IoT Security

Forbes estimates that cybercrime will cost approximately $6 trillion per year on average by 2021.

By 2024, there are expected to be more than 22 billion connected smart devices in the world. This vast opportunity brings vast risk. How are billions of devices kept secure? What about the networks they run on? How do you make sure the data from all these devices isn’t compromised?

IoT security cannot be an afterthought or an add-on. Security must be built in from the beginning.

IoT security requirements are unique. Connecting devices is different from connecting individual people and personal computers. Different sensors being brought into your organization may expose network vulnerabilities. Let Citykinect help you design a digital security strategy for your organization to ensure any IoT sensors brought in adhere to your corporate policy.

Citykinect can help you establish a holistic IoT cybersecurity strategy, from business readiness to technical approach. Being technology-agnostic, we won’t push you to any particular security solution, rather we’ll help you clearly see security vulnerabilities, and plan your approach.

IoT Security Challenges

Security in an IoT network is similar yet different to other computer networks, and in many cases far more complex.

With IT networks, it’s about data and information. But with IoT it’s about the physical world. Instead of manipulating data, malicious parties can manipulate the physical world.

This is why any IoT project should involve someone with proven experience and expertise (like us!) 

Software Updates

Some IoT devices are never updated because they are in use 24/7. Updating devices means one must temporarily shut down a critical system like an assembly line. It’s also possible that a device is too old and doesn’t receive any updates from the vendor.

Physical Safety

Compromise of an IoT device could result in injury or impact the environment. For example, a compromised device could impact railway signalling and make two trains collide.


Some environments (like a power plant) are closed systems so data confidentiality is critical.

A Proper IoT Security Strategy

A properly designed IoT security strategy needs to take these three items into account:


Confidentiality ensures that data is only visible to authorized users. It's achieved by encryption. One needs to consider the type of data IoT devices will transmit and define the requirements for that data. For example, a temperature sensor data in a factory might not require encryption, but a temperature sensor data from a device in a nuclear power plant should definitely be encrypted.


Integrity is important to ensure data is not manipulated while in transit, only by authorized users.

  • Incorrect data can influence a control application (fake data from a smoke detector could trigger all lights to come on and disable the elevators, or could cause a motor to keep running and break down).
  • Incorrect data can influence your analytic application.

Integrity is maintained with checksums and hashing algorithms.


Availability takes priority over everything else—an IoT network often impacts the capability to generate revenue. When the IoT network of a factory is down, resources are wasted:

  • Loss of production goods.
  • Wasted employee time.
  • Wasted raw materials.
  • Possible penalties for failing to meet customer SLAs.

Proper network design and redundancies are key.

LoRaWAN Security

LoRaWAN™ utilizes two layers of security: one for the network and one for the application. The network security ensures authenticity of the node in the network while the application layer of security ensures the network operator does not have access to the end user’s application data.

Accordingly, the LoRaWAN specification defines two layers of cryptography:

  1. A unique 128-bit Network Session Key shared between the end-device and network server.
  2. A unique 128-bit Application Session Key (AppSKey) shared end-to-end at the application level.

Data over LoRaWAN is encrypted twice; sensor data is encrypted by the node, and then it is encrypted again by the LoRaWAN protocol; only then is it sent to the LoRa Gateway. The Gateway sends data over normal IP network to the network server.

The network server has the network session keys (NwkSkey), and decrypts the LoRaWAN data. It then passes the data to the application server which decrypts the sensor data, using the application session key (AppSKey).

This is important since LoRa gateway operates over open frequency so can receive data from any sensor in the vicinity. Thus, it becomes important that the LoRa gateways not have ability to decrypt sensor data.

It’s important to note that it is the LoRaWAN communication protocol that adds the encryption. LoRa transmissions by themselves are simple radio wave transmission and cannot be encrypted.

Talk to Western Canada’s IoT security experts.