The question of whether to use hardware or software to secure Internet of Things (IoT) devices and networks is by no means new, but it is an increasingly interesting debate as both new technologies become available and traditional IoT technology continues to age.
I recently sat down to interview Lin Nease, a Chief Technologist for IoT at Hewlett-Packard Enterprise, to learn more about what organizations that use IoT devices as part of their operations need to know.
As more organizations consider outfitting existing operational technology with IoT-like functionality or launch new types of technology with embedded IoT features, the security of the data transmitted by these devices becomes increasingly important.
Here's what Lin had to say on the topic.
🔎 Related Articles: Your Ultimate Guide to Mobile Device Security
Software for IoT Security
What are the typical methods for using software to achieve IoT security?
Lin: A lot of security technology comes down to observing behaviors on a broad scale and trying to find suspicious behaviors that are indicative of some sort of intrusion or malfeasance.
The network is the place where this type of broad-scale anomaly-detection software is deployed because for anything to do damage, it's going to typically happen over a network.
We think of these solutions as “software,” although they are technically enabled by hardware in underlying layers. Also, software monitors the software state of the systems connected to the network, looking for vulnerabilities that need to be fixed, and applying these fixes (i.e. “patches”) to those systems as part of an ongoing process.
In this case, the software for security is typically focused on, “How do I find anomalies and vulnerabilities, how do I signal to the appropriate audience the need to address them, and how do I potentially fix them?”
Hardware for IoT Security
What does it mean to use hardware for IoT security?
Lin: The hardware side is more what I would regard as the “keep bad things from happening in the first place” approach, particularly hardware associated directly with communicating endpoints.
In this case, hardware for security is looking to provide a guarantee that the conversation happening between two entities, or devices, over a network is only between these two entities and no one else. It also serves to “attest” to the identity of each entity in the eyes of the other.
Hardware, as a means for security, looks to provide this attestation of identity, as well as encrypt and protect the payloads that are being sent back and forth across the network, ultimately preventing hackers from getting into a system in the first place.
Comparing Hardware vs. Software for IoT Security
So it isn’t really a conversation of one vs. the other, but a question of what combination of the two approaches makes sense for your application and needs?
Lin: Yes, I would broadly categorize hardware as “preventing bad things,” and software solutions as trying to “detect bad things,” and remediate them on a broad scale.
Similar to how you might view health, hardware and software play two very different roles in IoT security.
Looking at the health metaphor, you have two ways in which you control or influence your physical health. Diet, exercise and lifestyle -- similar to the hardware approach for IoT security -- create a preventative barrier for health issues. The healthier you live, the less likely you are to invite illness or problems into your health.
On the other side, the medical industry seeks to come in from the outside, recognize when you have signs of illness and help you treat or remediate that illness. This is similar to the software approach to IoT security.
In each case, one approach is meant to prevent problems in the first place, and the other approach is meant to catch the problems that do arise and help get rid of them.
Just like with your health, a good approach balances the use of both methods. Certain situations or goals will dictate which method will be more effective.
🔎 Related Articles: Your Complete Guide to Building an NSA CSfC Approved Solution
Benefits of Hardware for IoT Security
What are the benefits of using hardware for IoT security?
Lin: Hardware is critical to securing devices, the endpoints on the network.
Hardware, especially hardware that lends itself to trustworthiness, is incredibly valuable and it goes beyond just reducing the risk of bad things. It is capable of changing business processes.
For example, if I feel like I can trust an endpoint, it can completely change the nature of what I ask that device to do, and it changes the overall cost and efficacy of the process in significant ways.
The hardware allows me to definitively identify who I'm talking to in a conversation over a network. That's called the root of trust, and the root of trust, if I have that and I can count on that, it completely changes the process I build around that conversation.
Hardware actually prevents attacks in the first place and creates a root of trust.
Lin: Let’s use NSA-developed technology as an example.
I'm on a public network. I want to put my laptop on the network and access some pretty sensitive data. If I have a hardware solution -- and only if I have a hardware solution -- it allows me to build in a lock and key that reduces my risk dramatically.
Once I know that this is someone who is authorized to access this data, and I have hardware protection behind it, that changes the ability to even allow that process to happen in the first place.
A hardware solution will be more likely to work with legacy equipment or networks.
Lin: A hardware-based approach is extremely important because, in most industrial environments where people are trying to build these IoT solutions, they're trying to automate or collect data about systems and processes that in the past were managed manually and relied on older technology.
Now they're trying to connect those systems and collect data about them.
Now we’re exposing the entire operation to all these bad actors out there.
Meanwhile, the operational systems we're talking about are, in many cases, quite old technologies. It's virtually impossible – not to mention impractical – to secure these systems from the network side.
To even consider adding IoT functionality to these systems, they have to be somehow locked down in their communication, and a hardware-based solution is pretty much the only means to do that.
A hardware solution helps to secure both the device itself and the network on which it communicates.
There are two very important reasons why hardware is useful in a situation where you are relying on legacy technology.
- First, you may not be able to find software that can work with the old equipment and the old network, as described above.
- Second, not only are you protecting the endpoint itself when you connect a hardware-based security solution to it, but you're protecting the entire network. In many cases, this will be the first time that the network is suddenly accessible from the outside.
Lin: It's critical for these systems to continue to be inaccessible from the outside, even once they are hooked up and communicating internally. You need to know, and very finely tune, what the devices and networks can connect to.
You need precise granularity in controlling which devices can communicate and how. This is what hardware enables.
A hardware-based solution comes with less “maintenance.”
The software approach to IoT security means lots of monitoring, maintenance, and updates. This means you need a team in place to do that.
Lin: When I have a hardware solution that allows me to very tightly secure endpoint devices, it makes life a lot easier for the software that's trying to look for problems, because there is a much lower percentage of those communications that have to be scanned and tracked and monitored.
Overall, a hardware-based solution may be able to provide greater ROI.
Lin:To justify the cost of implementing an IoT solution, you need a compelling reason to pay for the cost of connecting these systems.
For instance, if I'm doing condition-based monitoring of some asset, and I could double the useful life between maintenance events of that asset, then the ROI becomes the reduction in maintenance costs, minus the IT costs I've added to connect it. The more expensive it is to get devices on the network, the lower the odds that this will be a successful project.
How do hardware-based solutions help lower costs?
Hardware-based solutions can help keep costs down in a few ways:
- They may extend the useful life of assets you’ve already invested heavily in. Legacy technology that can only be secured through a hardware-based solution may have required a significant investment. Replacing it with something new that can be secured with software is usually not as cost-effective (or even fiscally possible in some cases) as the cost to connect a hardware-based solution.
- They can reduce your maintenance and management costs as you will likely need less manpower to run the solution long-term.
How should I decide what to use for my IoT deployment?
Many projects will use some combination of both hardware and software-based security to achieve their end goals.
There are definitely certain types of projects that fit better in one camp or another, but you’ll have to really sit down and understand the scope of your project and what you are hoping to achieve before you can truly answer that question.
Are there certain project types that lend themselves better to hardware-based solutions?
Lin: There is a whole class of assets that are a strong fit for hardware-based security.
They include human-machine interfaces, control systems that are connected to conventional networks, historians that are used to collect data from a process manufacturing operation over time, and supervisory control and data acquisition systems (or SCADA).
These systems are historically not connected to other networks, so if I want to take their data and send it to a data lake for some analytical treatment, the ability to have a hardware solution that secures those systems is of great value.
Really, if there's any type of control system in the world -- whether it's a building HVAC system, a machine that's cutting diapers in a large plant, or a machine that's processing chemicals in a refinery -- any of those connected assets could benefit from a hardware solution.
Are there certain project types that lend themselves better to a software-based solution?
Lin: Well, there are many projects where the buyer is someone who's making a decision about corporate-wide security or distributed, replicated sites -- like a dozen factories -- and they're all networked together with some hub and spoke topology, and they want to try to secure them all at once.
It's quite an undertaking to try and go and put a hardware-based security apparatus at each of a large number of distributed end devices.
In fact, it's impractical to embark on such a project, but it's not impractical to think about a software approach to looking for anomalies across a set of networks in a company that represents thousands of endpoint devices.
It comes down to the scope and goals of the project, who the decision-maker is, and what they have the budget to address.
What is the most important takeaway someone should think about when deciding how to address security for their IoT deployment?
Lin: You have to be concerned with both hardware and software security at all times.
You have to have a plan and you need to have the right people with the right skills to both design and implement and execute that plan.
And keep in mind, that the plan will inevitably change.
You need both the ability to secure old legacy technology or current existing devices that might not even be connected to networks today.
You will need this. As your company goes through digital transformation, you will need these capabilities.
I think everyone understands the software side. What people probably don't understand is the opportunity to use hardware components to make their life easier in the near term.