Here are five key issues to address when thinking about how to secure such IoT assets:
ENFORCE UNIQUE DEVICE IDENTITIES: Any device in an IoT ecosystem that produces data or executes commands must have a unique identity that cannot be cloned. These unique identities form the basis for all other security functions.
CONTROL ACCESS TO DEVICE RESOURCES: IoT devices are often installed in uncontrolled environments, which makes them vulnerable. Hackers may access the unencrypted data the devices hold, upload malware for onward distribution, subvert the devices to carry out distributed denial-of-service attacks, or simply gain access to features for which they haven’t paid. This means it is important to ensure that device resources, such as CPU, memory, and connectivity, can only be used for their designated tasks.
PROTECT DATA INTEGRITY: Protecting data, at rest or in motion, is extremely important, both to ensure privacy and confidentiality and to meet general regulatory requirements, such as GDPR, as well as industry-specific rules such as HIPAA, the US health information privacy rules.
SECURE DECISION-MAKING: IoT devices and ecosystems must be able to rely on the validity of the input data they use to make decisions, whether those decisions are made using traditional logic or machine-learning algorithms. Decisions should be executed in a secure environment so that they are safe from tampering and intellectual-property theft.
AUTHENTICATE COMMANDS: It’s important to be able to validate that any commands sent to an IoT device (such as ‘inject insulin’, ‘open/close valve’, ‘apply brakes’ etc.) come from a legitimate source.
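The following added example (not taken from the white paper or from any vendor's code) shows how unique device identities and command authentication fit together: each device verifies a keyed tag over the command before acting on it, and refuses replays. It assumes a per-device symmetric key held in protected storage on the device and a monotonic counter; the names sign_command, Device and the valve identifiers are hypothetical.

```python
import hashlib
import hmac
import json

def _canonical(device_id, counter, command):
    # Fixed field order and separators so both sides MAC identical bytes.
    return json.dumps([device_id, counter, command], separators=(",", ":")).encode()

def sign_command(key, device_id, counter, command):
    """Backend side: bind the command to one device and one counter value."""
    tag = hmac.new(key, _canonical(device_id, counter, command), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "counter": counter, "command": command, "tag": tag}

class Device:
    """Device side: holds its own key (assumed to live in protected storage)."""
    def __init__(self, device_id, key, allowed_commands):
        self.device_id = device_id
        self._key = key
        self._allowed = frozenset(allowed_commands)
        self._last_counter = 0  # would be persisted across reboots on real hardware

    def accept(self, msg):
        """Return 'ok' or the reason the command was refused."""
        dev, ctr, cmd = msg.get("device_id"), msg.get("counter"), msg.get("command")
        if not (isinstance(dev, str) and type(ctr) is int and isinstance(cmd, str)):
            return "malformed"
        expected = hmac.new(self._key, _canonical(dev, ctr, cmd), hashlib.sha256).hexdigest()
        got = str(msg.get("tag", "")).encode("utf-8", "replace")
        # Constant-time comparison; verify the tag before trusting any field.
        if not hmac.compare_digest(expected.encode(), got):
            return "bad-tag"
        if dev != self.device_id:
            return "wrong-device"
        if ctr <= self._last_counter:
            return "replay"
        if cmd not in self._allowed:
            return "not-allowed"
        self._last_counter = ctr
        return "ok"

def demo():
    # Constructed keys and device names, for illustration only.
    valve_a = Device("valve-A", b"A" * 32, {"open valve", "close valve"})
    valve_b = Device("valve-B", b"B" * 32, {"open valve", "close valve"})
    msg = sign_command(b"A" * 32, "valve-A", 1, "open valve")
    forged = dict(msg, command="close valve")  # altered after signing
    return [valve_a.accept(msg),      # ok
            valve_a.accept(msg),      # replay
            valve_a.accept(forged),   # bad-tag
            valve_b.accept(msg)]      # bad-tag: B's key differs
```

Because every device has its own key, a key extracted from one device cannot be used to produce commands that another device will accept.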
Securing IoT devices alone isn’t enough to enable more secure IoT ecosystems unless it is matched by a more agile approach to security in the organizations that develop and deploy them. To achieve this, organizations need a clear understanding of the current and emerging threats to which their devices are exposed, so that they can set up and sustain the necessary security processes.
In a recent white paper we authored with security experts at Kudelski Group, we provide the background, vocabulary, and key concepts necessary to develop and deploy IoT ecosystems that are resilient to evolving cyber-threats. The fruit of our partnership with Kudelski is an end-to-end security process that helps IoT device manufacturers design, test, and implement a security architecture that prepares their products for the diverse and constantly evolving threats they will face once deployed.
The white paper is available here.