Market research firm IDC predicts that the IoT market will reach $7 billion in 2020, while research firm Gartner predicts that 20.8 billion connected things will be in use in 2020, up from 6.4 billion in 2016.
Yet, the Department of Homeland Security explained that the Internet of Things has not kept up with the pace of innovation. As we become more dependent on network-connected technologies and replace manual processes with digital ones, we are also more at risk to attack.
Incorporating security from the start is cheaper and easier than trying to bolt on security solutions later. In addition, this can be a differentiator in the marketplace. Plus, a lack of security can involve huge costs to clean up a mess after an attack.
So, what can we do to secure IoT applications and services? Here are 7 steps to creating an IoT system that's secure by design:
1. Change the default username and password
Make sure your systems integrator or internal IT staff changes usernames and passwords from the preset default.
Generic usernames and passwords (which are easy to guess) are often default code set by manufacturers that ship the hardware or software. The underlying assumption here is that the end user will change this password to something else. Sometimes end users don’t update them, which poses a problem since botnets scan the IoT for known usernames and passwords.
2. Use the latest operating system
Many IoT devices are not on the most recent version of the Linux OS. The clear benefit of open-source software is that contributors are always improving it, but those improvements could ultimately expose new vulnerabilities. The current OS won’t be completely invulnerable, but at least it will not include open holes.
3. Choose hardware with security features
Choose hardware that includes security features. For example, you can utilize microprocessors that are specifically designed to secure, and contain on-device key protection. This can greatly reduce the chances of a device being hijacked through a physical attack. Furthermore, tamper-evident hardware and firmware can allow a compromise to be remediated before it becomes an even bigger problem (e.g. additional data loss, botnets, etc.).
4. Expect disruption
The failure of a device or part of a network can have large consequences on the larger system. The best practice is to create a system in which the failure of one IoT device doesn't disrupt the system at large.
5. Incorporate the ability to update and patch
Devices should be capable of upgrading so the latest security can be maintained and flaws can be patched if and when vulnerabilities are discovered later. A system that can adapt to new and changing threats or attack is key.
It’s also important that update mechanisms themselves are secure. Unsigned firmware and software exposes a system to man-in-the-middle and other attacks.
6. Know the device life will end
It's important to create a schedule for replacing old devices before they fail. After all, there comes a point where devices may no longer be able to be patched. Also be mindful of when support for hardware and software ends as this will have a substantial impact on whether or not security features or updated to account for new exploits and maintained according to best practices.
7. Share information
How will you participate in information sharing? A policy concerning disclosure should be in place, as well as a response plan that includes your developers, manufacturers, and service partners. To prevent compromises from occurring, it is best to ensure your developers and partners understand and are in agreement concerning your security objectives and policies.
Final Thoughts
While the IT world has traditionally seen security as a trade-off with usability, this does not need to be so. When you approach security and usability holistically in the early design phase, it's often possible to make huge gains in security without significantly impacting usability, not to mention a significant reduction of risk
About the author: In his role as Founder and CEO at Hologram, Ben Forgan is focused on building the fabric that will power the future of ubiquitous connectivity. He believes strongly in the power of technology to create massive positive social and economic change and works on a daily basis toward that goal.
Edited by
Ken Briodagh
