IoT Security

Security applies to data both in flight and at rest.

The three basic principles of security are:

  • Authenticity – the source is authentic
  • Integrity – the integrity of the contents has not been compromised
  • Confidentiality – the contents have remained confidential

As a simple example, if you receive an email from your bank, you would want to ensure that:

  1. The email is genuinely from your bank – Authenticity
  2. The email contents have not been changed on their way to you – Integrity
  3. No one else has read the email – Confidentiality

The level of security required is of course highly dependent on your circumstances, environment and the level of risk that you are comfortable with – there is clearly a difference between the security requirements for a military drone and for the soil moisture sensor in your garden.

Symmetric vs Asymmetric encryption

Symmetric encryption uses a single shared secret key both to encrypt and to decrypt a message, so the sender and the recipient must already hold that key. Asymmetric encryption uses the public key of the recipient to encrypt the message; to decrypt it, the recipient uses his/her own private key, which is never shared.

Image source: https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences

For an excellent description of the differences, see the Image source link above.
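As an added example (not from this page or its image source), the bank-email scenario from the list above, implemented in Go with the standard library. It shows how the two kinds of encryption are combined in practice: a fresh symmetric key (AES-256-GCM) encrypts the body, the recipient's RSA public key wraps that symmetric key so only the recipient can unwrap it, and the bank's RSA private key signs the result. The function names, the 2048-bit key size and the message text are assumptions made for the example. OpenEmail reports which of the three properties failed, so a forged sender, a modified message and a mis-addressed message each produce a distinct error.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeyPair gives a participant (bank or customer) an RSA key pair; 2048 bits is an example choice.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealedEmail is what travels over the network; the body itself never appears in it.
type SealedEmail struct {
	Ciphertext []byte // GCM nonce || encrypted body || authentication tag
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the recipient's public key
	Signature  []byte // RSA-PSS signature by the sender over Ciphertext
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEmail: a fresh symmetric key encrypts the body (confidentiality, integrity), the
// recipient's public key wraps that key so only the recipient can unwrap it, and the
// sender's private key signs the result (authenticity).
func SealEmail(senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey, body []byte) (*SealedEmail, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, body, nil) // nonce is prepended to the output
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SealedEmail{Ciphertext: ct, WrappedKey: wrapped, Signature: sig}, nil
}

// OpenEmail checks the three properties and reports which one failed.
func OpenEmail(recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey, e *SealedEmail) ([]byte, error) {
	digest := sha256.Sum256(e.Ciphertext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], e.Signature, nil); err != nil {
		return nil, errors.New("authenticity: not signed by the claimed sender, or modified after signing")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("confidentiality: this private key cannot unwrap the message key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(e.Ciphertext) < n {
		return nil, errors.New("integrity: ciphertext too short")
	}
	body, err := gcm.Open(nil, e.Ciphertext[:n], e.Ciphertext[n:], nil)
	if err != nil {
		return nil, errors.New("integrity: GCM tag mismatch, ciphertext was altered")
	}
	return body, nil
}

func main() {
	bank, _ := NewKeyPair()
	customer, _ := NewKeyPair()
	e, _ := SealEmail(bank, &customer.PublicKey, []byte("Your statement is ready."))
	body, err := OpenEmail(customer, &bank.PublicKey, e)
	fmt.Printf("honest delivery: %q err=%v\n", body, err)
	e.Ciphertext[len(e.Ciphertext)-1] ^= 0x01 // one bit flipped in transit
	_, err = OpenEmail(customer, &bank.PublicKey, e)
	fmt.Println("after tampering:", err)
}
```

Run it with `go run`. The signature is computed over the ciphertext rather than the plaintext, so any modification in transit is rejected before decryption is even attempted, and the recipient's private key is the only thing that can unwrap the AES key, which is why the symmetric key can be generated fresh for every message instead of being distributed in advance.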

LoRaWAN Security & Encryption

Several competing IoT Security standards, kitemarks and processes are available, and at the time of writing (Jan 2021) none of them are finalised.

  • IoT Security Compliance Framework, IoT Security Foundation.

IoT Security Standards & Organisations

The IoT Security Foundation

IoT-Security-Compliance-Framework https://www.iotsecurityfoundation.org/best-practice-guidelines/

Key Standard: IoT Security Compliance Framework

2.1.1 Risk Assessment
In security terms, context is everything – each application differs in use-case and operating environment. It is the responsibility of the Framework user to determine their risk appetite within their stated usage environment and therefore the specific compliance class (section 2.2) of the security measures applied.

Product/Device Security classes – a device may be in different classes depending on the installed use case/environment:

Example Compliance Requirements:

https://www.iotsecurityfoundation.org/

https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security/

https://www.gsma.com/iot/knowledgebase/iot-security/

https://www.intellectsoft.net/blog/biggest-iot-security-issues/

https://www.youtube.com/watch?v=uBTjsB4DQoM/

https://www.linkedin.com/pulse/securing-lorawan-secure-elements-johan-stokking/

https://lora-alliance.org/resource_hub/lorawan-is-secure-but-implementation-matters/

https://lora-alliance.org/wp-content/uploads/2020/11/la_faq_security_0220_v1.2_0.pdf/

https://manysecured.net/about/
https://manysecured.net/news/manysecured-gateway-project-applies-collaborative-artificial-intelligence-to-iot-cybersecurity/

https://iotsfconference.com/

https://www.linkedin.com/in/claredowell/?originalSubdomain=uk

https://aesin.org.uk/about/

https://www.kaspersky.com/resource-center/definitions/what-is-iot

https://www.prnewswire.co.uk/news-releases/increasing-need-for-device-management-security-pushes-iot-security-services-to-us-16-8-billion-by-2026-850037972.html

https://www.iotsecurityfoundation.org/best-practice-user-mark-badges/

https://www.youtube.com/watch?v=Nu_yZelDMZI

https://www.youtube.com/watch?v=_l97P00Nl-8

https://www.youtube.com/watch?v=S6nJzSc4iy4

https://www.refirmlabs.com/how-to-enforce-iot-security-standards-and-compliance/

Application Key

The application key (AppKey) is only known by the device and by the application. Dynamically activated devices (OTAA) use the Application Key (AppKey) to derive the two session keys during the activation procedure. In The Things Network you can have a default AppKey which will be used to activate all devices, or customize the AppKey per device.
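As an added example (not The Things Network's code, and not from the page), this Go program performs the LoRaWAN 1.0.x OTAA session key derivation that the paragraph refers to, using only the standard library's AES. Both session keys are a single AES-128 block encryption under AppKey of a tag byte, the AppNonce and NetID from the Join-Accept, the DevNonce from the Join-Request, and zero padding. The AppKey, NetID and nonce values below are constructed placeholders, and JoinMaterial, DeriveSessionKeys and MustKey are names chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// JoinMaterial is the OTAA data that feeds session key derivation in LoRaWAN 1.0.x:
// AppNonce (3 bytes) and NetID (3 bytes) come from the Join-Accept, DevNonce (2 bytes)
// from the Join-Request. Values are given in over-the-air (little-endian) byte order.
type JoinMaterial struct {
	AppNonce [3]byte
	NetID    [3]byte
	DevNonce [2]byte
}

// DeriveSessionKeys implements the LoRaWAN 1.0.x derivation:
//   NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
//   AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)
// The device and the join server both run exactly this, so neither session key crosses the air.
func DeriveSessionKeys(appKey [16]byte, m JoinMaterial) (nwkSKey, appSKey [16]byte, err error) {
	block, err := aes.NewCipher(appKey[:])
	if err != nil {
		return nwkSKey, appSKey, err
	}
	derive := func(tag byte) (out [16]byte) {
		var in [16]byte // 9 bytes of material; the remaining 7 bytes stay zero (pad16)
		in[0] = tag
		copy(in[1:4], m.AppNonce[:])
		copy(in[4:7], m.NetID[:])
		copy(in[7:9], m.DevNonce[:])
		block.Encrypt(out[:], in[:]) // one raw AES-128 block; no mode of operation is involved
		return out
	}
	return derive(0x01), derive(0x02), nil
}

// MustKey parses a 32-hex-character AppKey. The value used in main is a constructed placeholder.
func MustKey(h string) [16]byte {
	b, err := hex.DecodeString(h)
	if err != nil || len(b) != 16 {
		panic("AppKey must be 16 bytes of hex")
	}
	var k [16]byte
	copy(k[:], b)
	return k
}

func main() {
	appKey := MustKey("00112233445566778899aabbccddeeff") // constructed, not a real key
	join := JoinMaterial{
		AppNonce: [3]byte{0x01, 0x02, 0x03}, // constructed join-server nonce
		NetID:    [3]byte{0x13, 0x00, 0x00}, // constructed NetID in wire order
		DevNonce: [2]byte{0x42, 0x13},       // constructed device nonce
	}
	nwk, app, err := DeriveSessionKeys(appKey, join)
	if err != nil {
		panic(err)
	}
	fmt.Printf("NwkSKey %x\nAppSKey %x\n", nwk, app)
	// Each join uses a fresh DevNonce, so a replayed Join-Request cannot reproduce the old keys.
	join.DevNonce = [2]byte{0x43, 0x13}
	nwk2, _, _ := DeriveSessionKeys(appKey, join)
	fmt.Println("new DevNonce changes NwkSKey:", !bytes.Equal(nwk[:], nwk2[:]))
}
```

Because the device and the network each hold AppKey and each see the nonces, both compute NwkSKey and AppSKey locally and the session keys themselves are never transmitted. The same derivation also shows why a single default AppKey shared by every device is the weaker of the two options the paragraph mentions: with a shared root key, whoever extracts it from one device can derive the session keys of any other device whose join exchange they observe, whereas a per-device AppKey confines that loss to the one device.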