In every discussion about the Internet of Things (IoT) at every industry conference or event, the question of security always arises. And there’s a good reason for that. To embrace the IoT concept and position yourself to be on the receiving end of all its potential game-changing benefits, you have to connect many of your plant-floor devices to the Internet. And in doing so, you are potentially exposing your operations to every hacker in existence.
Viewed from this perspective, the cybersecurity challenges of the IoT seem overwhelming. And the ongoing rush of new security products and approaches—from embedded devices to in-depth IT policies and procedures—makes it even harder for many manufacturers to determine what to do first.
Alan Grau, president and co-founder of Icon Labs, offers a different view of the issue to help industrial companies approach the problem. “Part of the challenge is recognizing every IoT device requires a different approach to security,” he says. “So, how do you decide the correct level of security for your device?”
Grau suggests first recognizing the four device classes with common security concerns. He describes these classes as:
- Class 1—includes very small ZigBee, Bluetooth, and near-field communication (NFC) IoT devices often using 8 and 16 bit MCUs. Industrial examples of these devices include remote telemetry (often battery-powered), sensors, and other lower bandwidth sensors and devices.
- Class 2—these devices are typically small, low cost RTOS-based devices utilizing 32 bit MCU systems, such as medical devices, low-end network appliances, and telematics often paired with cellular or Wi-Fi connectivity.
- Class 3—this class of devices is exemplified by larger and more expensive medical and industrial automation devices, such as robotics and even smart automobiles, which are usually powered by 32 bit MPUs with Ethernet or Wi-Fi connectivity.
- Class 4—here, the devices run single or multiple 32 or 64 bit processors and use embedded Linux, Android, or a full-featured RTOS supporting multiple networking protocols. Gateways, high-end medical devices, and military devices are common examples.
By classifying devices on your network in such a way, it’s easier to address your IoT cybersecurity issues in more approachable segments, rather than attempting to secure everything at once.
“Obviously there is overlap among these [classes],” Grau says, “but this model allows some general assessment of security requirements. Determining the details of security capabilities and features to be implemented for a given device depends upon the available memory, processing power of the core(s), interfaces, attack vectors, threat analysis, and ultimately, business trade-offs.”
The Floodgate Security Framework offered by Grau’s company, Icon Labs, is designed to address the differing cybersecurity needs for the varying class levels of devices. To learn more about this Framework of security products, visit: www.iconlabs.com/prod/product-family/floodgate-security-framework.
