The Internet of Things (IoT) industry overall is booming, while the global market for IoT-focused satellite services is forecasted to grow to $5.9 billion by 2025. The U.S. and Canada are seeing more coverage and reliable satellite-compatible solutions in conjunction with a dramatic reduction in operating costs. A wider range of industries across the continent are now able to deploy IoT devices for remote use cases that were previously cost-prohibitive and limited by short-lived batteries.
Whether IoT devices are in space or on Earth, they have the potential to present a great amount of risk if they are unsecure. Unsecure connectivity could lead to entire national infrastructures being hacked with catastrophic results.
Governments across the world are looking at potential risks and are trying to mitigate them. For example, in 2020 the US government introduced a bill, Internet of Things Cybersecurity Improvement Act of 2020, which became law, requiring that IoT devices purchased with government money must meet minimum security requirements addressing the current supply chain risk to the federal government.
Which begs the question: how do we “ensure communication security” for the future of IoT?
1. Privacy
With maintaining privacy, it’s important that third parties cannot determine the identity associated with over-the-air transmissions or be able to decipher whether messages are sent from one device or multiple devices. There should be no discernable association between messages and devices (to prevent “metadata attacks”). While the use of strong cryptographic principles is relatively well-adapted for encryption and integrity, many systems still send identifying data. Cryptographic approaches can equally provide privacy, but by taking these precautions, organizations will also prevent targeted fraud attempts, which can thwart hackers’ efforts to attack a particular user or device.
2. Scalability
IoT has the potential to connect billions of devices and must be scalable to not only ensure future success, but also to ensure security. Effective privacy and security IoT network infrastructures must be in place even if the device is using low-cost and low-power IoT connectivity. . The IoT industry must cater for exponential growth while supporting lower-power and low-cost solutions. Forward security measures need to be implemented so that upgrades and improvements can be deployed, and to provide methods that address the device security issues already in the field.
If the industry doesn’t get IoT security right, hackers will have the potential to control incredibly sensitive personal, commercial or national information with devastating consequences. The risks and consequences are enormous, and it’s important that the industry gets behind initiatives like the Internet of Things Cybersecurity Improvement Act .
3. Integrity
It is vital that an attacker cannot successfully tamper with or forge messages. Such attempts should be detectable by the network. There should also be no ability to replay a recorded message and have it successfully authenticated. Strong cryptographic approaches, such as hash-based message authentication, can provide these protections, and should be used to ensure data integrity.
4. Confidentiality
Third parties must not be able to identify any data sent over the network, this is a basic requirement of all communications systems. All data should be encrypted from the point it is generated to wherever it is transmitted. End-to-end encryption should be performed using strong, well-vetted and standardized cryptographic primitives, with unique key material. The Zero Trust principle is set up so that even if an eavesdropper has access to “the pipes,” so to speak, end-to-end encryption ensures confidentiality. Systems should make it easy for users to use encryption by making it default.
5. Zero Trust
The traditional approach to network security has been to control access, but it assumes the interior of the network is a “safe place.” This has been continuously proven to be a bad assumption. The Zero Trust approach by contrast replaces blind trust with verification and strong cryptographic guarantees. The goal is to maintain security, integrity and privacy even in the event that the underlying infrastructure is compromised. Zero Trust affords no special status to the network and treats it the same as if it were “in the wild” on the public Internet.
