Securing the IoT Edge (Part 1)
Written by Jason Shepherd, LF Edge member, VP of Ecosystem for Zededa and active leader in Project EVE
This post originally ran on the Zededa Medium blog.
IoT adoption by the enterprise is on the rise. Yet despite interest in the space accelerating, organizations of varying sizes and verticals have run into several roadblocks in implementation. Previously, we discussed why IoT needs edge computing to realize its full potential. In this two-part blog series, we will review the unique security implications of a distributed edge and how organizations can secure the edge.
Over time, software-defined edge computing is only expected to become more sophisticated, and we will begin processing more and more critical information in distributed locations. Many edge computing systems host their own web servers for remote maintenance and logins, making them a prime attack surface, especially for bad actors who could inject or extract data and disrupt an entire ecosystem from a single unsecured system. Users need solutions that deliver new applications to the edge to drive efficient business outcomes while also maintaining an appropriate security posture.
Not all edge locations are created equally when it comes to security. Practices for securing deployments at the cloud edge and within secured telecommunications infrastructure (e.g., cell tower facilities), modular data centers, etc., tend to be quite similar to traditional data centers. Meanwhile, as edge deployments get closer to the physical world — in locations such as the factory floor, inside wind turbines, on trucks, or within rooftop HVAC systems, to name a few — unique security challenges are introduced. As we dive into what this entails, let’s take a look at what makes security for the distributed edge unique.
Scale: Part of IoT’s value stems from having numerous devices connected in order to understand the holistic picture of your operations. Over time, we will see device deployments scale to the trillions, which is many orders of magnitude larger than the volume of deployments in centralized locations. This translates into an unwieldy number of distributed edge assets that an organization must secure and manage. Solutions oriented towards securing and managing data center infrastructure typically aren’t set up for this kind of scale, which is why we can’t simply copy and paste them to solve the problem.
Lack of physical and network perimeters: Another key challenge for securing distributed edges is that there are often no physical perimeters (e.g., the four walls of a secure data center) or network perimeters. In operations out in the field, it is very common to rely on a backhaul network and perimeter elements (such as NATs and proxies) that are owned or managed by someone else when it is not practical to create your own network (e.g., cellular backhaul). In general, solutions should not rely on having an owned network or firewall to protect them.
Heterogeneity: The IoT edge is inherently heterogeneous, comprising a variety of technologies including sensors, communication protocols, hardware types, operating systems, control systems, networks, and so forth. Skill sets spanning IT and OT (e.g., network and security admins, DevOps, production, quality and maintenance engineers, data scientists, etc.) are necessary to realize IoT as a convergence of the physical and digital. Security solutions need to accommodate a wide variety of technologies and skill sets in order to be effective.
Varying priorities: In the IT world, it is typically acceptable to immediately shut down access to the network to isolate an affected system in the event of a security breach. Meanwhile, the impact due to information loss (e.g., credit card data or IP) plays out over a long period of time. In contrast, in the OT world, a security compromise can lead to immediate loss of production and risk to safety, so any issues need to be addressed gracefully. As such, your security solution needs to recognize these different priorities and strike a balance.
Constrained devices: Many IoT sensors and devices are too constrained resource-wise to employ security measures such as encryption. The same goes for legacy systems that were never intended to be connected to broader networks, let alone the internet. In order to protect these devices, we must rely on more capable compute immediately upstream to serve as the first line of defense, providing functions such as root of trust and encryption.
As we seek to reap the benefits of edge computing, we must recognize the nuances it requires of our security approach. It can’t be the same as what we’re used to in data centers; instead, we must take the edge’s characteristics into account to build a distinct approach. In part two of this series, we will share a foundational strategy for securing IoT edge deployments.