3 simple steps to data security within a custom IoT solution
A question we get all the time: how is my data protected within the solution you provide? That’s a smart point. And obviously we have a clear answer, as we design and develop custom IoT solutions for a wide range of clients in the industrial space.
Since our clients require highly specific solutions, we usually cannot use sensors or products off the shelf – thus we design them on demand. This very custom approach allows us to have a deep understanding of the solution as a whole, and by that identify the real threats it is facing.
Although the data collected and analyzed in industrial IoT solutions may not always be critical (as it could be for banking information for example), it is still important to implement security measures from the very beginning. A robust data security plan will help to mitigate risks and protect sensitive data from cyber-attacks, unauthorized access, or any other threats.
Keeping in mind that, in industrial IoT, most of our clients simply want to obtain more insights from their assets in an efficient way, so we try to keep the security layer as simple as possible while mitigating the risk. Keeping the “security layer” as what it should be, without over-complexification and in function of the reality of the risk, is part of our know-how.
1. Data encryption from head to tail
We encrypt the data from the sensor up to the cloud through AES encryption. AES (Advanced Encryption Standard) encryption is a widely accepted and secure method for protecting data in an industrial IoT solution. It uses a symmetric key encryption algorithm that has been approved by the National Institute of Standards and Technology (NIST) as a secure method for protecting sensitive data.
When AES encryption is implemented, data is encrypted before it is sent over the network, and only those with the appropriate key can decrypt the data. This makes it extremely difficult for unauthorized parties to access and read the data, even if they intercept it during transmission.
Another advantage of AES encryption is that it is fast and efficient, which is crucial where data is often transmitted in real-time. The encryption and decryption processes can be performed quickly, ensuring that there is minimal delay in the transmission of the data.
Beyond encryption, we also secure our microcontrollers with read-protection. So the moment someone has physical access and would want to communicate with the microcontroller to obtain the certificates or software, it completely erases the software on the microcontroller unit.
We also need to mention that there is no encryption that is 100% effective against brute-force attacks (if time is not the limiting factor). The larger the keysize, the harder to brute-force. So the objective is to find the sweet spot between the keysize and the efficiency of the solution.
2. Finding the sweet spot between data security and energy consumption
Additive data security layers and encryption require more processing power and communication bandwidth, which in turn increases energy consumption. In the end, it can reduce the battery life and efficiency of an IoT solution.
The encryption process requires extra computational power, which can increase the energy consumption of the device. Encrypted data is typically larger than unencrypted data, which can increase the amount of data that needs to be transmitted, further increasing energy consumption. In a typical IIoT solution, a lot of sensors are working on batteries, because they have to be placed in or on machines, outside, or they have to be mobile.
Furthermore, excessive data security measures, such as constant authentication checks or overuse of encryption, can cause unnecessary communication between the IoT device and the network, which can consume additional energy. This can also result in latency issues, which can reduce the efficiency of the system.
To mitigate these issues, it’s important to strike a balance between data security and energy consumption. We can achieve this by using efficient encryption algorithms, optimizing the design of IoT devices to reduce energy consumption, and implementing security measures that are tailored to the specific requirements of our client’s IIoT solution.
By adopting a holistic approach from the very beginning of the conception, that considers both factors, it’s possible to develop a solution that is both secure and energy-efficient.
Use case: automatic door manufacturer
Among our clients, we are cooperating with a manufacturer of automatic building doors. This is a sensitive issue as it provides security to the people who work in the building, and make sure no people enter the building if not allowed.
An IoT solution for measuring automatic doors can collect various types of data about its condition and usage (frequency, time of the day, status…). In our case we installed vibration sensors. Data gathered can inform us about the usage and ultimately, thanks to an algorithm specifically developed, alert when the door will possibly fail.
The final objective of analyzing this data is to help building managers and facility operators optimize the performance of the automatic doors, reduce energy consumption, and improve the overall user experience. They can identify potential issues and schedule maintenance proactively, reducing downtime and repair costs.
Even in this particular case, the security layer doesn’t differ from other clients and sectors: a solid encryption from the beginning to the end. The vibration sensor won’t open the door, even when it’s access code has been breached. The main risks for the client aren’t at this level, but more in the access to its in-house software, like the building management solution.
3. The human operator as main weak security point
Once we covered the technical aspect of data security, it is worth mentioning where the risk threat lay. There is not a lot to gain in accessing the raw sensor data of a vibration sensor, especially when it is far easier and profitable to access the company’s most sensitive data (banking, accountancy, CRM, industrial plans).
Because errors, negligence, and lack of awareness can lead to security breaches, human beings are often considered the weakest link when it comes to data security. Employees may fall prey to phishing scams or social engineering attacks that trick them into divulging their login credentials or clicking on malicious links. They may also use weak passwords or reuse passwords across multiple accounts, making it easier for hackers to gain access to their accounts.
It is therefore crucial to provide regular training and education on security best practices, as well as to implement strict security policies and procedures. This can include measures such as multi-factor authentication, regular password changes, and limiting access to sensitive data only to those who need it.
Conclusion: data security in IoT
By this point you probably understand that data security isn’t the most complicated part of designing an IoT solution. However, it is a critical element you need to get right.
To make sure other areas of the business are also secured well, we always ask our clients what the real risk is of someone getting into their code; from the sensors to the gateway. Is it possible for a hacker to manipulate it? In most cases it comes down to the fact that it won’t be a critical issue threatening the company’s activities.
“Hackers” want to gain access to sensitive information, including intellectual property, financial data, and customer information. An IoT solution usually is not the best approach to get this.
It is far simpler and easier to access from the “tail” than the “head”. The most significant risks therefore come from accessing the company’s cloud data by entering an employee’s credentials.
Implement data security in IoT predictive maintenance solutions
Do you want to discuss an idea for IoT development and how to set up data security? Get in touch with us.
We empower forward-thinking industrials.