Securing IoT Edge Devices

Limited compute resources and a complex ecosystem make edge security tough, but chip-to-cloud solutions could help.


It certainly isn’t any secret that the industry continues to be challenged when it comes to adopting and implementing practical IoT security solutions. However, it is important to understand that IoT edge devices typically only have basic resources, such as reduced CPU processing power and a minimal amount of RAM and flash memory. This means there are limited compute capabilities available for security solutions. For example, a typical smartphone processor scores 5000-10,000 on the industry-standard Embedded Microprocessor Benchmark Consortium (EEMBC) CoreMark benchmark, while an average smart meter processor scores only 10-300. Most smartphones use at least 1GB of RAM, while only 50-500KB of RAM is available in the average smart meter.

OEMs and service providers also have a complex ecosystem to contend with, which starts with the integration of the chipset firmware and third-party libraries and involves a number of stakeholders and steps along the way. These include OEMs, electronics manufacturing services (EMS), IoT platform providers and security and key management providers. This complexity has the potential to increase the attack surface, with layered vulnerabilities that are difficult to identify before deployment and detect after deployment.

Device management and budgetary challenges
Onboarding and managing the lifecycle of millions of devices also presents a particularly daunting scalability challenge for both OEMs and service providers. Let’s take a closer look at what manually onboarding IoT devices involves. First, the device must be configured. Then, device credentials are provisioned and linked to the device registry in the cloud. This can take up to 20 minutes to onboard a single device; 33 hours for 100; and 138 days for 10K devices. Let’s think about this in the context of onboarding and managing the lifecycles of 27.5B devices by 2020!

Meanwhile, device cost considerations and time to market (TTM) pressure mean OEMs typically only implement and utilize limited device security measures. Why? Well, let’s take a closer look at an estimated average security cost breakdown: device security hardware and/or firmware at $1-2 per device; credential provisioning at 10 cents per device; client and cloud integration, as well as non-recurring engineering (NRE) costs of $300K. Now, what about TTM? Well, for client and cloud security integration you are looking at a 6-month investment for each, which can add up to a total of one year in terms of TTM impact.

Securing the edge: A practical approach
Fortunately, there are a number of practical approaches to IoT security. As we noted earlier, IoT devices are somewhat constrained by limited device resources (CPU/RAM). Nevertheless, device manufacturers can choose IoT processors that include integrated security hardware to reduce CPU load, RAM usage and code footprint. Meanwhile, the complexity of the IoT ecosystem (device to cloud) can be simplified for both OEMs and service providers by adopting an integrated chip-to-cloud solution – rather than stitching together multiple, discrete components. In addition, service providers can utilize a scalable over-the-air (OTA) secure provisioning solution to more easily manage device onboarding and lifecycle. Lastly, since most chipset vendors do not charge extra for using available security hardware resources, OEMs can choose a chip-to-cloud solution that leverages existing chipset security capabilities to mitigate device cost limitations and TTM pressure.

Conclusion
IoT edge devices typically have only basic resources, such as reduced CPU processing power and a minimal amount of RAM. This means there are limited compute capabilities available for security solutions. In addition, OEMs and service providers have a complex ecosystem to contend with, such as securing hardware, selecting cloud infrastructure and integrating security for the client and cloud. Fortunately, there are a number of practical approaches to securing IoT edge devices and their service, including selecting a comprehensive chip-to-cloud solution that leverages existing chipset security capabilities to mitigate device cost limitations and time to market pressure.


