As new IoT security reports reveal staggering data points, it is becoming essential that the IoT community bands together to improve upon the security of IoT devices. Palo Alto Networks’ global threat intelligence team, Unit 42, recently published its 2020 Unit 42 IoT Threat Report. This report analyzed 1.2 million IoT devices to evaluate the full scope of the current IoT threat landscape, discovering that 98 percent of all IoT device traffic is unencrypted and 57 percent of IoT devices are vulnerable to medium or high-severity attacks. While these numbers may seem unnerving, there remains potential for proper widespread IoT security strategy and implementation.
At first glance, IoT security may seem daunting. However, it is possible to properly secure devices with the right protocols and cybersecurity measures in place. Any IoT security solution must be holistic in its approach, and company IoT deployments must plan to implement security measures across multiple layers that include hardware, network and software security. Open Connectivity Foundation’s focus on the software application layer is a crucial first step in the IoT design process.
The OCF Security Framework, created with the security expertise of OCF’s extensive membership base, provides a simple foundation for developers designing an IoT security solution. This framework ensures that security isn’t an afterthought – and is instead integrated at the beginning of the development process.
OCF’s Security Specification outlines device-to-device authentication and encryption methods, ensuring that IoT nodes only communicate with authorized systems. OCF’s security model is exemplified through the below figure:
During interactions between devices, the Device holding and controlling the Resources is referred to as the Server. The Server provides the Device acting as a Client with access to those Resources. This access is subject to the set of security mechanisms and policies defined by OCF. OCF’s security framework uses the steps below to ensure access is only granted to authorized entities:
- The Client establishes a network connection to the Server (Device holding the Resources)
- The Devices (Server and Client) exchange messages via a mutually authenticated secure channel between the two Devices
- The Client submits a request to the Server
- The Server receives the request
- The Server then consults the Access Control List (ACL), and looks for an Access Control Entry (ACE) matching certain criteria
- If there is a matching ACE, then access to the Resource is permitted; otherwise access is denied
- The Server sends a response back to the Client
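The Server-side decision in the steps above can be sketched in C as follows. This is an added example, not code from the OCF specification or IoTivity. The struct names, the operation bit values and the matching criteria (authenticated peer identity, Resource path, requested operation) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Operation bits (values assumed for this example). */
enum { OP_CREATE = 1, OP_RETRIEVE = 2, OP_UPDATE = 4, OP_DELETE = 8, OP_NOTIFY = 16 };

/* Hypothetical types: the session carries the identity proven on the secure channel. */
struct session { int authenticated; const char *peer_id; };
struct request { const char *href; unsigned op; };
struct ace { const char *subject; const char *href; unsigned permission; };

/* Constructed sample ACL held by the Server. */
static const struct ace sample_acl[] = {
    { "client-a", "/light/1", OP_RETRIEVE | OP_UPDATE },
    { "client-b", "/light/1", OP_RETRIEVE },
};

/* Returns 1 only if a matching ACE grants every requested operation bit. */
int server_authorize(const struct session *s, const struct request *r,
                     const struct ace *acl, size_t n)
{
    if (!s || !s->authenticated || !s->peer_id) return 0; /* no authenticated channel */
    if (!r || !r->href || r->op == 0) return 0;           /* malformed request */
    for (size_t i = 0; i < n; i++) {
        /* Subject is taken from the channel, never from the request body. */
        if (strcmp(acl[i].subject, s->peer_id) != 0) continue;
        if (strcmp(acl[i].href, r->href) != 0) continue;
        if ((acl[i].permission & r->op) == r->op) return 1;
    }
    return 0; /* no matching ACE: deny */
}

/* Convenience wrapper over the constructed sample ACL. */
int demo_authorize(int authenticated, const char *peer, const char *href, unsigned op)
{
    struct session s = { authenticated, peer };
    struct request r = { href, op };
    return server_authorize(&s, &r, sample_acl, sizeof sample_acl / sizeof sample_acl[0]);
}

int main(void)
{
    printf("client-a UPDATE /light/1: %d\n", demo_authorize(1, "client-a", "/light/1", OP_UPDATE));
    printf("client-b UPDATE /light/1: %d\n", demo_authorize(1, "client-b", "/light/1", OP_UPDATE));
    printf("unauthenticated client-a: %d\n", demo_authorize(0, "client-a", "/light/1", OP_RETRIEVE));
    return 0;
}
```

The decision defaults to deny: a request is permitted only when the channel is authenticated and one ACE covers the subject, the Resource and every requested operation.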
In addition to device authentication, the OCF 2.1.2 specification added security logging capabilities, allowing an OCF platform to record Auditable Events. These Auditable Events can then be used for log analysis or real-time understanding of a system condition. More details on OCF security logging can be found in section 5.7 of the OCF Security Specification.
Above, we’ve briefly described how OCF provides the tools necessary for software layer security. For a fully secure system, the IoT device must also have a secure network connection and secure hardware. OCF’s coalition of 400+ member companies helps to facilitate collaboration between IoT manufacturers, encouraging the creation of secure end-to-end products. A great example of this is Cascoda’s implementation of OCF-over-Thread, which combines OCF’s secure application layer and Thread’s low-power and scalable IPv6-based network layer protocol. OCF-over-Thread deployed in Cascoda’s Chili2 module represents successful industry collaboration to develop a complete, secure IoT solution.
Security remains a cornerstone of OCF, and OCF will continue to encourage industry collaboration to develop and commercialize fully secure IoT products. As the IoT landscape quickly evolves, OCF’s technical engineers are continuously addressing security improvements and making regular updates to OCF’s IoTivity open source framework.
Those interested in learning more about OCF’s security architecture are encouraged to read the full OCF Security Specification, which includes detailed information on OCF access control and authorization mechanisms, onboarding steps, security provisioning, device ownership and more.