sphere. In a recent conversation I overheard an animated dialogue about the need for security. One person explained that as long as the payloads are encrypted during transmission then “we’re all good”.
This is a long way from reality and we must consider security end-to-end and not limited to transmission. Any discussion about security must go beyond technology and also encompass policy and procedure framework, security across various types of use cases and, the most fallible of all in the chain, the human element.
Think security, think access
Security and data integrity go hand in hand along with data availability and accessibility. We cannot consider security without considering how this will affect access to data by the right people, departments and organisations. Taking this one step further, what should access be if data is compromised or if the integrity of that data is in question?
Cyber security and the question of machine-to-machine data is becoming integral to the operation of cities across the globe. Hacking may be a dirty word but it is a threat in all areas of technology. As critical infrastructure is exposed to a large number of disparate organisations, cities must have a way to secure devices, network, data and the output and controls of that data.
So, we have to think end-to-end and we have to think of how to secure the data while making it accessible and available to the people and organisations who need to make use of it.
Let’s start with the technology
Devices
The payload from every device does indeed need to be encrypted as a starting point. We must however go further to ensure we are handling keys and devices appropriately. Check the way device manufacturers are designing and implementing the software in their products to ensure the best methodologies are being followed, with dynamic keys for example.
Consider how devices are configured, how they’re mounted, and whether there is a possibility for tampering. The technology exists to protect the data but the protection of payloads is only one element. A few things you should ensure:
- Devices are not physically accessible.
- Device software is to standard and meets the carrier grade.
- Device certification by a reputable carrier ensures devices are checked prior to operating over the network, protecting the city, device owner and the network.
- Devices have met the local hardware and software standards, carrying certification such as RCM and N-Tick (NNNCo’s device certification program).
- Devices carry the encryption befitting the use case. For example devices not providing dynamic key exchange should be avoided.
Network
No matter what type of low power wide area network (LPWAN) chosen for IoT, there are important factors to consider when thinking about security. These include the decision between private or public networks, selection of communications between gateways and the network core, whether the network server manages the encryption keys to a standard which is sustainable, and finally where your valuable city data lands.
A few key points on network:
- Make sure your network provider meets Australian regulations. If you decide on a private network be sure that your provider actually delivers a network which can meet the scrutiny of a security audit. The advantage of selecting a licensed telecommunications carrier is accountability at the highest level with annual scrutiny of security policy and topology.
- Ensure the network operates to a standard which ensures availability and regulatory compliance thus reducing risk.
- Ensure backhaul is done using the highest standards, for example VPN connectivity between gateway and network server.
Data and device management
The management of devices and the data generated is central to the success of any IoT network and solution. Cities need to be able to take any device from any network and maintain integrity of the data for immediate and long-term use. This is best done using a central database which has the ability to deliver data to multiple end points while maintaining the city’s control of data.
Data sovereignty and city control
When designing an IoT network and solutions framework, a critical consideration must include who has access to the data collected, where and how this data is stored and for how long. I am seeing an increasing number of application providers who are willing to ingest the data from sensors and devices to provide a solution to a city including analytics, visualisation, and storage. The problem here is that the city is losing control of the data they are looking to gather.
Control of the management of data should lie with the owner of the device generating the data. If the owner chooses to allow a third party to access their valuable data this should be done with the degree of control and flexibility required by the city.
Our approach to this is simple – pass the data to whomever you choose but keep the control of this data in the hands of the device owner. For this NNNCo has built a data platform (N2N-DL) where the permissions and data access are managed via a tiered multi-tenanted environment where the city can control who accesses the data and when.
Finally, for IoT to realise the potential benefits, to people, the economy and the environment at scale, there needs to be a way to securely manage and share data with those who will bring the greatest benefit.
To conclude:
- Have a clear policy environment for the management of data with clearly identified policy goals.
- Pick your partners carefully. Look for organisations whose goals clearly align with the city’s desired outcomes and whose solutions have a proven and identifiable security focus.
- Choose your IoT technologies at every stage considering data integrity, accessibility and availability as key to the selection. All technology choices can be implemented effectively or poorly which will impact both security and data integrity.
- Ensure the city has control of and/or final authority over the allocation and distribution of data by maintaining a database where flexibility and sovereignty is as important as the data itself.