WHITE PAPER

Fog Gateways: The Cornerstone of IoT Security

By Nicholas Cravotta

The IoT offers tremendous value, but also introduces major security challenges. Connecting previously offline systems increases the attack surface for hackers—and the diversity of these systems makes it difficult to deploy and manage consistent security.

The nature of internal networks—such as the automation networks that connect factory machinery—adds to the problem. Legacy networks provide minimal authorization, little authentication, and not enough encryption. There is often no protection against intrusion, unauthorized reconfiguration of edge equipment, or DDoS attacks. If an attacker gains access to these unsecured networks, the entire organization can be at risk.

Fog computing can address these security issues today and help you prepare for new challenges on the horizon. Fog gateways provide secure connectivity to local equipment, intelligent data processing, and end-to-end manageability that extends into the cloud. With fog gateways, developers can go beyond connecting equipment securely. Now they can deliver high-performance, real-time computing at the network edge.

Risks of Unsecured Systems

The IoT has proven its value in nearly every industry. Manufacturers use it to manage factories in real time, boosting production, equipment lifetimes, and worker safety. Utilities can dynamically change rates and shift loads—thus preventing overinvestment in power generation. IoT-based medical devices can monitor patients continuously to identify trends and alert caregivers before an emergency arises.

But all these benefits depend on secure data flow. If the network is compromised, the result can be disastrous. For industrial applications, the cost could be the shutdown of operations or equipment damage. In a utilities environment, invalid data could result in blackouts and lost revenue. For retail applications, security breaches could halt sales and expose customer data.

What Makes IoT Security Different

In some ways, security concerns are nothing new. Most organizations already have security precautions in place to protect sensitive IT systems and physical assets. But the IoT introduces new threats that can catch businesses off guard.

Particularly challenging is the way that the IoT merges the worlds of information technology (IT) and operations technology (OT). By connecting physical assets to the cloud, the IoT exposes these assets to IT security risks. But operations typically doesn't have a background in IT-style security (e.g., centralized policy enforcement). Conversely, IT typically doesn't have experience with embedded systems and their hard real-time requirements. To assure both security and reliability, operations and IT need to align their goals and coordinate their efforts.

The IoT also increases the overall scope and scale of the security challenge. As more assets connect to a network, hackers and viruses gain more potential points of attack.

These connected assets also generate an overwhelming amount of data to process that can constrain available bandwidth, especially when processing is done in the cloud. This puts time-sensitive operations such as fault detection and service restoration at risk, and potentially delays responsiveness to security events.

The Basics of IoT Security

To achieve end-to-end security, secure capabilities need to be implemented at many levels in an IoT ecosystem. At the lowest level, individual devices must be secure. This includes protecting hardware from physical attacks and safeguarding software and data from unauthorized modification (Figure 1).

The network, data center, and applications all need protection, too. Every time a device connects with another device, especially with end-to-end access through the cloud, the communications link needs to be secured. At the highest level, device monitoring and security analytics also play an important role in assuring that the ecosystem is protected.

One of the key capabilities for many IoT ecosystems is enabling users and administrators to directly and remotely control devices. As an IoT ecosystem scales, it becomes increasingly important to be able to apply security policies consistently and easily.

Manageability and consistent application of security can be difficult to achieve. IoT ecosystems may comprise a wide range of different hardware, OS, networking, and other technologies. The rapid pace of innovation means IoT ecosystems also need to support multiple generations of technology.

Furthermore, security is not a deploy-and-ignore technology. Security must be kept up to date to address new standards and vulnerabilities.

Figure 1: Device-level security encompasses a range of hardware and software features.

Fog Computing and IoT Gateways

Fog computing is an approach to IoT design that adds a hierarchy of intelligence between the cloud and endpoints. Rather than piping endpoint data directly to the cloud, fog computing places compute resources near endpoints at the edge of the cloud or directly on premises.

In many systems, these fog computing capabilities are provided by IoT gateways. A gateway aggregates endpoint traffic and maps diverse local protocols to a common IP backend. On top of this, fog technology provides compute-intensive cloud services like data analytics locally (Figure 2).

To accelerate development and adoption of fog technologies, Intel created the Fog Reference Design (Intel FRD). Built around Intel® Core™ i3/i5/i7 or Intel® Xeon® processors for high compute performance—along with Intel FPGA solutions for specialized functionality—Intel FRD is a self-contained platform housed in an enclosed chassis. This all-in-one test bed enables developers to experiment and demonstrate fog use cases across the spectrum of vertical segments. From there, developers can quickly move on to commercially available hardware to implement their designs.

Security Through the Gateway

One of the primary benefits of fog computing is how it simplifies security. Rather than addressing security across a large number of endpoints, fog computing aggregates and maps connections across a relatively small number of gateways. Consolidation ensures consistent policy enforcement and smooths integration across disparate IT systems. This also makes it easier to keep security up to date and to scale as the ecosystem grows.

Because security is implemented in gateways, legacy IoT devices behind the gateway are inherently secure. Thus, fog computing makes it considerably easier to secure legacy equipment.

Fog computing can also eliminate expensive endpoint refresh cycles, since a well-chosen gateway can accommodate generations of security updates.

Pushing compute resources closer to the edge also enables gateways to handle real-time/time-critical applications. This is an important benefit because many applications cannot tolerate the latency of pushing data to the cloud and waiting for a response. Intelligence in the gateway also minimizes the compute power required in endpoint devices and in the cloud. This can substantially reduce the cost and complexity of endpoints. Just as important, gateways can filter endpoint data and thereby optimize bandwidth requirements between endpoints and the cloud.

Boundary Security

One of the ways fog computing can secure IoT ecosystems is through boundary security. To illustrate the advantages of boundary security, consider the alternative of separately securing each subsystem. In this context, a subsystem can take many forms. For example, it could be a network of devices on a LAN or a suite of applications in the cloud.

Figure 2: Gateways are intermediaries between endpoints and the cloud.

The advantage of subsystem-based security is that IT can balance cost, latency, and other factors with the security requirements of each subsystem. But this individualized approach has a major flaw. When a subsystem connects to an external resource, this creates a weak point of vulnerability. Specifically, the security deployed by the subsystem may be insufficient to protect data across the external connection.

Boundary security is a method for protecting data by securing the boundary between different subsystems. Each connection to external resources is secured independently of the security within the subsystem. This ensures that every external connection is secure, and leaves no chance for an oversight by an endpoint to leave an opening into the network.

Using a boundary security approach, building a secure IoT ecosystem begins with the gateway. In addition to providing WAN connectivity to the cloud, gateways protect all the IoT devices behind them.

One example of boundary security technology is Vortex Cloud from PrismTech, a subsidiary of ADLINK. Vortex Cloud secures communications at the boundary between subsystems and can be used with private, public, and hybrid clouds (Figure 3).

Vortex achieves this through a boundary security approach that uses certificate-based authentication, encrypts communications, and enforces access control rules between subsystems and individual devices. Capabilities such as Discovery Service simplify IoT ecosystem management by enabling devices to automatically find one another, regardless of their location.

Figure 3: Vortex Cloud secures the boundary between subsystems.

The Intel® IoT Platform

Developing a complete IoT ecosystem can be challenging, even before security is taken into account. The subtle complexities of IoT security can catch developers by surprise, lengthening the development cycle and reducing overall profitability. Thus, developers should consider building from a secure and proven foundation. Doing so can significantly simplify development and accelerate time to market.

The Intel® IoT Platform offers OEMs and ISVs an open, scalable approach to IoT (Figure 4). The platform is built using reusable, integrated building blocks that secure and manage devices, gateways, and data from the edge to the cloud. With an open, standards-based approach, the Intel IoT Platform offers a consistent developer experience for designing and delivering reliable and scalable products.

The platform is secured using the Intel IoT Security Framework (Figure 5). This framework provides an architecture for protecting, detecting, and correcting threats to hardware, software, and data. With Intel IoT Platform technology available from a wide ecosystem of partners, organizations can take advantage of existing technology rather than developing their own in-house IoT security expertise.

Figure 4: The Intel® IoT Platform provides security at multiple levels.

Figure 5: Intel® IoT Security provides an architecture for end-to-end security.

Intel® subsidiaries McAfee and Wind River contribute significant value to this framework through their multilayered IoT security. For example, Wind River offers secure operating system and virtualization solutions, while McAfee has solutions that can be deployed on devices to enhance their security. Together with Intel's technology, these solutions create a chain of trust from device to network to cloud, providing end-to-end protection across the entire IoT platform.

Intelligent Gateways

Security solutions that build on the Intel IoT Platform are available from members of the Intel® IoT Solutions Alliance. These solutions leverage Intel's hardware and software security technologies to enable trustworthy connections between devices and the cloud.

For example, SBS offers the SEC-0600A, an industrial gateway based on the Intel Atom® processor E3900 series (Figure 6). The Intel Atom® processor E3900 offers numerous security features. The Intel® Trusted Execution Engine (Intel® TXE) provides enhanced data and operations protection, keeping data away from hackers even if the OS is compromised. Secure Boot is strengthened with features like Intel® Boot Guard 2.0, and new cryptographic instructions like Intel® SHA-NI Extensions are among the many security upgrades.

Figure 6: The SBS SEC-0600A leverages Intel® IoT Gateway technology.

For IoT applications that require higher performance, Hewlett Packard Enterprise offers the Edgeline EL1000 Converged IoT System. Powered by Intel® Xeon® processors, the EL1000 accelerates compute at the edge to address latency, bandwidth, cost, security, duplication, corruption, and compliance issues. In addition to supporting the security stack incorporated in the Intel® IoT Platform, the EL1000 can be used with Aruba ClearPass Policy Manager. This manager replaces the legacy authentication, authorization, and accounting (AAA) approach with context-aware policies. This gives visibility, policy control, and workflow automation in a single cohesive solution. ClearPass also has a built-in profiling engine that helps IT understand which devices are on the network, real-time analytics to track how the network is being used, and the tools to enforce smart and secure policies.

Cloud Security

Alliance members also offer a variety of cloud security solutions. For example, the Amazon Web Services (AWS) IoT Platform offers authentication, authorization, registry, and virtual shadowing, among other capabilities (Figure 7). AWS IoT can scale to billions of devices and trillions of messages while securely controlling the flow of data and interactions between devices and applications.

Inside the cloud, all data is protected by AWS cloud security mechanisms as data moves between AWS IoT and other devices or AWS services. The AWS IoT platform offers many advanced security features—including authentication and end-to-end encryption—to meet individual application requirements.

As another example, Microsoft offers the Security Program for Azure IoT that brings together a curated set of best-in-class security auditors. These auditors work with OEMs to perform a security audit of their IoT ecosystems, find issues, and provide recommendations.

Microsoft's program works from the ground up, considering every device, gateway, and communications link to the cloud. It can provide essential guidance for OEMs that might otherwise delay employing IoT technology until security best practices and standards have been established and proven.

Figure 7: Amazon Web Services (AWS) IoT Platform offers end-to-end security.

Looking Forward

While IoT standards are being established, it is important for OEMs to develop IoT ecosystems that can adapt to evolving standards and the rapid pace of innovation in IoT technology. When security resides simplistically in end devices, these devices will need to be refreshed with each new generation of technology and security standards.

To aid in bringing unity across the IoT industry, Intel has taken a leading role in driving IoT standards by working with industry groups like the Industrial Internet Consortium (IIC), Open Connectivity Foundation (OCF), and the OpenFog Consortium (OFC). These standards will help drive convergence on vision and implementation of IoT-based innovation and adoption.

This pioneering work means developers can use Intel technology to confidently build scalable, industry-standard IoT systems. Not only can they be assured of end-to-end security today, they can also count on a roadmap for future security requirements.

Request more information for details on the intelligent gateways, cloud security, and other solutions in this paper.

Nicholas Cravotta

A veteran of the electronics industry, he has been technical editor for publications like EDN and Embedded Systems Programming. When he isn't writing about engineering, he is an award-winning game designer focusing on innovative ways to engage people, including the home version of Escape the Room and Houdini, the reconfigurable disentanglement puzzle.

Copyright © 2017 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Atom, Intel Quark, Intel vPro, and Intel Xeon are trademarks of Intel Corporation in the U.S. and/or other countries. Other names and brands may be claimed as property of others.
