May 10, 2017
The Enterprise IoT Security Checklist for Today – and Tomorrow
Everyone’s worried about securing the Internet of Things (IoT). IoT is poised to create an expansive network of self-driving cars, connected energy grids, and smart appliances. According to Gartner, by the end of 2020 there will be 21B IoT devices worldwide, further expanding the current ecosystem. As companies build towards this connected future, they must constantly evaluate the risks that come with these large IoT networks.
Developers and decision-makers can combat the unique risks of IoT early by focusing both on preventing attacks and on ensuring the continued safety of their connected systems as they are being developed. By following a few simple best practices upfront and during the development process, organizations can prioritize areas of focus to remain secure as they build connected products.
Remaining Secure Today
To build a secure system, it’s crucial to reduce the surface area for potential vulnerabilities, and this starts with a comprehensive audit of the system as a whole along with all of its parts. The following components of an IoT system must be reviewed for possible vulnerabilities:
- Operating Systems: Each point of entry (ports, protocols) is a potential point of attack. A minimal “bare metal” real-time operating system running on a microcontroller (MCU) makes it easier to understand your entire surface area. In contrast, many systems on chips (SoCs) and Linux systems ship with various services running and can be listening on a variety of ports by default, adding a hidden layer of attack vectors that product developers may not even be aware of.
- Applications: There can be multiple application programs running on a full system on a chip device – and the more applications you have, the more potential there is for bugs or security vulnerabilities. It is critical to the vitality of your product to run an audit and sanitize these programs.
- Dependencies: Establishing a rigorous process to check that your external dependencies and libraries are up to date and validated is critical. Modern encryption and communication protocols evolve over time, and you must invest in staying current, or risk ignoring new vulnerabilities. Just like application security, a larger number of dependencies means that more maintenance must be done.
- Communication: Man-in-the-middle attacks, replay attacks, and loss of sensitive information are just a few of the threats that can occur if communications between the device and the cloud are not encrypted, or are encrypted poorly. Proper encryption ensures confidentiality, integrity, and authenticity.
- Cloud: Always on and connected servers require constant monitoring and testing. By minimizing your network, application, and dependency surface area, and closely monitoring access and behavior, you can reduce risk for each cloud server. You should subscribe to security mailing lists and alerts for your dependencies, operating systems, and service providers.
- User Access and Security: Threats come in all shapes and sizes – and they could be within the company. Establish a positive culture of security and awareness for your team, and educate them about phishing and social engineering attacks. Practices like two-factor authentication, strong passwords, and whole-disk encryption help reduce the scope of damage from careless user error.
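The Operating Systems item above warns that Linux-based devices may be listening on ports nobody on the product team asked for. The following is an added example, not code from the original article or from Particle: it parses the Linux /proc/net/tcp table and reports listeners that are missing from an allowlist. The allowlist contents, the function names and the sample table are assumptions made for illustration.

```python
import ipaddress
import os

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Assumed policy for this example: port -> may it be reachable from the network?
EXPECTED_PORTS = {22: True, 3306: False}

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 1310 1 0000000000000000 100 0 0 10 0
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1422 1 0000000000000000 100 0 0 10 0
   3: 0A00A8C0:0016 0500A8C0:D2F4 01 00000000:00000000 02:000A1B2C 00000000     0        0 1533 1 0000000000000000 20 4 30 10 -1
"""

def parse_listeners(table_text):
    """Return sorted (address, port) pairs for sockets in LISTEN state."""
    listeners = set()
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established connections and other states are not listeners
        hex_addr, hex_port = fields[1].split(":")
        # IPv4 addresses appear as little-endian hex on common targets (x86, ARM).
        addr = str(ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1]))
        listeners.add((addr, int(hex_port, 16)))
    return sorted(listeners)

def audit(table_text, expected_ports):
    """Compare listeners against the allowlist and return (addr, port, reason)."""
    findings = []
    for addr, port in parse_listeners(table_text):
        exposed = not ipaddress.ip_address(addr).is_loopback
        if port not in expected_ports:
            findings.append((addr, port, "unexpected listener"))
        elif exposed and not expected_ports[port]:
            findings.append((addr, port, "expected on loopback only"))
    return findings

if __name__ == "__main__":
    # Use the live table on a Linux device, otherwise fall back to the sample.
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for addr, port, reason in audit(text, EXPECTED_PORTS):
        print(f"{addr}:{port} {reason}")
```

This covers IPv4 TCP only; a full audit would also read /proc/net/tcp6, /proc/net/udp and /proc/net/udp6.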
Remaining Secure Tomorrow
It’s difficult to anticipate how cyber threats will evolve five or ten years from now, but all systems require maintenance to avoid falling behind evolving security risks. The following features and actions help prevent future vulnerabilities:
- Penetration Testing: Finding security researchers who will help identify and fix potential vulnerabilities as they develop will help businesses stay ahead of modern hacking techniques. Investing in maintenance and systems testing is crucial for future-proofing current systems.
- Firmware Application Code Reviews: Allowing security experts to review your firmware during development can help catch and prevent application flaws that might expose your product, customers, and company.
- Security Update Mechanisms: Security protocols change and improve over time. Allowing for rapid firmware deployment to all devices at once improves security.
The conversation on IoT security will continue to evolve as the technology matures, but it’s imperative to the life of a company to follow protocol and conduct security checks early on in the development process. In an extremely risky landscape, a hack could mean loss of revenue or reputation and brand damage. Product developers and the stakeholders involved are the drivers of their own security success and failure, but by organizing and prioritizing what, where and when to test for vulnerabilities, businesses can remain secure today and tomorrow.
About the author: Zachary Crockett is a Founder and the Chief Technology Officer of Particle, a full-stack IoT device platform, where he is responsible for the core technology, architecture and infrastructure. He provides strategic direction for developing a scalable, reliable, secure and easy-to-use platform.
This post was originally published on http://www.infosecisland.com/rss.html.