Getting IoT Security Right: Lessons from Other Security-Conscious Markets

by Christopher Schouten | Sep 27, 2018 | IoT

“IoT security” has long been a hot topic, with many articles and conferences insisting that the biggest single obstacle to growth in this industry is the lack of a comprehensive solution to secure IoT devices and ecosystems. But in many ways, the challenge of IoT security is not a new one, and there are clear parallels between IoT security and other industries that have needed to secure their critical assets and business models.  Understanding the technical and commercial structure of these approaches provides excellent guidance for IoT device manufacturers on how to address their security needs as well.

The focus of this article is on the global pay television market. Like many industries leveraging the Internet of Things, pay-TV involves high-value business models (more than US$200 billion in annual revenues), vulnerable edge devices subject to attack (set-top boxes), and a quickly evolving threat landscape that requires an active and dynamic approach to security.

A Short History of Pay-TV Security

From the very beginning of digital pay TV’s launch in the 1990’s, service providers turned to a small group of specialized Conditional Access System (CAS) companies whose expertise was in securing the pay-TV business model against piracy using smart card-based solutions that they either developed themselves in-house or customized based on available industry chips. Smart cards were the technology of choice for pay TV because they provided a hardware-based root of trust, securely storing the keys necessary decrypt access to pay-TV services. Smart cards also allowed service providers to implement and manage a single security solution across a variety of different set-top box vendors and devices, as well as offering the advantage of being replaceable, enabling service providers to “swap” cards in case of security issues.

By defining this “intermediary” role for CAS vendors in between the device manufacturers and the pay-TV operators who used those devices, it not only allowed each party to focus on their core strengths and business activities, but it also created a clear definition of who was responsible for the security lifecycle management of pay-TV services. And considering the average life of a set-top is almost 10 years and that CAS systems are under constant attack, that role is a critical one in order to create a sustainable pay-TV business model.

This is very important to consider when we think about IoT device security. The question of “who is responsible for what” is one that needs to be unequivocal.  In the world of pay TV, this was a byproduct of the fact that the companies providing CAS technologies were effectively different companies than those providing the devices themselves. Therefore, security responsibilities were clearly defined, and when breaches occurred (as they inevitably did), pay-TV operators knew exactly to whom they could turn for support. As a result, this successful model still remains dominant today in broadcast pay television, and the technology provided by CAS vendors has continued to evolve over time to fend off wave after wave of pirate attacks.

Becoming a Trusted, Strategic Security Partner

As CAS vendors become the trusted security experts in pay TV, operators also began to ask for their help with the end-to-end definition of their security architectures and choice of other technologies, like chipsets and set-top boxes. In fact, CAS vendors ultimately took responsibility for certifying the end-to-end implementation of pay-TV security, with the other parties in the chain required to submit their technologies for evaluation and approval. As the industry evolved further and new video distribution methods (namely the internet) and devices (like PCs, tablets and smartphones) became popular, CAS vendors were called on to adapt their security technologies to this environment as well. This role in helping design security into new devices, adapting it to new networks and evolving it over time is critical to IoT as well.

In addition, as pirates started to leverage the internet to distribute content illegally in new ways, CAS vendors were called on to provide managed anti-piracy services. This included both monitoring the internet and dark web for piracy as well as the response measures required to actively manage it. Today, CAS market leaders like Kudelski Group’s NAGRA are able to cover the entire end-to-end security needs of their customers, helping them to design, integrate, certify, run and sustain high levels of security over time, protecting their critical assets and business models. This same breadth of products and services is also important to consider when selecting an IoT security vendor.

Other Industries Embrace Similar Models

Pay TV is not the only industry to embrace the model of an independent security partner. Others as varied as banking, telecommunications and IT, all of which involve billions of dollars in revenue at risk of fraud, have also turned to trusted third-party security providers as well, also frequently using smart cards. This technology has protected a wide range of different types of businesses:

• Banking applications, where smart cards have been used as payment and credit cards
• Telecommunications, where smart cards (in the form of SIM cards) have been used to secure the secrets required for phones to access mobile networks
• Corporate IT, where smart cards give secure access to company networks and resources

Smart card-based systems for all these industries are designed to resist attacks from even the most determined hackers and pirates, and as a consequence, these industries have resisted sustained efforts from organized criminals to undermine their businesses. As a result, the technology has evolved and flourished.  Smart cards have been so successful because they provide a secure device for storing data and executing security functions that need to remain “secret”, preventing counterfeit and pirate solutions from becoming widespread.

Whom Do You Trust?

Fast forward to IoT and many device manufacturers seem to be repeating mistakes that were already made and solved in these other industries many years ago. The worst mistake is that many IoT devices seem to be designed without any security at all, or with security only as an afterthought. Many IoT silicon vendors – whose real expertise lies in delivering functionality and connectivity – see this as an opportunity to position “security” as a selling point for their chips in the hope they can differentiate their products in what is often a low-margin business. But designing security into IoT chipsets is not enough to secure end-to-end security lifecycle management provided by the specialized security vendors like the ones mentioned above. The key question is whether or not the security provider is committed to the long-term protection of the end customer’s business model and has the infrastructure and operational experience to be the long-term guarantor of end-to-end IoT security.

What Does Good IoT Security Require?

Let’s assume for the moment that device manufacturers and service providers embrace the concept of identifying a partner to be responsible for security. What should they look for?

• Deep relationships with key chipset vendors and the ability to influence their designs are required
• The flexibility to deliver a root of trust using a variety of different protection methods (integrated secure element, SIM card, TEE, etc) in order to achieve maximum device reach.
• The ability to provision devices with secrets, either in the production process or over the air (OTA) based on close collaboration with these chipset vendors.
• The ability to quickly update code on deployed products in case of hacking
• The ability to constantly monitor (via in-field diagnostics) any deployed products to anticipate potential security compromises (by using techniques such as artificial intelligence-based behavioral monitoring, for example)
• The presence of proprietary security mechanisms embedded into the silicon in order to activate countermeasures (as has historically been done with smart cards) in the event of a security breach
• Cryptographic algorithms and other security elements should be changeable in the field on deployed products to counteract piracy on deployed devices.

Most of these things require a strong collaboration on design between IC vendors and security vendors in order to align with the required features. Is such collaboration likely to happen? In industries like pay-TV, it has become the norm. Whether it becomes the norm with IoT will depend greatly on the decisions made by device manufacturers when they chose their security partners and IC vendors. Sometimes at the outset, it may appear efficient to select a “one-stop shop” solution, but a judicious reflection needs to consider the long term, and a key question is “who do I call when bandits knock at my door?”

Final Key Questions

In summary, IoT device makers and service providers are invited to consider two very important questions that are critical to IoT success.

1. Does your security provider have the technical ability and operational experience to help you withstand both basic and advanced attacks?
2. Is their commercial business model aligned with your needs for long-term security lifecycle management, keeping your IoT products secure over the long term?

Selecting a trusted, strategic security partner who has the ability and relationships to execute on the required technical features and services to enable sustainable business models is crucial. Once these types of questions become seriously considered in the IoT market, we will be able to make progress on removing “security” from the list of barriers holding back the full potential of the Internet of Things.