Earlier this month, Jeff Dorsch of Semiconductor Engineering wrote an article about securing the network edge. According to Dorsch, microcontrollers, sensors and other devices that “live” at the edge of the Internet must be protected against cyberattacks and intrusions just as much as the chips in data centers, network routers and PCs.
“[However], securing those edge devices presents a swath of unique challenges, including the cost and availability of technology resources, as well as varying levels of motivation to solve these problems by both vendors and end users,” he explained. “Security companies have been sounding the alarm for several years, citing statistics about the rising number of breaches and the increasing value of those attacks.”
As Dorsch notes, securing the edge has become ever more urgent as safety concerns move to the fore. For example, assisted and autonomous driving has transformed a vehicle into a network of networks. Indeed, real-time responsiveness is required for accident avoidance, while cloud-based connectivity is needed for such items as traffic reports, weather alerts and entertainment.
“Likewise, embedded systems are being used to monitor and control critical infrastructure and that data is being read by external monitors or devices at the edge of the network that are directly connected to those systems,” he added.
According to Asaf Ashkenazi, the VP for IoT security products at Rambus’ Security Division, more advanced edge equipment can help shield the devices connected to it from remote attacks.
“[However], small and resource-limited IoT devices sometimes do not have the capabilities to provide strong security,” he elaborated. “[In contrast], the [more advanced] edge [equipment] can be used to shield these devices from the Internet, making sure they are not exposed to remote attacks. Products that provide strong connectivity security can protect other devices.”
As Ashkenazi emphasizes, the industry should be thinking about reducing the IoT device attack surface by implementing security at the design phase – essentially treating security as a primary design parameter rather than a tertiary afterthought.
“You also need early detection of compromised devices. Since no system is 100% secure, real-time detection of a compromise in an edge device can [prompt] patching and recovery of the infected device and other vulnerable devices,” he elaborated. “[However], once a software vulnerability is discovered and identified, quick action is crucial for limiting any damage to the edge device or any other devices connected to it. Fast recoverability can be achieved using over-the-air (OTA) recoverability mechanisms where security updates are pushed to the device via the Internet.”
As Ashkenazi points out, edge computing devices can be much more difficult to secure than other devices. This is because edge devices typically execute complicated tasks that aren’t performed by other standalone IoT devices.
“[This is precisely why] edge computing requires more CPU, memory and flexibility, which typically results in a larger attack surface. In many cases, edge devices also aggregate and process data from multiple devices connected to them,” Ashkenazi continued. “A compromise of an edge device can result in a compromise of the data collected from multiple devices connected to it. The combination of a larger attack surface, [along with] access to multiple connected end-devices, [increases] the need [for] protection, detection and recoverability [capabilities]. In addition, some edge devices might be required to handle the data of two separate users who do not trust each other.”
This, says Ashkenazi, requires the edge device to implement secure data separation to prevent data leaks.
“The principles and security best practices of edge devices, such as routers, switches, or smartphones, are not really all that different from the ones used in other areas, like the data center or cloud computing,” he concluded.
Interested in learning more? The full text of “How to secure the network edge” by Jeff Dorsch is available on Semiconductor Engineering here.