An IoT gateway bridges the communication gap between devices, sensors, equipment, systems and the cloud. Besides connecting field devices to the cloud, IoT gateways offer local processing and storage, as well as the ability to autonomously control field devices based on sensor inputs. IoT gateways also let customers securely aggregate, process and filter data for analysis, and help ensure that the federated data generated by devices and systems travels safely and securely from the edge to the cloud.
The biggest challenge lies in enabling interoperability by supporting multiple sensor connectivity protocols, such as Z-Wave, ZigBee, BLE, Wi-Fi and BACnet. The connected sensors and devices in an IoT ecosystem should be able to communicate seamlessly with other devices through the gateway, or send the required data to the cloud.
The following functionalities are essential in an IoT gateway solution:
Security should be an integral component of any IoT ecosystem. Active and passive network attacks, including device monitoring, eavesdropping, man-in-the-middle attacks and jamming, are a few common examples. The need here is to safeguard IoT assets through complete IoT device life cycle management controls and a layered security approach. Layered security should include network security, application security, device security and physical security. The security strategy should ensure authenticated, encrypted connectivity to the IoT gateway, payload encryption, certificate-based device identity, and encryption of data at rest and in transit.
One of the biggest challenges for a large-scale IoT solution using gateways is continuous availability of the gateway, without downtime or security breaches. A scalable solution is to deploy many gateways in the IoT network and enable peer-to-peer connectivity between them, a concept similar to clustered cloud networks. This constitutes IoT gateway clustering. For example, in an industrial plant the volume of data generated by different IoT devices can be very high. IoT gateways can provide a secure connection between the cloud and the devices for data storage and analysis. To ensure high availability of the gateways, all of them can be enabled to communicate with each other through a common communication bus. At eInfochips, we term it the CIB™ (Communication Interface Bus), a combination of multiple OT (Operational Technology) buses that results in a cluster of gateways.
In a cluster, OT buses enable intercommunication between gateways, and IT buses provide the gateways' cloud connectivity. If one of the gateways goes down or encounters a security breach, it can transfer its running application configuration and device data to a geo-correlated (neighbouring) gateway. The cluster manager, operating from the cloud, can pre-configure the gateway cluster with its geo-correlated gateways.
Horizontal scaling is the ability of an IoT framework to add more gateways to an existing mesh network. To enable that, gateways need to be interconnected through a common communication bus. With OT bus connectivity, a new gateway can be added without modifying the existing network of devices.
Vertical scaling is any increase in the functional capability of an individual gateway: more memory, new device software, OS or hardware, changed device configuration or additional APIs. A microservice-based application architecture for gateways allows vertical scaling, so you can add devices, resources and microservices to the gateway as requirements change.
To avoid overloading a single gateway, a cluster manager can define a threshold occupancy for each gateway; data is then distributed across the gateways in the cluster for faster response and balanced load. When a gateway's load exceeds its threshold, it automatically transfers the excess load to a nearby gateway.
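The threshold rule above and the geo-correlated failover described earlier, as an added example (not eInfochips code or the CIB implementation). The gateway names, coordinates, capacities and loads are constructed; distance between gateway positions stands in for geo-correlation, and the cluster manager is assumed to see every gateway's load.

```python
# Added example, not eInfochips code: a minimal cluster manager that applies
# the threshold-occupancy rule above and the geo-correlated failover described
# earlier. Gateway names, coordinates, capacities and loads are constructed.
import math


class Gateway:
    def __init__(self, name, location, capacity, threshold=0.8):
        self.name = name
        self.location = location      # (x, y) position, arbitrary units
        self.capacity = capacity      # load units the gateway can carry at most
        self.threshold = threshold    # occupancy fraction that triggers offloading
        self.load = 0                 # current load units (e.g. devices or msg/s)
        self.healthy = True
        self.config = {}              # running application configuration

    def occupancy(self):
        return self.load / self.capacity

    def limit(self):
        """Load units allowed before the threshold is crossed."""
        return int(self.threshold * self.capacity)

    def headroom(self):
        return self.limit() - self.load


class ClusterManager:
    """Cloud-side cluster manager: knows every gateway and its position."""

    def __init__(self, gateways):
        self.gateways = {g.name: g for g in gateways}

    def neighbours(self, gw):
        """Healthy gateways other than gw, nearest first (geo-correlation)."""
        others = [g for g in self.gateways.values() if g is not gw and g.healthy]
        return sorted(others, key=lambda g: math.dist(g.location, gw.location))

    def rebalance(self, gw):
        """Push load above gw's threshold to the nearest gateways with headroom.
        Returns the list of (target_name, units_moved)."""
        moves = []
        excess = gw.load - gw.limit()
        for nb in self.neighbours(gw):
            if excess <= 0:
                break
            room = nb.headroom()
            if room <= 0:
                continue        # neighbour is itself at its threshold
            moved = min(room, excess)
            nb.load += moved
            gw.load -= moved
            excess -= moved
            moves.append((nb.name, moved))
        return moves            # any remaining excess stays: cluster is saturated

    def add_load(self, name, units):
        """Assign new load to a gateway and offload if it crosses the threshold."""
        gw = self.gateways[name]
        gw.load += units
        return self.rebalance(gw) if gw.occupancy() > gw.threshold else []

    def failover(self, name):
        """A gateway went down or was breached: mark it unhealthy and hand its
        configuration and load to the nearest healthy neighbour, which is then
        rebalanced in turn. Returns (target_name, follow-on moves)."""
        gw = self.gateways[name]
        gw.healthy = False
        neighbours = self.neighbours(gw)
        if not neighbours:
            raise RuntimeError("no healthy neighbour available for " + name)
        target = neighbours[0]
        target.config.update(gw.config)
        target.load += gw.load
        gw.load, gw.config = 0, {}
        moves = self.rebalance(target) if target.occupancy() > target.threshold else []
        return target.name, moves


def demo():
    """Three constructed gateways on a line; gw-b is the close neighbour of gw-a."""
    cm = ClusterManager([
        Gateway("gw-a", (0, 0), 100),
        Gateway("gw-b", (1, 0), 100),
        Gateway("gw-c", (5, 0), 100),
    ])
    first = cm.add_load("gw-a", 90)          # 90% > 80% threshold: 10 units move to gw-b
    cm.gateways["gw-b"].config = {"app": "modbus-bridge"}
    second = cm.failover("gw-b")             # gw-b breached: config + load go to gw-a
    return first, second


if __name__ == "__main__":
    print(demo())
```

In the demo, the failover pushes gw-a over its own threshold, so the manager rebalances again and moves the excess to gw-c, the next nearest healthy gateway; a breached gateway is excluded from neighbour selection until it is marked healthy again.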
Interoperability is one of the characteristics of an IoT gateway: it allows the gateway to connect with a wide variety of devices across diverse connection protocols and standards, such as ZigBee, Z-Wave, Bluetooth, BACnet, BLE, LPWAN and Wi-Fi.
Physical attack: unauthorised access to the gateway hardware, and unauthorised geographical movement of the gateway.
Software attack: viruses, Trojans, worms and denial of service. Safety-critical information, such as a warning of a broken gas line, can go unnoticed when a DDoS floods the path that carries IoT sensor data.
Network attack: node capture, node subversion, node malfunction, message corruption, routing attacks, false nodes, and radio jamming.
Cryptanalysis attack: ciphertext-only, known-plaintext and chosen-plaintext attacks, and man-in-the-middle attacks against the key exchange.
Side-channel and invasive attack: micro-probing and reverse engineering of the hardware.
DDoS stands for Distributed Denial of Service: an attack in which many compromised sources (for example, Trojan-infected hosts) are used together against a single target. In an IoT gateway network, the attacker sends large numbers of unauthorised or malicious requests and messages to the gateway, which then spends its resources rejecting them while its other critical processes are starved.
The most common way to protect an IoT gateway from DDoS is a rate-limiting layer (an anti-jamming layer): an algorithm that caps how many requests the gateway will answer per source and in total per interval, so a flood of access requests from malicious sources cannot consume the gateway's capacity. Rate limiting protects the gateway's own processing; a volumetric flood that saturates the gateway's uplink has to be absorbed upstream, at the network or cloud edge.
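A rate-limiting layer of the kind described above, as an added example (not code from the article or from any eInfochips product). It combines a per-source token bucket with a global bucket; the sensor and attacker addresses, the bucket sizes and the request trace are constructed for illustration.

```python
# Added example, not from the article: a per-source token-bucket rate limiter
# with a global bucket, i.e. the "anti-jamming layer" described above. The
# sensor/attacker addresses and the request trace are constructed.
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayRateLimiter:
    """The per-source limit stops a single chatty or malicious node; the global
    limit keeps the total accepted rate below what the gateway can process, so
    its own control loops are not starved even when many sources flood it."""

    def __init__(self, source_rate, source_burst, global_rate, global_burst):
        self.buckets = defaultdict(lambda: TokenBucket(source_rate, source_burst))
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.dropped = defaultdict(int)

    def handle(self, source, now):
        """Return True if the request from `source` at time `now` is accepted."""
        if not self.buckets[source].allow(now):
            self.dropped[source] += 1
            return False
        if not self.global_bucket.allow(now):
            self.dropped["global"] += 1
            return False
        return True


SENSOR = "10.0.0.5"          # constructed: legitimate field sensor
ATTACKER = "203.0.113.7"     # constructed: flooding host (TEST-NET-3 address)


def build_trace():
    """Constructed request trace: the sensor reports once per second for 10 s,
    the attacker fires 50 requests in the first half second."""
    trace = [(float(t), SENSOR) for t in range(10)]
    trace += [(i * 0.01, ATTACKER) for i in range(50)]
    return sorted(trace)


def run_trace(trace, limiter=None):
    """Feed the trace through the limiter; return (accepted, dropped) per source."""
    limiter = limiter or GatewayRateLimiter(source_rate=1.0, source_burst=5,
                                            global_rate=100.0, global_burst=200)
    accepted = defaultdict(int)
    for now, source in trace:
        if limiter.handle(source, now):
            accepted[source] += 1
    return dict(accepted), dict(limiter.dropped)


if __name__ == "__main__":
    print(run_trace(build_trace()))
```

With a burst of 5 and a refill of one token per second per source, the sensor's 10 reports are all accepted while the attacker gets its first 5 requests through and the remaining 45 are dropped without touching the global budget. In a real gateway the source key would be whatever identifies the peer at that layer (IP address, device certificate subject, MQTT client ID), and dropped counters would feed the gateway's alerting.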
Hardware security can be achieved in an IoT gateway solution by adopting a TPM (Trusted Platform Module) and a TEE (Trusted Execution Environment). A TPM is a dedicated chip installed on the endpoint board next to the CPU. It is used mainly for cryptographic operations such as generating keys, storing keys and storing small amounts of sensitive data. A TEE is a separate execution environment that separates security functionality from ordinary operational functionality. It consists of APIs, a kernel and a trusted OS that run security checks in parallel with the normal OS.
A TPM is a microcontroller that integrates with the gateway's system hardware to perform cryptographic operations such as key generation and key storage, and to protect small amounts of sensitive information such as passwords, boot software measurements and cryptographic keys, providing hardware-based security.
A TPM is often built into a system to provide hardware-based security. It combines hardware and firmware to protect credentials while they are in unencrypted form. The TPM acts as a hardware root of trust that provides secure storage for credentials and protected execution of cryptographic operations. It is isolated from the main CPU and implemented either as a discrete chip, as a security coprocessor integrated into the SoC, or in firmware.
The TEE is an isolated, secure area of the main processor that provides security functionality for application integrity and confidentiality. The TEE separates security functionality from operational functionality. It mainly consists of three parts: a trusted OS, an internal micro-kernel and APIs, and it runs security checks in parallel with the standard OS. Common security functions include isolated execution of security operations, integrity of the code loaded and data stored, and confidentiality of data stored in the TEE. It protects data at rest and data in use within the TEE. Because it runs on the main processor, a TEE also offers higher performance and access to far more memory than a TPM.
Secure Boot: a boot chain in which each stage verifies the signature of the next stage against OEM-trusted keys before executing it, ensuring the authenticity and integrity of the device's boot.
Measured Boot: measured boot is used for integrity verification. Each boot component is hashed into the TPM's platform configuration registers (PCRs) before it runs, so a verifier can later detect that a component has changed. As anti-malware software has become better at detecting runtime malware, attackers have become better at creating rootkits that hide from such detection; measurements taken at boot catch modifications that runtime scanners miss.
Attestation: in cloud computing, attestation is an essential mechanism, usually rooted in a trusted hardware component, for building a trusted system. It is used to validate the integrity of a remote device's software and state, typically by having the TPM sign its boot measurements together with a nonce supplied by the verifier. Attestation uses cryptographic identity techniques to confirm the identity and authenticity of remote devices; privacy-preserving variants do so without revealing the device's individual identity.
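Secure boot, measured boot and attestation as one end-to-end simulation, added here as an example and not code from the article or from any TPM vendor. The stage images, keys and golden values are constructed; an HMAC stands in for the OEM's code-signing signature and for the TPM's asymmetric attestation key so that the example runs offline with the standard library, and the PCR extend operation follows the TPM rule of hashing the old register value together with the new measurement.

```python
# Added example, not from the article: a simulation of secure boot (signature
# check per stage), measured boot (TPM-style PCR extend chain with an event
# log) and remote attestation (quote over nonce + PCR, checked against golden
# measurements). Keys, stage images and golden values are constructed; HMAC
# stands in for real signatures so the example runs offline.
import hashlib
import hmac
import os

PCR_INIT = bytes(32)    # a SHA-256 PCR is all zeros at power-on


def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new_pcr = H(old_pcr || digest). Order-sensitive and one-way,
    so a changed or reordered stage yields a different final value."""
    return hashlib.sha256(pcr + digest).digest()


def sign_stage(oem_key: bytes, image: bytes) -> bytes:
    """Stand-in for the OEM's signature over a boot stage (assumption: HMAC)."""
    return hmac.new(oem_key, image, hashlib.sha256).digest()


class SecureBootError(Exception):
    pass


class Device:
    def __init__(self, oem_key, attestation_key, stages, enforce_secure_boot=True):
        self.oem_key = oem_key
        self.ak = attestation_key
        self.stages = stages            # list of (name, image, signature)
        self.enforce = enforce_secure_boot
        self.pcr = PCR_INIT
        self.log = []                   # event log: (stage name, digest hex)

    def boot(self):
        self.pcr, self.log = PCR_INIT, []
        for name, image, sig in self.stages:
            if self.enforce and not hmac.compare_digest(sign_stage(self.oem_key, image), sig):
                raise SecureBootError(name + ": signature check failed, halting")
            digest = measure(image)     # measure before executing the stage
            self.log.append((name, digest.hex()))
            self.pcr = extend(self.pcr, digest)

    def quote(self, nonce: bytes) -> dict:
        """Attestation quote: the AK signs the verifier's nonce and the PCR."""
        sig = hmac.new(self.ak, nonce + self.pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig, "log": list(self.log)}


class Verifier:
    def __init__(self, attestation_key, golden_images):
        self.ak = attestation_key
        pcr = PCR_INIT                  # expected PCR from known-good images
        for image in golden_images:
            pcr = extend(pcr, measure(image))
        self.expected_pcr = pcr

    def verify(self, q: dict, nonce: bytes):
        if q["nonce"] != nonce:
            return False, "nonce mismatch (replayed quote)"
        expected = hmac.new(self.ak, nonce + q["pcr"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return False, "bad quote signature"
        pcr = PCR_INIT                  # replay the log: it must reproduce the PCR
        for _, digest_hex in q["log"]:
            pcr = extend(pcr, bytes.fromhex(digest_hex))
        if pcr != q["pcr"]:
            return False, "event log inconsistent with PCR"
        if q["pcr"] != self.expected_pcr:
            return False, "unexpected boot measurements"
        return True, "ok"


OEM_KEY = b"constructed-oem-signing-key"
AK = b"constructed-device-attestation-key"
GOLDEN = [b"bootloader v1", b"kernel v5.10", b"rootfs v3"]   # constructed images
NAMES = ["bootloader", "kernel", "rootfs"]


def signed_stages(images):
    return [(n, im, sign_stage(OEM_KEY, im)) for n, im in zip(NAMES, images)]


def attest(images, enforce_secure_boot=True, nonce=None):
    """Boot a device built from `images` and attest it to a verifier that
    expects the GOLDEN images. Returns the verifier's (ok, reason)."""
    # Stages carry the OEM signatures of the golden images, so a modified image
    # is unsigned: exactly the case secure boot exists to catch.
    stages = [(n, im, sig) for (n, _, sig), im in zip(signed_stages(GOLDEN), images)]
    dev = Device(OEM_KEY, AK, stages, enforce_secure_boot)
    dev.boot()
    nonce = nonce or os.urandom(16)
    return Verifier(AK, GOLDEN).verify(dev.quote(nonce), nonce)


if __name__ == "__main__":
    print(attest(GOLDEN))
    rootkit = [GOLDEN[0], b"kernel v5.10 + rootkit", GOLDEN[2]]
    print(attest(rootkit, enforce_secure_boot=False))
```

The two mechanisms fail differently: with secure boot enforced, a tampered kernel never runs (the device halts with a signature error); with secure boot disabled, the device boots, but the quote it produces no longer matches the verifier's golden PCR, which is how a rootkit that evades runtime scanners still gets caught. The verifier also rejects a quote for a stale nonce (replay) and an event log that does not reproduce the quoted PCR, the checks a real attestation service performs before it trusts a gateway's reported state.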
Blockchain technology can be used for authentication in IoT networks, since it uses a "micro-ledger" as evidence for peer-to-peer communications. A blockchain can record the communication history of two IoT gateways or devices. Once an action (or "transaction") is stored in the micro-ledger, it cannot be altered later. Whereas certificate-based trust depends on a certificate authority that can be compromised, a blockchain has the advantage of being distributed across the participants.
The biggest challenge in an Industrial IoT solution is collecting data from legacy devices and digitizing it in line with current technology. Gateway connectivity to legacy devices enables secure data processing and real-time analysis.
Consider an industrial unit that has many gateways deployed in different areas because of the number of smart devices and machines. All these gateways are connected to each other in a mesh network and communicate peer to peer. Gateways situated near one another (geo-correlated gateways) can be pre-configured as a cluster of gateways, which addresses the problem of IT/OT convergence.
This clustering enables distributed edge analytics. The distributed edge nodes process data at the edge before transferring it to the cloud, which reduces latency. The edge-filtered data can be sent to a fog node or directly to the cloud for post-event processing. Further, each cluster forms a fog node, and a combination of fog nodes allows distributed fog computing. This gives fast, real-time data analysis across a large industrial area, enabling faster fault response times.
Smart grids have two ends: the consumer and the utility. Gateways are connected at both levels: the consumer end (AMI, the advanced metering infrastructure) and the utility end (the substation). At the AMI level, the gateway allows distributed edge computing and forms fog computing nodes at the substation level. When these gateways are clustered, utility companies can build a distributed fog computing network. Clustering of gateways also enables inter-gateway communication, providing the benefits of horizontal and vertical scaling. For example, if a gateway associated with a grid substation fails due to excess load or any other malfunction, it can transfer its running application container to another substation gateway. This reduces system failures, and faults can be identified and resolved in minimal time. That enables dynamic control of substations at larger scales, such as a city, a state or even a country, for a better grid system.
Clustering also enables predictive maintenance of the system: it sends a notification to the utility company about faults identified in the system that need a quick response. The gateway provides interoperability through a wide range of protocols that ensure connectivity to most grid components.
The most common threat indicators shared are IP addresses, Fully Qualified Domain Names (FQDNs) and malicious URLs. Several frameworks exist for identifying and mitigating cyber threats, including the Collective Intelligence Framework (CIF), Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information Expression (STIX). STIX describes the threat information and TAXII transports it; together they let systems continuously exchange indicators and build a chain of messages. In a STIX bundle, for instance, a query for a specific indicator returns information on the cyber risk, the threat actor, a recommended course of action and other context. To build a chain of trust, IoT devices should share threat indicators and other pertinent information with nearby devices on the same network.
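How a gateway would consume such indicators, as an added example that is not code from the article or from the STIX/TAXII projects. The bundle below is constructed sample data in STIX 2.1 layout (illustrative IDs and TEST-NET addresses, not real threat intelligence), of the kind a TAXII client would have fetched; the pattern parser is a deliberate simplification that handles only equality comparisons joined by OR, which is enough for plain IP, FQDN and URL indicators.

```python
# Added example, not from the article: a gateway-side consumer of STIX 2.1
# indicators. The bundle is constructed sample data (illustrative IDs and
# TEST-NET addresses, not real threat intelligence) as a TAXII client would
# have fetched it. Only [a:b = 'x' OR c:d = 'y'] patterns are supported.
import re

BUNDLE = {
    "type": "bundle",
    "id": "bundle--3f9a1a6e-2c1d-4e2e-9f2a-1b8c7d6e5f40",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-0001-4a0b-8c0d-000000000001",
         "name": "Known C2 beacon address",
         "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7' OR domain-name:value = 'c2.example']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-0002-4a0b-8c0d-000000000002",
         "name": "Firmware dropper URL",
         "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[url:value = 'http://c2.example/fw.bin']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "course-of-action", "spec_version": "2.1",
         "id": "course-of-action--a1b2c3d4-0003-4a0b-8c0d-000000000003",
         "name": "Block the indicator at the gateway firewall and alert SOC"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--a1b2c3d4-0004-4a0b-8c0d-000000000004",
         "relationship_type": "mitigates",
         "source_ref": "course-of-action--a1b2c3d4-0003-4a0b-8c0d-000000000003",
         "target_ref": "indicator--a1b2c3d4-0001-4a0b-8c0d-000000000001"},
    ],
}

COMPARISON = re.compile(r"(?P<type>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'")


def parse_pattern(pattern):
    """[a:b = 'x' OR c:d = 'y'] -> [("a", "b", "x"), ("c", "d", "y")]."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: " + pattern)
    comps = []
    for part in body[1:-1].split(" OR "):
        m = COMPARISON.fullmatch(part.strip())
        if m is None:
            raise ValueError("unsupported comparison: " + part)
        comps.append((m["type"], m["prop"], m["value"]))
    return comps


def load_indicators(bundle):
    """Indicators with parsed patterns and the course of action that
    mitigates each one (via `mitigates` relationships), if any."""
    objects = {o["id"]: o for o in bundle["objects"]}
    coa_for = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates":
            coa_for[o["target_ref"]] = objects[o["source_ref"]]["name"]
    return [{"name": o["name"],
             "comparisons": parse_pattern(o["pattern"]),
             "course_of_action": coa_for.get(o["id"])}
            for o in bundle["objects"] if o["type"] == "indicator"]


def match_event(event, indicators):
    """`event` maps observable keys such as 'ipv4-addr:value' to the value the
    gateway saw. Returns (indicator name, course of action) for each hit."""
    hits = []
    for ind in indicators:
        if any(event.get(t + ":" + p) == v for t, p, v in ind["comparisons"]):
            hits.append((ind["name"], ind["course_of_action"]))
    return hits


EVENTS = [   # constructed gateway observations
    {"ipv4-addr:value": "10.0.0.5"},                   # a local sensor
    {"ipv4-addr:value": "203.0.113.7"},                # outbound to the C2 address
    {"url:value": "http://c2.example/fw.bin"},         # dropper fetch
    {"domain-name:value": "update.vendor.example"},    # benign DNS lookup
]


def scan(events=EVENTS, bundle=BUNDLE):
    """Return (event index, hits) for every event that matches an indicator."""
    indicators = load_indicators(bundle)
    results = []
    for i, event in enumerate(events):
        hits = match_event(event, indicators)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan():
        print(idx, hits)
```

The relationship object is what turns a bare indicator into an actionable one: the gateway learns not only that 203.0.113.7 is hostile but which course of action the feed recommends, and the second indicator shows the fallback when no mitigation is attached. A production consumer would use a full STIX pattern library and check each indicator's validity window before acting on it.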
The Internet of Things (IoT) generates a huge amount of data, or big data. Managing the flow and storage of this data is a tedious task for enterprises. Cloud computing, with its different service models and platforms, helps companies manage and analyze this data, enhancing the overall efficiency of the IoT system. Device lifecycle management (DLM), application enablement platforms (AEP) and digital twins are some of the solutions that are better leveraged through cloud platforms such as Amazon Web Services (AWS) and Microsoft Azure.
Cloud computing supports the storage and analysis of data produced by the Internet of Things so that enterprises can get the maximum benefit from an IoT infrastructure. An IoT solution should connect things, people and processes and let them communicate, and cloud computing plays an important role in this collaboration by creating high visibility.
With cloud computing, organizations do not have to deploy extensive hardware or configure and manage networks and infrastructure for IoT deployments. Cloud computing also lets enterprises scale the infrastructure up as their needs grow without setting up additional hardware. This not only speeds up development but can also cut development costs, because enterprises pay only for the resources they consume rather than purchasing and provisioning servers and other infrastructure.
Enterprises build applications through cloud services (SaaS) that connect devices and provide device registration, onboarding, remote updates and remote diagnostics in minimal time, with lower operational and support costs. The cloud brings DevOps into the IoT ecosystem, which helps organizations automate many processes remotely. As more and more devices get connected, the challenges of data security, control and management become critical. Cloud services provide remote device lifecycle management, which is key to a 360-degree view of the device infrastructure. Some cloud providers offer IoT device lifecycle tools that simplify firmware and software updates over the air (FOTA).
Device shadowing, or digital twins, is a technique for creating a replica or digital model of the applications, systems and processes in an IoT deployment; it represents how the different elements of the IoT system operate. With a digital twin, developers can keep a backup of the running applications and devices in the cloud, making the IoT system highly available in fault and failure events. They can access these applications and device statistics even when the physical system is offline. Organizations can also easily set up virtual servers, launch a database and create the applications and software that help run their IoT solution.