Ensuring a Secure Internet of Things (IoT)

Thought provoking article by Stefanie García Laule, published in SAPinsider. If you are considering any IoT work this is definitely worth a read.

The biggest challenge presented by the Internet of Things (IoT) is maintaining the integrity, authenticity, and privacy of critical business data. Security teams are faced with the daunting task of verifying that data sent from a multitude of devices are both accurate and safe. Learn what crucial security measures are needed for the age of IoT and how SAP HANA Cloud Platform for Internet of Things can provide a standards-based approach to secure authentication between devices and help companies better protect themselves.

Cloud-based solutions have changed the way we conduct business, fully mobilising workforces, expanding the global reach of organisations, and lowering costs. The cloud enables organisations to streamline and improve business processes, such as customer service and the supply chain, with anytime, anywhere access to applications and data. And now businesses find themselves at the doorstep of the next level of cloud-based connectivity: the Internet of Things (IoT), where Internet-enabled devices — such as cars, compressors, turbines, and household appliances — communicate with one another (either directly or via the cloud) and deliver data-driven intelligence that enables organizations to optimize their products, services, and operations, and support new and enhanced processes.

And make no mistake, IoT is more than just a concept; it is a reality and a significant opportunity across a variety of business sectors — from manufacturing to utilities to healthcare to retail — to access unprecedented insight into customers, products, and operations. Gartner estimates that there will be 25 billion internet-connected things by 2020 and that IoT will produce close to $2 trillion of economic benefit globally.1 With significant opportunity often comes significant risk, however, and IoT is no different: The exponential growth of connected devices translates into an exponential increase in potential attack surface — a surface that goes beyond servers and applications to individual devices, each with their own protocols and varying levels of security in their makeup.

The combination of rapidly changing technologies, a growing number and variety of devices, and an increasingly interconnected landscape means that security teams are faced with a daunting challenge and that the implications of a security failure can have disastrous effects that ripple far and wide. This article takes a closer look at the security aspects that are crucial for IoT and demonstrates how SAP ensures that the IoT solutions its customers use to protect against these risks.

The Rewards and Risks of IoT

Imagine you are a car manufacturer. In your production line, you need to produce the roof for a particular car model. To do this, you use a press to form the metal of the roof, which in turn requires a compressor to create the pressure. If this compressor fails, the production line comes to a halt, which can translate into an enormous financial loss for the business. IoT can help you avoid this scenario by enabling you to use sensors in combination with a solution, such as SAP Predictive Maintenance and Service, to monitor the compressor and predict when it will wear out so that you can ship and replace the compressor with minimum downtime before it fails. (For more on SAP’s IoT-enabled offerings, see the sidebar “SAP Solutions for the Internet of Things.”)

SAP Solutions for the Internet of Things

SAP Predictive Maintenance and Service is an integration solution that combines data from SAP ERP and SAP Customer Relationship Management (SAP CRM) systems with data from machines. It allows equipment manufacturers and operators to monitor machine health remotely, collect sensor and telemetry data, and merge it with business data such as maintenance records, and then analyse this data for patterns and root causes for failures to predict when a device will fail and proactively apply preventive measures.

SAP Networked Logistics Hub (formerly SAP Connected Logistics) is a cloud application that connects data from multiple infrastructure sources to optimise inbound, outbound, and hub-internal traffic with role-specific user interfaces. It includes logistics maps for use in ports, at airports, and in logistics hubs.
SAP Connected Manufacturing comprises software that supports the Internet of Things for the manufacturing industry, including SAP Manufacturing Execution, SAP Manufacturing Integration and Intelligence, and SAP Plant Connectivity.

SAP augmented reality apps (including SAP AR Warehouse Picker and SAP AR Service Technician) use visual 3D models, voice recognition, and gesture control to enable hands-free work using wearable devices.

SAP HANA Cloud Platform for the Internet of Things is a portfolio of solutions — including SAP HANA Cloud Integration and a set of Internet of Things services for SAP HANA Cloud Platform — that enables capabilities for device management and remote control, data and metrics, device modelling, and application development and deployment.

But what happens if the sensors deliver the wrong data, such as the wrong temperature, or if the wrong service life statistics for the compressor components are delivered? Imagine what might happen with a faulty temperature reading or component failure with an oil pipeline. The damage inflicted by faulty data from devices can be considerable — and in some cases, it can be catastrophic — and this could happen if an attacker gains access to a company’s system and manipulates the data being sent from devices to the IoT solutions monitoring those devices.This is just one example of why security plays a crucial role in IoT scenarios to prevent manipulation of the reported sensor or telemetry data, or data leaks, or denial of services attacks, for instance. While a device might seem to be only a little thing, it can cause significant losses for your business, and it is critical to ensure the protection of the data it transmits. Two items are essential to this protection:

• Strong authentication to ensure that a device is the one it claims to be
• The use of encryption and digital signatures to ensure the authenticity of the data source and privacy for the transmitted data
• So how does SAP address these essential items for IoT solutions? It starts at the very foundation.

A Secure Foundation with SAP HANA Cloud Platform

To truly pave the way to a secure IoT landscape, security needs to be built in at the foundational level. Through SAP HANA Cloud Platform — SAP’s platform-as-a-service (PaaS) offering for building and extending cloud-based business applications — SAP provides an infrastructure that enables businesses to securely tap into a network of millions of connected devices: SAP HANA Cloud Platform for the Internet of Things (see Figure 1).

Figure 1 — SAP HANA Cloud Platform for the Internet of Things

Introduced at SAPPHIRE NOW in May 2015, SAP HANA Cloud Platform for the Internet of Things is a solution portfolio that enables the collection, integration, and analysis of data from devices and from business systems such as SAP ERP and SAP Customer Relationship Management (SAP CRM). Connectivity to back-end systems to access business data is provided by SAP HANA Cloud Integration via SAP Process Integration; access to machine data is provided by a set of IoT services. While there are three options for connecting the IoT services to networked devices — via an IoT connector included with SAP HANA Cloud Platform for the Internet of Things, via a third-party gateway solution, or directly through the device’s built-in connectivity — the IoT connector offers several advantages, including protocol translation between various devices and SAP HANA Cloud Platform, and automated, secure onboarding of devices that paves the way to edge computing and device management.

The IoT services for SAP HANA Cloud Platform are key to facilitating the management, administration, and processing of IoT data. These services support the implementation of IoT applications — including SAP applications, partner applications, and custom-developed applications — on SAP HANA Cloud Platform, and provide secure interfaces for:

• Registering devices and their specific data types
• Sending data to a database running on SAP HANA Cloud Platform
• Storing and accessing data on SAP HANA Cloud Platform

The IoT services are enabled via the services tab in the SAP HANA Cloud Platform cockpit, which is the central tool for managing applications deployed on SAP HANA Cloud Platform.2 Subscribing to the IoT services provides access to the Internet of Things Services cockpit (see Figure 2), which you use to securely register devices, specify the supported message types for sending data from these devices to SAP HANA Cloud Platform, and manage the IoT connector.

Figure 2 — The Internet of Things Services cockpit

So how do the IoT services ensure that IoT applications deployed on SAP HANA Cloud Platform provide the two items — strong authentication for devices and the secure transfer of data — that are essential to a secure IoT landscape? By using trusted security standards.

Standards-Based Authentication and Authorisation

The IoT services use the Open Authorisation (OAuth) Framework (version 2.0) and X.509 certificates to secure communication between IoT devices and SAP HANA Cloud Platform via the Transport Layer Security (TLS) protocol (see Figure 3). With OAuth-based communication, you generate an individual OAuth authorisation token for each IoT device using the Internet of Things Services cockpit and then transfer that token to the corresponding device. With X.509-based authentication, an X.509 certificate must be issued for each device. The IoT connector included with SAP HANA Cloud Platform for the Internet of Things facilitates the generation of these tokens and certificates as part of a secure onboarding process for devices. The authentication method is specified as part of the device type configuration using the Internet of Things Services cockpit.

Figure 3 — The IoT services for SAP HANA Cloud Platform use trusted standards for secure authentication and authorisation

OAuth is the de facto standard for protecting APIs based on the Representational State Transfer (REST) architectural standard, commonly used for providing synchronous access to back-end SAP systems from cloud-based systems via the TLS protocol. To secure this access, OAuth authorises the application that calls the API, known as the API consumer. The API consumer uses a credential — the OAuth access token — for the authentication. This token represents an authorisation issued to the API consumer by SAP HANA Cloud Platform. OAuth uses various mechanisms for obtaining OAuth access tokens, including authorisation grants, which are supported by SAP HANA Cloud Platform (specifically, SAP HANA Cloud Platform supports the authorisation code grant and client credentials grant types). OAuth is a lightweight but secure credential for authenticating devices in an IoT scenario.

X.509 certificates enable secure authentication between web applications and back-end SAP systems. Based on the X.509 public key infrastructure (PKI) standard, these certificates use a public/private key pairing to establish trust and allow access, where a digital certificate containing identity information in a public key is validated against a stored private key. The main components of the PKI are the registration authority (RA) for verifying the identity of the certificate’s owner and the certificate authority (CA) for issuing the certificates, maintaining revocation lists, and so on. With the automated, secure on-boarding process for devices provided by SAP HANA Cloud Platform for the Internet of Things, SAP HANA Cloud Platform serves as the RA and CA for issuing and verifying X.509 certificates. X.509 certificates can also be used to generate digital signatures to protect data against tampering.  Note that with X.509 certificates, for privacy protection, the network communication between the IoT connector and the IoT services running on SAP HANA Cloud Platform must be secured with a mutually authenticated TLS connection.

Let’s take a closer look at authentication in action in an SAP HANA Cloud Platform for the Internet of Things scenario by stepping through an example that uses X.509 certificates with the IoT connector.

Behind the Scenes: Ensuring a Secure Device Connection

Returning to our car manufacturer example, suppose we are using SAP Predictive Maintenance and Service and we want to collect data from an IoT-enabled compressor on the manufacturing assembly line so we can monitor the compressor and proactively address any necessary repairs. To enable communication between the compressor and SAP HANA Cloud Platform, where SAP Predictive Maintenance and Service is running, the device (the compressor) must be issued an X.509-based registration certificate with a key pair by a trusted CA.

In this scenario, after configuring the X.509 authentication requirement for the device type using the Internet of Things Services cockpit, the registration certificate is issued to the device (the IoT-enabled compressor) automatically by SAP HANA Cloud Platform as part of the automated, secure onboarding process. The car manufacturer performs a test run of the manufacturing assembly line, and the self-registration process for an individual X.509 device certificate is automatically initiated by the IoT connector. The IoT connector generates public and private keys on the device, along with a registration certificate and a request for an individual device certificate. The registration certificate and the device certificate request (including the public key) are sent to the IoT services running on SAP HANA Cloud Platform. The registration certificate is then used to authenticate the device to SAP HANA Cloud Platform.

After successful verification of the registration certificate, the individual device certificate is issued by SAP HANA Cloud Platform and sent back to the device via the IoT connector, which then deletes the registration certificate and corresponding private key from local persistence to prevent leaking the manufacturer’s registration credentials to the customer. Going forward, the individual device certificate and key pair are sufficient for secure authentication between this device and SAP HANA Cloud Platform. Options for adding an even higher level of security include adding firewalls between the IoT connector and the IoT services, as well as delivering X.509 certificates and their corresponding keys on personalized industry computers with trusted platform modules (TPM) — that is, computers with standards-based cryptographic keys built directly into the hardware to secure the device.

Of course, the very nature of an IoT landscape means that there will be changes to manage in your secure runtime environment — in particular, devices will need software and firmware updates delivered by manufacturers. To securely handle these updates, the IoT services running on SAP HANA Cloud Platform automatically check the digital signature of the update package, delivered by an X.509 certificate, to verify that it is, in fact, from the manufacturer and has not been altered during the transmission over the network. The verification results are logged by SAP HANA Cloud Platform and stored on the device.

SAP HANA Cloud Platform for the Internet of Things gives SAP customers a set of IoT services that provide a standards-based approach to secure authentication between devices and SAP HANA Cloud Platform.

Summary

The biggest challenge in an IoT scenario is protecting the integrity, authenticity, and privacy of the data that is collected from devices, transferred to a central system and integrated with business data for analysis. SAP HANA Cloud Platform for the Internet of Things helps SAP customers meet this challenge with a set of IoT services that provide a standards-based approach to secure authentication between devices and SAP HANA Cloud Platform, enabling IoT applications running on the platform to provide insight based on integrated machine and business data.

The ability to get up and running with an IoT landscape both quickly and securely will allow you to get started capitalising on the opportunity instead of spending time playing catch-up, and with security built in at the technology foundation, SAP helps its customers do this with minimal risk.

Also, take a look at our introduction to IoT