Building a secure IoT

IoT devices and the ecosystems they comprise are constantly exposed to a wide variety of rapidly evolving threats. By partnering with Kudelski, we are doing our part to build a secure, sustainable Internet of Things (IoT).

The Internet of Things (IoT) depends, by definition, on creating an ecosystem of distributed devices that are connected over a communications infrastructure. This infrastructure can be private; often, however, it is the open internet. Combining widely distributed and often low-cost devices with arbitrary network connectivity and cloud-based applications can lead to IoT ecosystems that are vulnerable to a wide variety of security threats.

One way to counter these threats is to ensure that the physical and digital assets of the ecosystem are properly protected. This means embedding robust security features in the IoT devices so that they can form the basis of a chain of trust, control, and integrity that applies throughout the resultant IoT ecosystem, throughout its lifetime.

Here are five key issues to address when thinking about how to secure such IoT assets:

ENFORCE UNIQUE DEVICE IDENTITIES: Any device in an IoT ecosystem that produces data or executes commands must have a unique identity that cannot be cloned. These unique identities form the basis for all other security functions.

CONTROL ACCESS TO DEVICE RESOURCES: IoT devices are often installed in uncontrolled environments, which makes them vulnerable. Hackers may access the unencrypted data the devices hold, upload malware for onward distribution, subvert the devices to carry out distributed denial-of-service attacks, or simply gain access to features for which they haven’t paid. This means it is important to ensure that device resources, such as CPU, memory, and connectivity, can only be used for their designated tasks.

PROTECT DATA INTEGRITY: The protection of data, at rest or in motion, is extremely important, to ensure privacy, confidentiality, and to meet general regulatory requirements, such as GDPR, as well as industry-specific rules such as HIPAA, the US health information privacy rules.

SECURE DECISION-MAKING: IoT devices and ecosystems must be able to rely on the validity of the input data they use to make decisions, whether those decisions are made using traditional logic or machine-learning algorithms. Decisions should be executed in a secure environment so that they are safe from tampering and intellectual-property theft.

AUTHENTICATE COMMANDS: It’s important to be able to validate that any commands sent to an IoT device (such as ‘inject insulin’, ‘open/close valve’, ‘apply brakes’ etc.) come from a legitimate source.

Securing IoT devices alone isn’t enough to enable more secure IoT ecosystems, unless it is matched by a more agile approach to security in the organizations that develop and deploy them. To do so, organizations need a clear understanding of the current and emerging threats to which their devices are exposed, in order to set up and sustain the necessary security processes.

In a recent white paper we authored with security experts at Kudelski Group, we provide the background, vocabulary, and key concepts necessary to develop and deploy IoT ecosystems that are resilient to evolving cyber-threats. The fruit of our partnership with Kudelski is an end-to-end security process that helps IoT device manufacturers design, test, and implement a security architecture that prepares their products for the diverse and constantly evolving threats they will face once deployed.

The white paper is available here.