Internet of Things - Security in an IoT Solution

by Rocco Gagliardi


This is how you secure the Internet of Things

  • There is no simple solution
  • Many partial solutions are the way to go
  • Split the system into smaller components
  • Adopt different best practices for each specific part

You have to build an IoT solution; how would you start implementing security measures? There are a lot of standards, best practices and checklists, but for such complex systems there is no ready-to-go solution.

For an IoT system, many technologies are involved along the line connecting EDGE with CORE computing. There is hardware to develop, tiny computers to program so they can read measurements and react to them, data to transmit from different continents, and data to collect, analyze and redistribute with confidentiality, integrity and availability. So, where should you start?

Reduce the Problem

Start reducing the system into smaller components, identifying the key assets.

As an example, the IoT solution can be reduced to:

Component / Description

CORE
  The CORE provides the virtual infrastructure (e.g. AWS) to run containerized (e.g. Docker) applications (e.g. Java/Spring) and data storage (e.g. Oracle, Hadoop). Applications are primarily responsible for the storage, analysis and presentation to the users of the measurements received from the EDGE.

Communication
  Communication between EDGE and CORE uses asynchronous protocols (MQTT). Communication must assure confidentiality, integrity and availability of the data.

EDGE
  The EDGE is an ad-hoc designed and engineered component, bridging the gap between the hardware (sensors and actuators) and the upper-layer protocols. It must assure availability and integrity of the processed data, and be robust and easy to install and maintain.

Once the system key components have been sketched, you can start applying a security framework to the system.

Choose a Good Cyber Security Framework

Choose a good framework that fits your environment. We have many years of experience with the NIST Cyber Security Framework (NIST-CSF) and, if you do not have any external constraints, we strongly encourage you to adopt this framework.

The NIST-CSF has 5 main functions (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER); just follow the framework and go through all the questions. It measures the quality of each function’s implementation with the Tiers: Partial, Risk Informed, Repeatable and Adaptive. You can start using the framework and reiterate the process to correct or perfect some items. Refer to the NIST CSF page for how to use the framework; in this article I just present some starting points we used during our projects.

Identify

The main goal of the Identify function is to understand the business context, the resources that support critical functions, and the related cyber-security risks. This enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

A possible approach consists in identifying the data, making a CIA (Confidentiality, Integrity, Availability) classification, and listing the assets involved in the data management:

Data               | C | I | A | API   | MVC Component   | Container                | VM                   | Backup
Login Info         | H | M | L | Logon | Logon component | Logon Container, User DB | Apache Pool, DB Pool | DB
Admin Profile      |   |   |   |       |                 |                          |                      |
Sensor Information |   |   |   |       |                 |                          |                      |

(C/I/A = Confidentiality/Integrity/Availability; H/M/L = High/Medium/Low)

Recursively apply the classification to the different parts of the solution, until you have a big picture of the parts and their interconnections.

Start designing a minimal risk assessment, specifying some detailed use cases with their probability and impact. This will help you to better understand your organization and the business, and to prioritize the tasks.
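The classification step above, done by hand in the table, can be automated once the data-to-asset mapping is written down. The following is an added example (not code from the article): each asset (container, VM, backup) inherits the highest C/I/A rating of every data item that touches it, and the protection category is derived from the result. The Sensor Information ratings and the asset names other than those in the table are constructed for illustration.

```python
# Added example: propagate the CIA classification of data items down to the
# assets that handle them, then derive the protection category per asset.
from dataclasses import dataclass, field

LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class DataItem:
    name: str
    c: str
    i: str
    a: str
    # assets (container, VM, backup, ...) through which this data flows
    assets: list = field(default_factory=list)

def classify_assets(items):
    """Return {asset: (C, I, A)}: each asset inherits the highest rating of
    every data item that touches it (the recursive "big picture" view)."""
    result = {}
    for d in items:
        for asset in d.assets:
            cur = result.get(asset, (1, 1, 1))
            result[asset] = tuple(max(x, LEVELS[y])
                                  for x, y in zip(cur, (d.c, d.i, d.a)))
    return {k: tuple(NAMES[x] for x in v) for k, v in result.items()}

def protection_category(cia):
    """Assumption matching the article's tables: any High rating calls for
    ad-hoc measures on top of the baseline, otherwise the baseline suffices."""
    return "Ad-hoc" if "H" in cia else "Baseline"

def risk_score(probability, impact):
    """Minimal risk assessment: probability and impact on a 1-5 scale."""
    return probability * impact

# Constructed sample. Login Info follows the article's table row (H/M/L);
# the Sensor Information ratings and the MQTT Broker asset are assumptions.
SAMPLE = [
    DataItem("Login Info", "H", "M", "L",
             ["Logon Container", "User DB", "Apache Pool", "DB Pool", "DB Backup"]),
    DataItem("Sensor Information", "L", "M", "M",
             ["MQTT Broker", "DB Pool", "DB Backup"]),
]

if __name__ == "__main__":
    for asset, cia in classify_assets(SAMPLE).items():
        print(f"{asset:16} C/I/A={'/'.join(cia)} -> {protection_category(cia)}")
```

Shared assets such as the DB Pool end up with the strictest rating of everything stored in them, which is exactly why the backup and VM columns belong in the table.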

Protect

The Protect function supports the ability to limit or contain the impact of a potential cyber-security event.

The protection measures may vary based on the risk assessment, but we can divide them into two main categories:

Category / Description

Baseline
  Baseline protection measures are all the modern standard security measures, like OS hardening, use of encryption in communications, secure storage procedures for passwords, defensive programming, etc. CIS and OWASP have a good set of ready-to-use policies. Use them from the testing phase onward.

Ad-hoc
  Ad-hoc protection measures are stronger or additional (multi-layer) procedures for specific parts of the solution, like FIPS, WAF, journaling, etc. Carefully check your design and requirements, and remember that each layer adds an intrinsic threat: complexity. The solution becomes bigger, more complex, and harder to understand and maintain. So, be careful.

Apply different measures to the different components:

Component          | Security Measures
Login Info         | Ad-hoc
Admin Profile      | Ad-hoc
Sensor Information | Baseline

Start implementing hardening in the testing phase. Investing a couple of hours at the beginning to engineer a robust template for your Docker files does not make a big difference. Having to retrofit security into base assets like a container does.

Detect

The Detect function enables timely discovery of cyber-security events.

Every time I mention Detect, the answer is: “At the moment we are focused on developing and building the system; detect is planned for version two.” Wrong!

If you don’t add Detect from the start, you will miss all the positive feedback during development, like the definition of the log information needed to efficiently monitor the application’s behavior. Having someone define the set of information the detection function expects will force developers and systems engineers to create the logging framework needed for every component, to check whether the data (date, hostname/fqdn, messages) are normalized, and whether they are useful for the final use cases. It is easier to implement changes during the development process (for example, tuning an auditd policy) than to add them after the first version is complete.
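One concrete form of that feedback is a check, run during development, that every component’s events carry the normalized fields the detection use cases need. This is an added example and not code from the article; the JSON event format, the field names and the three component names are assumptions, and the log lines are constructed.

```python
# Added example: verify that application log events are normalized enough
# for the Detect function (ISO timestamp with timezone, fqdn, known
# component, message). Field names and component set are assumptions.
import json
import re
from datetime import datetime

REQUIRED = ("ts", "host", "component", "msg")
FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
COMPONENTS = {"edge", "mqtt", "core"}   # the article's three parts

def check_event(line):
    """Return the normalization problems of one JSON log line
    (an empty list means the event is usable by the detection function)."""
    problems = []
    try:
        ev = json.loads(line)
    except ValueError:
        return ["not JSON"]
    for f in REQUIRED:
        if f not in ev:
            problems.append(f"missing {f}")
    if "ts" in ev:
        # ISO 8601 with an explicit offset, so events from different
        # continents can be ordered correctly when correlated
        try:
            if datetime.fromisoformat(ev["ts"]).utcoffset() is None:
                problems.append("ts has no timezone")
        except ValueError:
            problems.append("ts not ISO 8601")
    if "host" in ev and not FQDN_RE.match(str(ev["host"])):
        problems.append("host is not an fqdn")
    if "component" in ev and ev["component"] not in COMPONENTS:
        problems.append("unknown component")
    return problems

def audit_log(lines):
    """Map line numbers to their problems; only non-conforming lines appear."""
    return {n: p for n, p in ((n, check_event(l)) for n, l in enumerate(lines, 1)) if p}

# Constructed sample: line 1 is normalized, lines 2 and 3 are not.
SAMPLE = [
    '{"ts": "2024-03-01T10:15:00+00:00", "host": "edge-01.site.example", "component": "edge", "msg": "sensor read ok"}',
    '{"ts": "01/03/2024 10:15", "host": "broker1", "component": "mqtt", "msg": "client connected"}',
    'Mar  1 10:15:01 core login failed for admin',
]

if __name__ == "__main__":
    for n, problems in audit_log(SAMPLE).items():
        print(f"line {n}: {', '.join(problems)}")
```

Running such a check in the CI pipeline turns the logging requirements into a test the developers see fail, rather than a document they read later.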

Respond and Recover

The Respond function supports the ability to contain the impact of a potential cyber-security incident. The Recover function supports timely recovery to normal operations to reduce the impact from a cyber-security incident.

The last two functions are mainly focused on procedures, so you can really start developing them in a second phase. But you must still have at least defined and tested a recovery strategy, to check whether it integrates with the final system.

Tools and Documents

Below is a list of useful documents to read.


ENISA and NIST have very good documents on specific aspects, like firmware updates; refer also to the Cloud Security Alliance (CSA).

Risk Assessment

I would also recommend the ENISA report Looking into the crystal ball – A report on emerging technologies and security challenges.



If you have a complex system to secure, do not wait to implement the measures. Split the system and start applying security to the different parts as soon as possible, even if it causes problems at first. Developers and systems engineers will start to consider security a necessary measure. In the long run the problems will shrink and security will be drastically improved.

We use NIST-CSF for different customers (banks, insurances, hotels, industry, small business) and different systems with good results (an increase in the customer’s security and awareness). Take a look at it, go through all the questions and try to give an answer. It is a good starting point.

Remember: Nothing is written in stone! You can start writing something and, as long as the structure is good, iteratively correct it or add pieces.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.
