Building an IoT Device? Address Security from the Start
By Peter Winston | Wednesday, September 20, 2017
With the expansive Equifax breach still making news, the focus on cybersecurity is again intense. At ICS, security is always top of mind as we aim to build — and help others build — connected devices that integrate substantial security features.
In my last blog I framed the issue and offered a number of telling statistics. This week, I’m sharing some tips device manufacturers can follow to strengthen security, as well as some measures enterprises that rely on IoT devices can take immediately to better protect themselves. Though not intended as a comprehensive plan, these measures can have a dramatic, positive impact for your business and your customers.
The Manufacturer’s Role
Yes, of course most devices have at least some built-in protection. Still, patching an individual device is often difficult and time-consuming. Why? Embedded devices, for instance, often lack simple update mechanisms. That can mean regular on-site service visits to update firmware on the control panel of say a room-sized piece of heavy industrial equipment, or an implanted pacemaker or insulin pump. It’s not very convenient so updates are often delayed, even overlooked. Therefore, developers must focus on building security into IoT applications and devices when they design them.
80% of organizations do not routinely test their IoT applications for security vulnerabilities.
— IBM Security and Ponemon Institute
Device manufacturers typically test device security primarily during the production phase. But by that point in the development process, it’s too late to make any truly impactful changes. Instead, they need to adopt a more security-focused approach that protects data against malicious intent by adhering to the principles CIA: confidentiality, integrity, and availability.
And that process starts by building security into devices from the outset -- incorporating security into design and development, rather than handling it as an afterthought right before shipping.
What else can manufacturers do to bolster device security?
- Limit data collection to just that information required for the device to operate as intended. And only keep that data for the shortest amount of time as necessary.
- Prevent unauthorized users from gaining access.
- Design products to ship with unique credentials, or require users to set new credentials the first time they use the device. (According to IBM, most consumers don’t change factory settings yet many IoT devices are shipped with default usernames and passwords that can be found with a simple Google search.)
- Only allow devices to interact with each other after satisfying strong authentication requirements.
- Monitor the health of devices and quickly provide patches as vulnerabilities become known.
- Design devices so they’re capable of receiving software updates for their entire life span.
The Enterprise’s Role
Device owners, both consumers and businesses, need to move beyond simple reliance on the manufacturer for device security. While consumers should focus on simple tasks like changing factory-default passwords, enterprises are under pressure to identify vulnerabilities by finding and securing all of the potentially thousands of devices connecting to the corporate environment.
Fortunately, there are measures IoT-loving businesses can take to make sure the company's networks, devices and products don't become a target.
To address security in a logical manner, businesses should protect against vulnerabilities at a minimum of three basic levels: system, network and application. While a detailed IoT security plan is beyond the scope of this article, some of the general security measures to address include:
Find and secure all of the (potentially thousands) of devices connecting to your environment. Guard against attacks that could be caused due to physical (rather than remote) access to a device, and provide timely security updates.
Guard against an imposter device sending incorrect information that could corrupt application data. Pay attention to configuration, and closely monitor the network for vulnerabilities.
Protect against the invalid use of data or manipulation of analytical processes running in this tier. Penetration testing is one way to confirm you’re secure. The application layer includes any web, mobile or cloud-based application connected with the device so it’s most attractive to hackers. That’s why security for this layer in particular must be a strong focus during not only testing, but the design and development phases.
Additional security measures may include adding network layers (public, private, IoT), updating libraries, addressing buffer flow, remotely updating infected devices, replacing outdated network-connected routers, even disrupting command and control queries issued by attack variants of known threats like Mirai.
It’s impossible to build a 100% secure device — hackers are simply too clever, too motivated and too quick — so it’s up to device users (individuals and enterprises) to prioritize security. Close monitoring and extreme vigilance go a long way.
For businesses looking to actually build — not just use — IoT or IIoT devices, here’s some advice: only hire outside developers that adhere to your own strict security standards and focus on security from the start. Build security into your IoT systems and products so that they are, in the parlance of cyber security expert Symantec, secure by design.
ICS has developed and tested hundreds of successful IoT devices and IIoT industrial controls. If you’re thinking of building a connected or embedded product, get in touch.