The IoT gateway next door
Internet of Things products are small, networked and, unfortunately, almost always have little or no security. Sometimes this is down to a lack of willingness on the manufacturer's part, but it is also partly due to the nature of the product: small and light also means that these devices have few resources for complex security features such as encryption and packet inspection. This leads to vulnerabilities, numerous attack vectors and ultimately to devices that almost anyone can turn into bots. Following the latest large-scale attacks, which primarily used IoT devices as a digital army, there is a loud demand from those who want more legislation and government involvement. In a hearing before the Committee on Energy and Commerce of the US House of Representatives, security guru Bruce Schneier stated that "catastrophic risks" would arise from the proliferation of insecure technology on the Internet.
Whether there will be such a catastrophe, or whether the manufacturers of IoT devices will realize that the current approach might not be the right one, remains to be seen. Until then, something must be done to improve security, and at least for the problem of insufficient computing power there is a simple remedy: IoT gateways. IoT gateways have existed for some time, albeit with a different focus. Until now they have been used primarily to connect legacy devices that have no network interface to TCP/IP. Sometimes they are used only to control switching contacts via an IP address. In other cases, old machines or PLCs can still communicate, but over a proprietary protocol rather than a standard one such as Ethernet, Modbus or Profibus. In this scenario the IoT gateway acts as a local intermediate station: it receives data from sensors and actuators, extracts the information needed and forwards datagrams. It is also possible to store data at the gateway and provide it only on request, for example via an embedded web server.
The evolution of the IoT gateway into a VPN client is a logical consequence of the well-known problem of insufficient computing power. NCP's IIoT Remote Gateway can be installed and used directly on systems or machinery, while the central IIoT Gateway encrypts data from the IIoT Remote Gateway for upstream processing. System manufacturers or operators benefit from more than encrypted communication: they regain control over the configuration of security parameters and can commission systems more easily. Thanks to its multi-client capability, the management system is well suited to cloud environments or Industry 4.0 infrastructures that link several production sites or divisions via a common platform. If several production sites share a common platform, administrators can access only the production sites they need to manage and cannot access external data or protected areas.
All connections between the end devices and the gateways are encrypted with advanced algorithms (for example, Suite B cryptography). For additional security, all machine certificates are managed in a Public Key Infrastructure (PKI), which ensures unique authentication of every end device. On each connection, the device certificate is checked for validity and trustworthiness (signed by a trusted Certification Authority [CA]) and for whether it has been revoked, by checking against an online or offline CA. If companies at least secured their IoT devices behind such a gateway, regardless of how powerful the devices are, governments could keep their regulatory watchdogs on a leash for a while.
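The per-connection check described above, as an added example that is not NCP's code or any part of its product: a gateway validates a device certificate against the CA it trusts, then consults a CA-signed certificate revocation list (the "offline CA" case; an online OCSP query is not shown). Everything is built with the Go standard library (Go 1.19 or later for `x509.ParseRevocationList`); the CA names, device names and serial numbers are constructed for the demo, and `gatewayPKI`, `checkDevice`, `runDemo` and the helpers are hypothetical names chosen here. The example goes slightly beyond the text in one respect: a missing or stale CRL is treated as a reason to refuse the device rather than to skip the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors; it keeps the constructed PKI below short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gatewayPKI is the trust state the gateway needs: the device CA and its latest CRL.
type gatewayPKI struct {
	ca    *x509.Certificate
	roots *x509.CertPool
	crl   *x509.RevocationList
}

// checkDevice admits a device only if its DER certificate chains to the trusted CA, is valid
// at `now`, is meant for client auth, and is absent from a fresh CA-signed CRL (fail closed).
func (g *gatewayPKI) checkDevice(der []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: g.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if g.crl == nil || now.After(g.crl.NextUpdate) {
		return errors.New("no fresh CRL available")
	}
	if err := g.crl.CheckSignatureFrom(g.ca); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	for _, rc := range g.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// The helpers below stand in for a real PKI; every name and serial is constructed.
func certTemplate(serial int64, name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
}
func selfSignedCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := certTemplate(1, name, now)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}
func issueDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, now time.Time) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := certTemplate(serial, name, now)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// runDemo builds the constructed PKI (trusted CA, unrelated CA, CRL revoking serial 20) and returns a verdict per case.
func runDemo() map[string]error {
	now := time.Now()
	ca, caKey := selfSignedCA("Demo Device CA", now)
	rogue, rogueKey := selfSignedCA("Unrelated CA", now)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(20), RevocationTime: now}},
	}, ca, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	gw := &gatewayPKI{ca: ca, roots: roots, crl: must(x509.ParseRevocationList(crlDER))}
	valid := issueDevice(ca, caKey, 10, "sensor-01", now)
	return map[string]error{
		"valid":      gw.checkDevice(valid, now),
		"revoked":    gw.checkDevice(issueDevice(ca, caKey, 20, "sensor-02", now), now),
		"foreign-ca": gw.checkDevice(issueDevice(rogue, rogueKey, 30, "sensor-03", now), now),
		"stale-crl":  gw.checkDevice(valid, now.Add(2*time.Hour)), // same device, CRL past NextUpdate
	}
}

func main() {
	for name, verdict := range runDemo() {
		fmt.Printf("%-11s -> %v\n", name, verdict)
	}
}
```

Only the "valid" case yields a nil error; the device under the unrelated CA fails chain validation, serial 20 is rejected by the CRL lookup, and the fourth case shows why the freshness check matters: the same valid certificate is refused once the CRL is past its `NextUpdate`, because the gateway then has no current revocation information to rely on.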