6. Encrypt all data in transit - Securing Internet of Things (IoT) with AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

6. Encrypt all data in transit

Encrypt all data in transit, including sensor and device data, administration, provisioning, and deployments.

Nearly all modern IoT devices have enough processing power to encrypt their network traffic, so take advantage of it and protect both data plane and control plane communications. This ensures not only the confidentiality of the data but also the integrity of monitoring signals, which an attacker could otherwise alter or suppress unnoticed. For protocols that can't be encrypted, consider whether a second device closer to the IoT asset (for example, a local gateway) can terminate that communication and re-encapsulate it in a secure protocol before it leaves the local perimeter. Some additional considerations include:

  • Protect the confidentiality and integrity of the inbound and outbound network channels you use for data transfers, monitoring, administration, provisioning, and deployments by selecting modern, internet-native cryptographic network protocols, such as TLS 1.2 or later for TCP-based traffic and DTLS for datagram-based protocols such as CoAP.

  • If possible, limit the number of protocols implemented within a given environment and disable default network services that are unused.

  • If over-the-air (OTA) updates are implemented, address first any network-related vulnerabilities that affect the integrity of the OTA process, because a compromised update channel lets an attacker replace the device's software outright.

  • If possible, implement mechanisms to identify when an insecure network environment is being used. For example, have the device detect and report when the certificate presented during the TLS handshake does not match the certificate or trust anchor provisioned on the device, which is what a man-in-the-middle attempt looks like from the device's side.
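The last two points (TLS 1.2 or later, and detecting a peer whose certificate is not the one provisioned on the device) can be exercised end to end on a loopback socket. The following Go program is an added example written for this page, not code from the whitepaper or from any AWS SDK. It generates two self-signed certificates (constructed in-process; a real device would have its trust anchor provisioned), starts a TLS 1.2+ listener with each, and connects as a device that pins the first certificate. The connection to the first listener succeeds; the connection to the second, which stands in for a man-in-the-middle presenting its own certificate, is rejected and reported as `ErrUntrustedServer`. All names (`newSelfSignedCert`, `startServer`, `deviceTLSConfig`, `connect`, the `iot-broker.example` common name) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrUntrustedServer is the signal the device raises when the peer does not
// present the provisioned certificate: the "insecure network" condition above.
var ErrUntrustedServer = errors.New("peer certificate does not match the pinned device trust anchor")

// newSelfSignedCert builds a self-signed server certificate valid for 127.0.0.1.
// Constructed for this example only; a real device has its anchor provisioned.
func newSelfSignedCert(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startServer is a stand-in broker/gateway: TLS 1.2 minimum, presenting cert,
// answering each connection with one short message.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Write([]byte("ok")) // drives the handshake; fails if the client rejects us
			}(c)
		}
	}()
	return ln, nil
}

// deviceTLSConfig is the device side: TLS 1.2+, chain validation against the one
// pinned certificate, plus an explicit SPKI hash pin on the presented leaf.
func deviceTLSConfig(pinned *x509.Certificate) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	pin := sha256.Sum256(pinned.RawSubjectPublicKeyInfo)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    roots,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if sha256.Sum256(cs.PeerCertificates[0].RawSubjectPublicKeyInfo) != pin {
				return ErrUntrustedServer
			}
			return nil
		},
	}
}

// connect dials addr as the device would. Any certificate mismatch (unknown
// issuer or failed pin) is folded into ErrUntrustedServer for reporting.
func connect(addr string, pinned *x509.Certificate) error {
	conn, err := tls.Dial("tcp", addr, deviceTLSConfig(pinned))
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		if errors.Is(err, ErrUntrustedServer) || errors.As(err, &unknownCA) {
			return ErrUntrustedServer
		}
		return err
	}
	return conn.Close()
}

func main() {
	good, goodLeaf, _ := newSelfSignedCert("iot-broker.example")
	rogue, _, _ := newSelfSignedCert("iot-broker.example") // attacker's own certificate
	ln, _ := startServer(good)
	ln2, _ := startServer(rogue)
	defer ln.Close()
	defer ln2.Close()
	fmt.Println("pinned broker:", connect(ln.Addr().String(), goodLeaf))
	fmt.Println("rogue broker: ", connect(ln2.Addr().String(), goodLeaf))
}
```

On a device, the `ErrUntrustedServer` branch is where you would increment a tamper counter, refuse to send telemetry, and raise an alert through whatever out-of-band channel remains trusted; note that the rogue endpoint here is rejected during the handshake, before any application data is sent.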

Supporting AWS resources

AWS provides the following assets, capabilities, and services to help you encrypt your networks: