GlobalSign Blog

30 Aug 2016

What is an IoT Gateway and How Do I Keep It Secure?

Imagine the operating functions of a modern day logistics company. You have a fleet of vehicles all tracked using IoT devices. You have warehouses with stock tracking and machine operated production lines creating the products, which are packed and transported to stores worldwide. On the production line, IoT devices and sensors are measuring the performance of production and machines. You have IoT devices and sensors measuring stock and telling the production line how fast to go based on this data. You even have IoT devices sending signals to drivers to tell them when there needs to be a pick up and only signalling the cars which are closest to the warehouse at the time.

In this scenario there’s a lot happening that can’t be seen with the naked eye: devices communicating with each other using various protocols over various networks such as Wi-Fi, Ethernet, Z-Wave or ZigBee, devices and sensors communicating with the cloud, and even the cloud communicating with critical systems. It all gets a bit overwhelming, and IoT gateways solve a number of the challenges this outdated model has.

What is an IoT Gateway Device?

An IoT gateway device bridges the communication gap between IoT devices, sensors, equipment, systems and the cloud. By systematically connecting the field and the cloud, IoT gateway devices offer local processing and storage solutions, as well as the ability to autonomously control field devices based on data input by sensors.

An Edge Gateway sits at the intersection of edge systems, between the external internet and the local intranet that is being used by the other devices in your ecosystem. Thus it is the key access point for network connectivity, both inside and outside your device ecosystem.

Figure 1: IoT gateway (source: http://www.alleantia.com/en/iot-gateway/)

How Does an IoT Gateway Device Work?

As the capabilities and needs of devices proliferate, it is often not possible to have them communicate directly with back-end systems. Some sensors and controllers don’t support energy-intensive protocols like Wi-Fi or Bluetooth. Some devices generate so much data that it is overwhelming, and of little value, in its raw form, and they all connect to a variety of public and private networks.

An IoT gateway performs several critical functions from translating protocols to encrypting, processing, managing and filtering data. If you imagine an IoT ecosystem, a gateway sits between devices and sensors to communicate with the cloud.

Figure 2: IoT gateway network (source: http://internetofthingsagenda.techtarget.com/feature/Using-an-IoT-gateway-to-connect-the-Things-to-the-cloud)

Why Use an IoT Gateway Device?

Bridging the Gap Between OT and IT

IoT gateways help to bridge the gap between operations and IT infrastructure within a business. They do this by optimizing system performance through the operational data they gather and process in real-time in the field or at the network edge.

IoT gateways can perform a number of enhancements on the OT and IT silos:

  • High Scalability – they are able to take intelligent data from the datacenter or cloud and push it into the field or network edge.
  • Lowering Costs – end-point devices needn’t have as much processing power, memory or storage, since the gateway does this for them.
  • Faster Production – an accelerated and more advanced production line can decrease time-to-market significantly.
  • Reduce Telecommunications Cost – less M2M communication means less network and WAN traffic.
  • Mitigate Risks – gateways can isolate devices and sensors that aren’t performing before they cause bigger problems for the production line.

Adding a Layer of Security

As the number of devices and sensors grows, so does the number of communications that take place over a combination of public and private networks. Communications between the ‘things’, the gateway and the cloud must therefore be secured in order to prevent data tampering or unrestricted access.

This will usually happen through a PKI, whereby every ‘thing’ that communicates is given an identity, that is, a pair of cryptographic keys and a Digital Certificate binding the public key to that device, which allows communication to be encrypted. This can be quite a handful to manage without the help of an IoT gateway.

Assuming you have a tool which manages all of your device certificates, you need the gateway to help mediate the on-boarding of devices (installation of certificates and provisioning of identity). More details on this at the end of this post.

Real-Time Updates in the Field

Imagine you notice a vulnerability in your devices, or one of the sensors is telling you that the warehouse is too hot. Without a gateway device, you would have to make manual fixes, because your devices and sensors lack the computational power to perform such tasks themselves.

With a gateway, the sensor data is sent to the gateway, and the gateway is configured to send firmware updates to all devices (e.g. smart air vent dampers) when the data shows the warehouse is too hot.

What to Look Out for in IoT Gateway Manufacturers

Now you know what an IoT gateway is, you’re probably just as convinced as I am of its application in your own IoT ecosystem. Once you have managed to convince the right people in your business of the benefits of an IoT gateway, the next step is actually purchasing one.

There are a few things you need to consider about an IoT gateway device before purchasing one. These are also well listed on Prokarma’s blog.

Network Security

Strong security should be provided to the communicating channel and encryption for the transmission of the IoT payload.

Downtime

There should be a plan for when you have a low network connection speed or are being charged by the amount of data that passes from the gateway to the cloud. Prokarma advises lightweight protocols such as CoAP or MQTT, or UDP in preference to TCP.

Connectivity Issues

What happens when you have no internet connection? You can never be sure that you are always going to have a smooth running operation. The software in your gateway should mitigate this by running without connectivity. It should also use caching and queuing of data in case this lack of connection happens for a longer period of time.
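The caching and queuing described above, as an added Go example that is not part of the original post: a bounded, file-backed store-and-forward queue that a gateway can keep between the sensors and the cloud link. Records are persisted as they arrive (so a reboot during an outage loses nothing), the oldest are evicted once a cap is reached (so a long outage cannot exhaust storage), and a flush stops at the first failed send so ordering is preserved and the remainder stays queued for the next attempt. The file path, the JSON record format, the `send` callback standing in for the uplink and the sensor name `temp-07` are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Queue is a bounded, file-backed store-and-forward buffer for telemetry: every record
// is written to disk as it arrives, so a reboot during an outage loses nothing, and the
// oldest records are discarded once the cap is reached rather than exhausting storage.
type Queue struct {
	path    string
	max     int
	Recs    []string // oldest first
	Dropped int      // records evicted because the queue was full
}

// OpenQueue loads whatever survived on disk, so records queued before a reboot are kept.
func OpenQueue(path string, max int) (*Queue, error) {
	q := &Queue{path: path, max: max}
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return q, nil
	}
	if err != nil {
		return nil, err
	}
	for _, line := range strings.Split(string(data), "\n") {
		if line != "" {
			q.Recs = append(q.Recs, line)
		}
	}
	return q, nil
}

// Enqueue stores a record, evicting the oldest when full, and persists the queue.
func (q *Queue) Enqueue(rec string) error {
	if len(q.Recs) >= q.max {
		q.Recs = q.Recs[1:]
		q.Dropped++
	}
	q.Recs = append(q.Recs, rec)
	return q.persist()
}

// Flush sends queued records oldest-first through send (a stand-in for whatever reaches the cloud) and
// stops at the first failure so ordering is preserved; each delivered record is removed from disk before
// the next is attempted, so a crash mid-flush cannot replay it. It returns how many were delivered.
func (q *Queue) Flush(send func(record string) error) (int, error) {
	sent := 0
	for len(q.Recs) > 0 {
		if err := send(q.Recs[0]); err != nil {
			return sent, err // the rest stays queued for the next attempt
		}
		q.Recs = q.Recs[1:]
		sent++
		if err := q.persist(); err != nil {
			return sent, err
		}
	}
	return sent, nil
}

// persist rewrites the file via a temporary name and rename, so a crash mid-write
// leaves the previous copy intact instead of a truncated one.
func (q *Queue) persist() error {
	var b strings.Builder
	for _, r := range q.Recs {
		b.WriteString(r + "\n")
	}
	tmp := q.path + ".tmp"
	if err := os.WriteFile(tmp, []byte(b.String()), 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, q.path)
}

func main() {
	dir, _ := os.MkdirTemp("", "gwqueue")
	defer os.RemoveAll(dir)
	q, _ := OpenQueue(filepath.Join(dir, "telemetry.log"), 3)
	for i := 1; i <= 5; i++ { // constructed readings arriving while the WAN is down
		q.Enqueue(fmt.Sprintf(`{"sensor":"temp-07","celsius":%d}`, 30+i))
	}
	fmt.Println("queued:", len(q.Recs), "dropped:", q.Dropped)
	q, _ = OpenQueue(q.path, 3) // simulate a reboot: the queue comes back from disk
	n, err := q.Flush(func(string) error { return errors.New("WAN down") }) // link still down
	fmt.Println("delivered:", n, "error:", err, "still queued:", len(q.Recs))
	n, err = q.Flush(func(rec string) error { fmt.Println("sent", rec); return nil }) // link back
	fmt.Println("delivered:", n, "error:", err, "still queued:", len(q.Recs))
}
```

The cap of three records is deliberately tiny so the eviction shows up in a `go run`; on a real gateway the bound would be sized to the outage you expect to ride out and the storage you can spare, and the cloud side should tolerate the occasional duplicate that any at-least-once delivery like this can produce.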

Remote Updates

Your IoT gateway will inevitably require over-the-air (OTA) updates and so it will need an OS (like Linux, amongst others) which supports this.

Power

A gateway device must survive unpredictable power cycles such as power overloads or power outages. At the very least in these states it should be able to provide minimum functionality and still talk to the cloud so that it can restore itself.

How to Secure an IoT Gateway

There are three core principles of security: confidentiality, integrity and authentication. You will need to ensure that all communications between the gateway and devices meet each of the three principles, whether the communication is happening on the internal or the external network.

It is also worth noting that the gateway is often the first to be attacked because of two reasons:

  1. It has higher processing power, which it uses to run more capable applications. More power means richer software, and richer software means more vulnerabilities for a hacker to exploit.
  2. Because of its location as an edge device between the internet and the intranet, the gateway is the point of entry for any threat vector (as well as a system’s first line of defense).

My recommendations on securing an IoT gateway device involve three steps.

Step 1: Identity for the Gateway Device

The first step is to give your gateway device an identity, using an X.509 Digital Certificate. Any external entity connecting to the gateway can now verify its identity, and the gateway can use protocols such as HTTPS or NTLS. Commands issued to devices or sensors in the field now come from a trusted device.

Step 2: Enable ‘Strong’ Identity for the Gateway Device

Because your gateway device is exposed to physical tampering, private keys can be extracted and cloned, leaving the gateway open to spoofing or even man-in-the-middle (MITM) attacks.

To prevent this, you need extra security measures, such as embedding a Trusted Platform Module (TPM) in your gateway, using a PUF (Physical Unclonable Function). This securely stores the private keys behind all Digital Certificates, making sure they never leave the gateway.

Step 3: Use the Gateway to Provision Identity to Your Ecosystem

Now that you have enabled strong identity in your gateway device, you need to think about having strong identity for the devices and sensors in the field. Because some of these are likely unable to connect to the internet, provisioning identity through a Certificate Management Service without a Gateway will be difficult.

Instead, we can use the gateway as a trusted security mechanism for anything connected to it on the intranet. The gateway acts as a proxy between the platform (CA services) and the devices in the field. As with the gateway itself, you would expect this to happen using standard PKI, that is, an X.509 certificate issued from a private hierarchy.

Now the gateway and devices are secure, and therefore all the communication on your intranet is secure. So you have confidentiality, integrity and authentication, allowing your IoT ecosystem to be secured end-to-end using a PKI.
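The three steps above, together with the device on-boarding role described under “Adding a Layer of Security”, as an added Go example that is not part of the original post and not GlobalSign’s own tooling: a private root CA (standing in for the CA service) issues the gateway its TLS identity (step 1) and a subordinate issuing CA (step 3); the gateway then issues a certificate to a field sensor; and the two perform a mutual-TLS handshake in which each side is verified against the private root, which is where the confidentiality, integrity and authentication of the intranet leg come from. A sensor presenting a certificate from outside the hierarchy is rejected at the handshake. The names gateway.example, sensor-0042 and the CA names are constructed, and the keys are software keys; the signer is typed as crypto.Signer, so a TPM-backed key implementing that interface (step 2) would drop in without changing the issuing code.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTemplate builds a one-year certificate template; CA status follows from the cert-signing bit.
func newTemplate(cn string, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63)) // random serial, as a real CA uses
	return &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, ExtKeyUsage: eku,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
	}
}

// issue generates a P-256 key for the subject and signs template under parent with signer (self-signed
// when parent is nil). signer is only used as a crypto.Signer, which is how a TPM-resident key (step 2) fits.
func issue(template, parent *x509.Certificate, signer crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return cert, key
}

// BuildHierarchy walks the three steps: the root CA (the CA service) issues the gateway's TLS identity (step 1)
// and its subordinate issuing CA (step 3); the gateway then issues the field device, whose chain carries the gateway CA.
func BuildHierarchy() (*x509.Certificate, tls.Certificate, tls.Certificate) {
	root, rootKey := issue(newTemplate("Example Private Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil, nil)
	gw := newTemplate("gateway.example", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageServerAuth)
	gw.DNSNames = []string{"gateway.example"} // hypothetical gateway hostname
	gwCert, gwKey := issue(gw, root, rootKey)
	ca, caKey := issue(newTemplate("Gateway Issuing CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root, rootKey)
	dev, devKey := issue(newTemplate("sensor-0042", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth), ca, caKey)
	gateway := tls.Certificate{Certificate: [][]byte{gwCert.Raw}, PrivateKey: gwKey}
	device := tls.Certificate{Certificate: [][]byte{dev.Raw, ca.Raw}, PrivateKey: devKey}
	return root, gateway, device
}

// RogueDevice mimics a cloned or spoofed sensor: the same name, but a chain rooted outside the hierarchy.
func RogueDevice() tls.Certificate {
	ca, caKey := issue(newTemplate("Rogue CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil, nil)
	dev, devKey := issue(newTemplate("sensor-0042", x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth), ca, caKey)
	return tls.Certificate{Certificate: [][]byte{dev.Raw, ca.Raw}, PrivateKey: devKey}
}

// MutualTLSHandshake runs a gateway (server) and device (client) handshake over loopback TCP, each side
// authenticating the other against the private root. It returns the device identity as the gateway sees it.
func MutualTLSHandshake(root *x509.Certificate, gateway, device tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // the field device dials in; a failure on either side surfaces as a gateway handshake error
		cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{device}, RootCAs: pool, ServerName: "gateway.example", MinVersion: tls.VersionTLS12})
		if err == nil {
			cli.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{gateway}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true})
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	root, gateway, device := BuildHierarchy()
	who, err := MutualTLSHandshake(root, gateway, device)
	_, rogueErr := MutualTLSHandshake(root, gateway, RogueDevice())
	fmt.Println("sensor authenticated as:", who, err, "| rogue sensor rejected:", rogueErr != nil)
}
```

Two design points are worth noting. The device sends the gateway’s issuing-CA certificate along with its own, so a verifier that trusts only the root can still build the chain; that is what lets the gateway act as the proxy for the CA service without every sensor needing the whole hierarchy. And the gateway requires a client certificate (`RequireAndVerifyClientCert`) rather than merely accepting one, so an unenrolled or cloned device fails before any command traffic is exchanged.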

The IoT is booming and before we know it, we’re going to have IoT ecosystems in every business. Now is the time to think about security over convenience. We recommend managing device identities and security through GlobalSign’s Public Key Infrastructure and Identity and Access Management Solutions.
