The Internet of Things can be interpreted as a system of intelligent objects that can interact with the environment and process digital information, as well as send it to other objects (and their users) via internet protocols. It is a combination of devices in a network that enables their decentralized communication with each other, utilizing technologies such as an LwM2M Server. This concept is based on constant technological progress and is related to the existence of a global network of many devices and sensors that can exchange information independently. With the growing number of smart devices, one has to wonder how we can control them and whether we can do it in a secure way. And while there are many answers to security in IoT, most of them relate to the devices themselves and their lifecycle.
The lifecycle of a smart device consists of four stages: provisioning, configuration, maintenance and decommissioning. While each stage is related to security, in this article we would like to focus on the first two.
Provisioning is the initial configuration of a device. It includes furnishing the device with important credentials such as certificates, keys and a basic configuration that will secure the device before it is released on the market. It is sometimes also called factory provisioning or factory bootstrapping, and it is usually done by the device manufacturer.
The second stage of the device’s lifecycle is called configuration or bootstrapping, and it is the most important stage from the security perspective. There are many differences between factory bootstrapping (provisioning) and bootstrapping (configuration). First of all, the goal of bootstrapping is to allow the installation of your device anywhere in your network and connect it to the central management system. To establish such a connection, the device needs to be authenticated by the system using the credentials provisioned in the factory bootstrapping stage. This can be done in a few ways. The traditional way is to configure the device manually. However, manual configuration of devices is time-consuming, costly and error-prone. In addition, you need at least basic configuration skills to perform the initial configuration of the device before it is connected to the system.
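To make the two stages concrete, here is an added example (not code from the article or from any LwM2M product) that models them: factory provisioning writes a per-device secret into the device, and the bootstrap server later authenticates the device with a challenge-response against that secret before handing out its configuration. The HMAC-based key derivation, the `MASTER_KEY` value, the serial numbers and the management-server URL are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed manufacturer master key (hypothetical); in production it lives in an HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def derive_device_secret(serial: str, master_key: bytes = MASTER_KEY) -> bytes:
    """Per-device secret derived from the master key, so the server stores no secret table."""
    return hmac.new(master_key, b"device-secret|" + serial.encode(), hashlib.sha256).digest()


def factory_provision(serial: str) -> dict:
    """Stage 1 (factory bootstrapping): the credential written into the device before shipping."""
    return {"serial": serial, "secret": derive_device_secret(serial)}


def device_answer(device: dict, nonce: bytes) -> str:
    """Device side of stage 2: prove possession of the provisioned secret for this nonce."""
    msg = b"bootstrap|" + device["serial"].encode() + b"|" + nonce
    return hmac.new(device["secret"], msg, hashlib.sha256).hexdigest()


class BootstrapServer:
    """Stage 2 (bootstrapping): authenticates a device before releasing its configuration."""

    def __init__(self, master_key: bytes = MASTER_KEY):
        self.master_key = master_key
        self.revoked = set()        # serials pulled from service (decommissioning)
        self.seen_nonces = set()    # replay detection: each challenge is answered once

    def challenge(self) -> bytes:
        """Fresh random nonce sent to the device before it may answer."""
        return secrets.token_bytes(16)

    def bootstrap(self, serial: str, nonce: bytes, answer: str):
        """Return the device configuration on success, None on any authentication failure."""
        if serial in self.revoked or nonce in self.seen_nonces:
            return None
        expected_secret = derive_device_secret(serial, self.master_key)
        msg = b"bootstrap|" + serial.encode() + b"|" + nonce
        expected = hmac.new(expected_secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, answer):
            return None
        self.seen_nonces.add(nonce)
        # Constructed configuration handed only to an authenticated device.
        return {"serial": serial, "management_server": "coaps://lwm2m.example.invalid:5684"}
```

A device that was never provisioned by this manufacturer, a device whose secret was tampered with, and a replayed answer all receive `None` and therefore no configuration.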
The best way to bootstrap devices securely is zero-touch provisioning (ZTP). This feature can be found in network switches, wireless access points, SD-WAN routers, NFV platforms, and even network firewalls. ZTP means that a new device can be delivered directly to the company’s headquarters, and then installed and commissioned by any employee – even someone without any IT-related qualifications.
ZTP starts by assigning an IP address to the device. There are many ways to do that, but usually it is done via the Dynamic Host Configuration Protocol (DHCP), which also provides a default gateway address and passes the local domain name and DNS server addresses. Once the device has an IP address, there may be additional steps such as authentication of a PPPoE or PPPoA connection, but in general the idea behind ZTP is to carry out the configuration without any human intervention and get your device up and running (and connected!) as fast as possible. ZTP is becoming an important function of new devices as manufacturers realize that their devices can be installed anywhere, and that installation costs are in many cases a considerable expense. The technology is usually bundled with larger systems in the company’s network, such as an LwM2M Server or other central management platforms. The benefits of using ZTP are obvious – a significant reduction in order fulfillment time, less time spent on installation and fewer configuration errors, which translates into better security.