Securing IoE Gateways

When we talk about the , (IoE) we have come to realize that it will really be made up of a lot of different “things. It will envelope everything from home automation to intelligent vehicles, to wearables, to industrial applications, military, infrastructure. The list is almost endless. And there is a lot of discussion about securing these “things” on any number of levels. One of those levels is the gateway.

Figure 1. IoE gateway. Courtesy Nexcom

“Presently, there is a lot of existing infrastructure that is not connected — roughly 85%,” according to Craig Owen, software architect at . “And we think that gateways are an excellent way to bring connectivity and functionality to that infrastructure.”

However, it would be somewhat oversimplified to say that using gateways to connect that unconnected infrastructure is the answer. Doing a high-level flyover of the IoE, one begins to realize that all of these “things” are really part of any number of an almost infinite number of networks, each with its own security issues, some local, some global, some infrastructure and some because of the devices themselves.

And within these networks, infrastructures and devices exist any number of unique security challenges. While next-generation gateways promise the potential of some very sophisticated hardware that can address many of the challenges of complex and often convoluted networks, they will only be a cog in the intricate web of global interconnect.

Take wearables, for example. Wearables sometimes can be as simple as a pace counter that tracks your vitals as you run. Perhaps it will, simply, talk to the IoE to download comparison data or upload the data to your personal network. On the other end, with advances in telemedicine, there might be something like a wireless version of a Holter monitor that not only continuously monitors cardiac activity and uploads the data via the IoE, but may be connected to any number of emergency responder networks or hospitals, as well.

What both have in common, as will almost all the devices within the IoE, is that there will be gateways within the path.

“In terms of ‘things,’ whether it is deeply embedded applications or whether it is the next generation of wireless, single-chip radios, smart sensors have different forms of communicating from the sensor in the smart device to your personal network or the cloud,” said Andre Hassan director of field marketing and applications at Kilopass. “That, to a certain extent, influences the type of radio that is used with all of the security implications involved.”

There are more communications between things than you might expect, too. “If you look at today’s IoT stereotype, it’s usually a single-chip radio with some sensor — either integrated or sitting outside — to capture information and then communicates it somewhat,” Hassan said. “It does very little locally with that information, just maybe some filtering. This description would apply to today’s biometric wearables, for example, where they are measuring your statistics and communicating them to your phone. Then it’s up to your phone whether to communicate that to you either by buzzing or telling you something, or even communicating it to some application in the cloud. When we refer to the gateway, that’s dependent on the type of radio and the type of application.”

The gateway function
Fundamentally, the gateway is the “gatekeeper” of a network — the point where all traffic funnels through. Depending on the type of network, the gateway can have a variety of functions and various levels of sophistication. Gateways also can be integrated with other components, generally a router or switch, or both. In such a capacity the gateway will partition the network into two separate components – one that is trusted and secure, and one that is untrusted and unsecure.

The gateway of the IoE will, in its most complex form, will have sophisticated computing and networking capability. Some of which will include aggregating data from a multitude of devices, becoming the fabric switch to route device data, and providing security.

“However, one has to be careful with IoT/E access points and gateways, and they shouldn’t be looked at as what will solve the IoT/E security issues,” noted Patrick Nielsen, senior security researcher at Kaspersky Labs. That means the savvy security architect will have to look at the gateway as part of an overall solution when designing tomorrow’s networks.

That segregation and the understanding of the gateway’s role in the networks of the future become critically important going forward. With the IoE vision to expand connectivity throughout the world, components such as gateways will not only be connected to each other, but potentially to every other device on the IoE, as well. That means they will no longer be exposed to just localized threats, but threats from any network, anywhere, including the global network. Therefore, it will be vital to ensure the trustworthiness of the gateways, not only across networks, but also globally.

Next-generation IoE gateways
IoE gateways will be a different breed. There are new technical requirements that these gateways will have to employ. Among them:

• Mesh and edge and computing techniques. A lot of the data will be coming from the edge or fog and will need to be handled close to the edge to conserve bandwidth, power, and to reduce the time required to process it in the cloud.

• Advanced design to be able to offer flexible platforms. These systems will need to accommodate a large variety of interfaces and network protocols, as well as complex software and exposed deployments. These designs also must protect the connectivity so the gateway doesn’t permit malicious attacks.

• High levels of interoperability with standards support. That includes even legacy network protocol. All of this is necessary to provide the most flexible connectivity support among the pervasive various types of components and devices from a plethora of different vendors.

• Certifiable. Gateways must be capable of certification to a number of standards, both wireless and wireline, as well as other industry standards.

• Platform agnostic. Gateways need to offer services to applications across the board, from structured data subsets to raw physical data from a broad set of devices.

• Autonomy. New gateways will have to be ultra, reliable, self-configuring, and remotely reconfigurable.

The technology
To accomplish this, especially with the disparate environments the IoE will incorporate, requires a number of interconnect options. There are several manufacturers’ chipsets that can fit the bill. In general, interconnect solutions integrated into gateway chipsets encompass the following. Of course, depending upon application these will vary from design to design. But in most cases, next generation gateway solutions will have to support interfaces, including Ethernet, PCI Express, USB 2/3.0, SD/SDIO/eMMC, SPI, UART, and I2C/GPIO. It will also contain a variety of wireless interfaces, including Wi-Fi, Bluetooth, ZigBee, Z-Wave, Thread, and their low-power brethren, and 3/4/5G radio protocols.

Fog computing will entail a number of functions, mainly data analysis, event management and routing. For example, the gateway can analyze sensor data from edge devices and make deterministic decisions regardless of whether the data is authentic, meaningful, or requires further action. It also can aggregate this data and package, store or forward based upon a set of criteria from the application. Figure 2 is an example of what one of these IoE gateways is capable of.

At the edge
The edge and the fog will be pervasive in the IoE. In fact, edge and fog networks will be major elements of the IoE, and IoE gateways must be able to closely integrate with edge and fog networks.

Figure 2. IoE gateway. Courtesy of Nexcom.

The purpose of intelligence at the edge is to allow data to seamlessly flow between the cloud and end devices. Furthermore, for a time, there will be both legacy and new systems that will require integration, which is more efficiently handled close to the source. Kin-Yip Liu, senior director of systems engineering, and segment marketing at Cavium, supports that idea. “It doesn’t always make sense to send all the data to the clouded for a couple of reasons. First of all, it can sometimes be just too distant. Second, it can be a lot of data, or just data that needs to be consumed locally.”

This is generally called fog computing and much of it can be handled by intelligent gateways. “Fog computing is really just localized processing, and the gateway is a good place to do some of this,” Liu said.

Gateway intelligence
Really, intelligence simply means a menu of technologies coupled with code that analyzes conditions and applies the correct solution. It can be integrated into the hardware as IP or as a software stack. A simple example of that is the radio interface. Assume that the gateway has an integrated multi-band, multi-frequency RF modem capable of working on all the flavors of wireless. It is a simple matter to add code to analyze the signal and process it.

Other intelligence, such as determining the relevancy of data from an edge sensor for example, works similarly. A series of conditions is coded into the application that analyzes the data, if it meets certain conditions it is valid, if not it can be deemed an error, irrelevant or even routed for further analysis. AI and fuzzy logic can be used to “teach” the application, or the gateway, to make better decisions and improve the margins of error.

This will become more and more important as the IoE unfolds, simply because the massive amounts and diversity of data that will be part of the IoE. To be able to keep up with that, intelligent gateways will require advanced processors and specialized chips to handle the load.

Gateway security
The importance of gateway security cannot be over emphasized. The reason is that many of the IoE devices will be low-cost and low-tech—simple sensors that will be challenged to have anything other than the most basic of security, if that. One can argue this will change as technology advances, but the reality is that many common low-cost sensors will have razor-thin margins, and OEMs are reluctant to add the cost of security at these points. There is no indication this is changing, either. Therefore, the security burden falls on the other devices in the loop, and gateways are a good solution from a system perspective. At the higher level, IoE devices will have encryption by default so that issue becomes less of a problem for gateways.

Fig. 3: Courtesy of Lerablog.

But that doesn’t mean gateways don’t have vulnerabilities. “When one looks at the possible compromise issues of an access point, there are so many levels one can attack a device that is on it, wouldn’t be smart to disregard security at the gateway,” Nielsen said.

One of the relevant issues harkens back to legacy devices. Gateways must be able to pass a variety of data, and legacy devices generally use very simple protocols that can, easily be used as vehicle to “trick” gateways and other devices into allowing malicious software to get by. So gateways must understand the simple structures of legacy equipment, yet be aware of the vulnerabilities.

Another consideration for security gateways, according to Owen, is complexity. “Gateways are at a somewhat higher risk because they tend to run more complex software with raised levels of communications. They communicate not only with the IoE devices, but also have command and control capabilities.”

In that vein, the gateway is responsible for proving to the systems on the back side, with which it communicates, that it’s running authentic boot software, the right application stack, and that the data feeds passing through are verified. With gateways that is less of an issue than with many of the IoE devices because they are relatively high-end and can bear the cost of high levels of security. “Gateways can integrate high-end SoCs that have dedicated MCUs that do things like separate execution routines and do identity verification,” Owen said.

Another platform that works well with gateways is the firewall. “Firewalls have evolved significantly over the last 15 to 20 years, or so and the industry is staring to give firewalls some serious consideration,” said Steven Woo, vice president of enterprise solutions technology at Rambus.”

That is a good approach because gateways protect the perimeter, and firewall technology is an excellent platform to support that. For example, there is one area of advancement that is focusing on allowed and rejected relationships and transactions inside the firewall at very sophisticated levels.

“The advantage to that is when you have and highly defined criteria of what should, and can happen, then behavior outside of what is defined is quickly, and more precisely identified,” said Woo. That means the firewall itself can provide a significant layer of security within gateways.

Missive
Secure gateways will become a major player in the IoE infrastructure. The IoE will have so many devices, networks, and systems that perimeter security will become a principal elementand be implemented on a massive scale. Perimeter defense is emerging as an essential element in the overall security platform.

Securing devices is a given. But many of the generic, lower end devices will not have adequate security to prevent compromise. Next-generation gateways will be sophisticated devices that will integrate a myriad of technologies. To protect those technologies, they also will integrate a number of advanced security platforms.

Gateways are coming of age. They are taking on new roles and reach new heights of sophistication. As a tool in the security wheelhouse, they will play and integral part in the protection of the new IoE.