Building a Robust and Extensive Security Architecture

Jun 21, 2018 - 3:33 AM

By Jiang Wangcheng, President of IoT Network Solution, Huawei

Challenges and Threats

The security of the Internet of Things (IoT) is critical, given the potential damage hackers can cause by hijacking huge numbers of networked objects and creating zombie botnets. Yet, awareness of enterprise IoT security is generally very poor. In fact, IoT products from many companies have zero security protocols.

HP’s Security Research Cyber Risk Report shows that 27 percent of IoT control systems have been compromised or infected, over 80 percent of IoT devices have weak passwords, more than 80 percent of devices retain hardware debug interfaces, over 70 percent of device communication processes are not encrypted and over 90 percent of device firmware updates are not signed or verified. A large number of IoT communication protocols also lack security mechanisms, according to the report. This has allowed a spate of attacks targeting or originating from IoT devices in the past few years, including an internet outage across a large swath of the U.S. and a simulated attack on a Tesla car.

IoT security faces two major challenges. The first is complex deployment environments and network structures, including the need to access and process data for massive numbers of devices, and the differing security requirements of different industries. The second is limited computing and network resources. Current IoT sensors and some gateways have tight cost and power consumption constraints, plus limited computing power and storage capacities.

3T + 1M Architecture Security

Huawei developed its 3T + 1M (technology + management) security architecture with the following in mind: IoT security threats; IoT application scenarios; and specific IoT security requirements. 3T + 1M architecture encompasses devices, pipes, clouds/platforms, data security, privacy protection and end-to-end security O&M.

Device and Cloud Anti-attack Measures

Building a device security system is the first line of defense in ensuring IoT security. The security capabilities of devices need to be configured to match their functions and computing resources, including memory, storage and CPU. For weak devices, such as water and gas meters, where resources are limited and power consumption and cost are issues, basic security capabilities are a must. These include basic two-way authentication, DTLS+, encrypted transmission and remote upgradability, as well as lightweight and secure transmission protocols. Strong devices with more powerful computing capabilities that don’t have power consumption constraints and are operationally critical, such as industrial control terminals and car networking equipment, require advanced security capabilities, including trusted devices, intrusion detection, secure startup, and anti-virus protection. Device chip security and security for lightweight operating systems such as LiteOS need defense capabilities in line with the security protections of strong devices.
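The "remote upgradability" capability listed above, and the signed and verified firmware updates that the report statistics say most devices lack, come down to a small check the device performs before it boots new code. The following is an added example, not Huawei's or any product's code: a build server signs a manifest (version, image length, SHA-256 of the image) with Ed25519, and the device verifies the signature against a vendor public key assumed to be provisioned at manufacture, refuses rollback to an older version, and only then trusts the image hash. The manifest layout, error names, device names and firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed header that travels with a firmware image.
// Constructed layout (big-endian): version uint32 | image length uint32 | SHA-256 of image.
type Manifest struct {
	Version   uint32
	ImageLen  uint32
	ImageHash [sha256.Size]byte
}

// Bytes serialises the manifest; this exact byte string is what gets signed and verified.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint32(buf[0:4], m.Version)
	binary.BigEndian.PutUint32(buf[4:8], m.ImageLen)
	copy(buf[8:], m.ImageHash[:])
	return buf
}

// Update is what the device receives over the air.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// SignUpdate is the build-server side: hash the image, fill the manifest, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageLen: uint32(len(image)), ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrRollback     = errors.New("version not newer than installed")
)

// VerifyUpdate is the device side. vendorPub is assumed to be baked into the device at
// manufacture (ROM/OTP on real hardware); installed is the currently running version.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	// 1. Authenticate the manifest first; nothing in it is trusted until this passes.
	if !ed25519.Verify(vendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: a genuinely signed but older image must still be refused,
	//    otherwise a version with known bugs can be reinstalled.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Bind the image to the authenticated manifest through its length and hash.
	if uint32(len(u.Image)) != u.Manifest.ImageLen || sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

// RunScenarios exercises the verifier with constructed inputs: a genuine update, a tampered
// image, a replayed old version and an update signed with a key the device does not trust.
func RunScenarios() []error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")
	const installed = 1

	genuine := SignUpdate(vendorPriv, 2, image)

	tampered := genuine // same signed manifest, one flipped byte in the image
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 0xff

	replay := SignUpdate(vendorPriv, 1, []byte("constructed firmware image v1"))
	foreign := SignUpdate(rogueKey, 3, image)

	return []error{
		VerifyUpdate(vendorPub, installed, genuine),
		VerifyUpdate(vendorPub, installed, tampered),
		VerifyUpdate(vendorPub, installed, replay),
		VerifyUpdate(vendorPub, installed, foreign),
	}
}

func main() {
	labels := []string{"genuine v2", "tampered image", "replayed v1", "foreign key"}
	for i, err := range RunScenarios() {
		fmt.Printf("%-15s -> %v\n", labels[i], err)
	}
}
```

The order of the checks matters: the signature is verified before the version or hash is read, so a forged manifest cannot steer the later logic, and the rollback check sits before the hash check so that a correctly signed old image is rejected without doing the work of hashing it.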

Detect and Isolate

Network and IoT platforms require detection and isolation technologies for infected devices. They must quickly detect and identify malicious behavior across a massive number of IoT devices, then send alarm signals and isolate devices that could harm the system. First, the network needs surge and DDoS protection capabilities. Second, the network must be able to coordinate with the IoT platform to identify malicious devices using rule matching, Big Data analytics, AI-based machine learning and other rapid-detection analysis algorithms, such as those applied to device behavior, traffic anomalies and packet analysis. The IoT platform also needs to be able to quickly diagnose and respond to device behavior detection results, given the application scenario and specific situation. Responses include early warnings, observation, isolation, and forcing devices offline. The platform will also instruct the network to take appropriate action. This is the second line of defense in IoT security.
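The paragraph above names the ingredients of the second line of defense (rule matching, behaviour and traffic-anomaly analysis, tiered responses) without showing how they fit together. The following is an added example, not Huawei's or any platform's code, that combines a per-device connection-rate baseline with a destination-port rule and maps the result onto the response tiers named above (early warning, observation, isolation, forcing offline). Device names, the one-minute flow records and the thresholds are constructed for the example; a real platform would learn baselines from far more history and tune the thresholds per device class.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Action is the tiered response the platform can instruct the network to take.
type Action int

const (
	Normal Action = iota
	EarlyWarning
	Observe
	Isolate
	ForceOffline
)

var actionNames = []string{"normal", "early-warning", "observe", "isolate", "force-offline"}

func (a Action) String() string { return actionNames[a] }

// FlowSample is one minute of aggregated egress for one device (constructed record format).
type FlowSample struct {
	Device string
	Minute int
	Flows  int   // new outbound connections in the minute
	Ports  []int // distinct destination ports seen in the minute
}

// DeviceProfile is the per-device baseline learned from history.
type DeviceProfile struct {
	MeanFlows, StdFlows float64
	KnownPorts          map[int]bool
}

// LearnProfiles builds a baseline per device: population mean and standard deviation of the
// connection rate, plus the set of destination ports the device has ever used.
func LearnProfiles(history []FlowSample) map[string]*DeviceProfile {
	byDev := map[string][]FlowSample{}
	for _, s := range history {
		byDev[s.Device] = append(byDev[s.Device], s)
	}
	profiles := map[string]*DeviceProfile{}
	for dev, samples := range byDev {
		p := &DeviceProfile{KnownPorts: map[int]bool{}}
		for _, s := range samples {
			p.MeanFlows += float64(s.Flows)
			for _, port := range s.Ports {
				p.KnownPorts[port] = true
			}
		}
		p.MeanFlows /= float64(len(samples))
		for _, s := range samples {
			d := float64(s.Flows) - p.MeanFlows
			p.StdFlows += d * d
		}
		p.StdFlows = math.Sqrt(p.StdFlows / float64(len(samples)))
		if p.StdFlows < 1 { // floor: a perfectly regular history must not turn every blip into infinity
			p.StdFlows = 1
		}
		profiles[dev] = p
	}
	return profiles
}

// Finding is the detection result for one current sample.
type Finding struct {
	Device   string
	ZScore   float64
	NewPorts []int
	Action   Action
}

// Evaluate scores the connection rate against the baseline (z-score), applies the
// never-seen-port rule, and maps the combination onto the response tiers.
func Evaluate(profiles map[string]*DeviceProfile, current FlowSample) Finding {
	f := Finding{Device: current.Device}
	p, ok := profiles[current.Device]
	if !ok { // no baseline yet: observe the device until one is learned
		f.Action = Observe
		return f
	}
	f.ZScore = (float64(current.Flows) - p.MeanFlows) / p.StdFlows
	for _, port := range current.Ports {
		if !p.KnownPorts[port] {
			f.NewPorts = append(f.NewPorts, port)
		}
	}
	sort.Ints(f.NewPorts)
	switch {
	case f.ZScore >= 8 && len(f.NewPorts) > 0:
		f.Action = ForceOffline // rate explosion towards ports the device never used
	case f.ZScore >= 8:
		f.Action = Isolate
	case f.ZScore >= 3:
		f.Action = Observe
	case len(f.NewPorts) > 0:
		f.Action = EarlyWarning
	default:
		f.Action = Normal
	}
	return f
}

// series builds constructed history: one sample per minute with fixed destination ports.
func series(dev string, flows []int, ports ...int) []FlowSample {
	out := make([]FlowSample, len(flows))
	for i, n := range flows {
		out[i] = FlowSample{Device: dev, Minute: i, Flows: n, Ports: ports}
	}
	return out
}

// ConstructedHistory is ten minutes of normal behaviour for four constructed devices.
func ConstructedHistory() []FlowSample {
	var h []FlowSample
	h = append(h, series("meter-001", []int{3, 2, 4, 3, 3, 2, 4, 3, 3, 3}, 5684)...)
	h = append(h, series("meter-002", []int{3, 2, 4, 3, 3, 2, 4, 3, 3, 3}, 5684)...)
	h = append(h, series("gateway-07", []int{20, 30, 25, 20, 30, 25, 20, 30, 25, 25}, 443, 8883)...)
	h = append(h, series("camera-12", []int{50, 50, 50, 50, 50, 50, 50, 50, 50, 50}, 443)...)
	return h
}

// ConstructedCurrent is the minute under evaluation; meter-002 and camera-12 misbehave,
// sensor-99 has never been seen before.
func ConstructedCurrent() []FlowSample {
	return []FlowSample{
		{Device: "meter-001", Minute: 10, Flows: 3, Ports: []int{5684}},
		{Device: "meter-002", Minute: 10, Flows: 400, Ports: []int{5684, 23}},
		{Device: "gateway-07", Minute: 10, Flows: 45, Ports: []int{443}},
		{Device: "camera-12", Minute: 10, Flows: 52, Ports: []int{443, 8080}},
		{Device: "sensor-99", Minute: 10, Flows: 1, Ports: []int{5684}},
	}
}

// RunDetection learns baselines from the constructed history and evaluates the current minute.
func RunDetection() map[string]Finding {
	profiles := LearnProfiles(ConstructedHistory())
	out := map[string]Finding{}
	for _, s := range ConstructedCurrent() {
		out[s.Device] = Evaluate(profiles, s)
	}
	return out
}

func main() {
	findings := RunDetection()
	devs := make([]string, 0, len(findings))
	for d := range findings {
		devs = append(devs, d)
	}
	sort.Strings(devs)
	for _, d := range devs {
		f := findings[d]
		fmt.Printf("%-11s z=%7.1f new-ports=%v -> %s\n", d, f.ZScore, f.NewPorts, f.Action)
	}
}
```

With the constructed data, meter-001 stays normal, gateway-07 is observed for a rate roughly five standard deviations above its mean, camera-12 gets an early warning for a destination port it has never used, meter-002 is forced offline for a rate explosion combined with a new port, and the unknown sensor-99 is observed until a baseline exists. Splitting the decision into a score and a rule, then mapping the pair to a tier, is what lets the platform instruct the network proportionately instead of isolating on every outlier.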

Platform and Data Protection

The requirements for cloud platforms and data protection are much higher for IoT, including the platform’s own security, data storage, processing, transmission and sharing functions. As well as native cloud security such as WAF, firewalls and HIDS, various other measures are required to protect the IoT platform from being attacked and to meet specific IoT data protection requirements, such as those for data privacy protection, data lifecycle management, data API security authorization, tenant data isolation and encrypted video data storage, and to comply with national IoT data privacy requirements (e.g., GDPR). This is the third line of defense in IoT security.

Security Control and O&M

Establishing O&M system tools, along with the operating capabilities and responsibilities of O&M personnel, is critical to IoT security. For coordinated handling across the layered device-pipe-cloud architecture, O&M system tools need to provide end-to-end visualized situational awareness across the network, daily security assessments, O&M security reports and smart security inspections. Providing security O&M guidance for IoT O&M personnel, and standard security operating procedures for O&M operations, enables O&M personnel and policy makers to perform service management. This improves the capability of the whole IoT security system, from preventive early warnings, detection and analysis to dealing with events after they occur.

The Security Ecosystem Is Essential

Huawei is committed to building an open ecosystem for IoT security. With this in mind, Huawei’s OpenLabs help industry partners develop IoT security capabilities. Huawei has shared its security capabilities in chips, networks and platforms, as well as its O&M tools, with carrier and vertical industry partners. The labs provide partners with technical specifications, guidance on security design and testing, test cases for IoT device security and end-to-end validation services, so that they can develop their own testing tools to ensure the access security of IoT devices.

With standards development and research on IoT security ecosystems just getting underway, Huawei believes in collaboration that combines the strengths of upstream and downstream manufacturers to lead trials and experiments that will drive the maturity of the key technologies, solutions, testing and verification practices and industrial applications in IoT security. Huawei will also encourage industry standards organizations like 3GPP, IETF, oneM2M, and 5GAA to develop and improve IoT security standards as quickly as possible. This will offer a guarantee of security to support the rapid growth of the IoT industry.

The MWC Shanghai IoT Summit will be held on June 28, 2018. Huawei will present its views and strategies for IoT security in detail. We hope that everyone in the IoT industry will come and brainstorm with us about how to build a fully connected, intelligent world.

Link to Huawei MWC Shanghai: http://carrier.huawei.com/cn/events/mwcs2018