Securing Data-Centric vs. Action-Centric IoT
In 2008, the number of connected devices surpassed the number of humans on Earth, and now, in 2020, analysts predict the exponential growth of the Internet of Things will cross the 50 billion devices mark.
This unprecedented explosion of IoT adoption (five times faster than the adoption of electricity or telephony) coincides with an era of mounting concern around cybersecurity and data privacy, creating a challenging climate for IoT’s growth. My friend Andy Ellis recently joked in a tweet on an article about 5G and IoT, “your periodic reminder that the ‘S’ in ‘IoT’ stands for security,” which, of course, is a tongue-in-cheek jab at the pervasive lack of security in today’s connected devices.
Data-Centric vs. Action-Centric IoT
It’s easy to intuitively know the security risks of digital signage displaying the price for a Pepsi isn’t the same as those affecting, for example, an infusion pump in a hospital. If we start to dissect what an IoT system is doing, we’ll soon see whether the data is simply being analyzed to inform better decision-making, or if data analysis is being used to automate an action without human intervention.
The former structure is considered data-centric IoT and the latter is action-centric IoT. We can further break this down, and I think HPE chose memorable alliterative language in their whitepaper on “The Intelligent Edge” when they defined the 3Cs of Connectivity, Compute, and Control. Here are my own definitions and examples.
The 3Cs of IoT
- Connectivity: Networking of “things” such as devices, machines, and people to facilitate the exchange of data. Examples: management of an internet-connected thermostat, a connected digital price tag, a connected temperature sensor, or a connected pressure sensor.
- Compute: Using data gathered for analysis and non-real-time decision-making. Examples: evaluating data from internet-connected thermostats for the purpose of predicting power consumption demands over time; evaluating data from weather sensors to correlate purchases of beverages to temperature over time; and evaluating data from a pressure sensor in conjunction with other readings to determine a required maintenance schedule for a system.
- Control: Application of computed or analyzed data for real-time or near-real-time control or action on a system. Examples: dynamic adjustment of connected thermostats to control power consumption during risk of a regional brownout; dynamic adjustment of the price of beverages based on outdoor temperature (e.g., increasing price during hot weather); or dynamic control of an actuator to open a flow control valve based on pressure readings.
Thinking about IoT in terms of the 3Cs, an obvious pattern emerges with easily discernible lines between data- and action-centric systems and the varying needs for security in each. The more critical the system or data, the more stringent the security should be. The more latency sensitive, the higher the availability requirements.
Applied Security in IoT
Data- and action-centric systems have differing security requirements, and any good IoT security framework will present considerations and controls in terms of impact on the integrity, availability, or confidentiality of the system.
- Integrity ensures data is accurate and going to and from trusted sources. In the world of IoT, this involves everything from basic authentication to cryptographic functions for data integrity checks. Considerations and concerns include secure provisioning, proper device identification, and protection for over-the-air management. Integrity plays a big role in both data- and action-centric IoT applications, with a heightened requirement in action-centric where automated commands may impact systems and directly or indirectly lead to loss of life (e.g., traffic systems, wastewater facilities, and healthcare).
- Availability ensures the system, its components, and/or data are accessible when needed. Considerations specific to IoT include physical security since the devices are small and distributed, mitigations for DoS and DDoS attacks (e.g., against RF jamming or buffer overflow attacks), and secure and authenticated provisioning to ensure malicious attacks via unauthorized endpoints or through man-in-the-middle attacks don’t render a system unavailable. Battery life in small form factor IoT devices also plays a role in availability, where polling for tamper protection and positioning are restricted. Availability is of less concern in data-centric IoT models, where a temporary loss of communication doesn’t impact the overall analysis of data, whereas availability in action-centric IoT systems is arguably the most critical of the security considerations.
- Confidentiality protects both data and management communications through encryption, which plays a role in integrity and availability as well as data privacy. Most compliance regulations outline detailed requirements for confidentiality of specific data types (e.g., PCI for card data, HIPAA for patient data, CJIS for criminal data). Considerations and challenges in the IoT space are related to limitations in compute and storage in today’s shrinking form factors. Lightweight encryption protocols are being developed, but with few standards and regulation around IoT, these devices often lack even the most basic crypto features. Confidentiality is important in both IoT models, but the case could be made that confidentiality of the larger data sets and analysis in data-centric models is one of its most critical security components. Conversely, in most action-centric systems, availability (along with speed) are paramount.
Applying the 3Cs of connectivity, compute, and control models in IoT helps us clearly delineate data-centric vs. action-centric IoT systems, and apply the right levels of controls for integrity, availability, and confidentiality to secure these systems.