Building Security into IoT Products from the Ground Up

Until the Mirai botnet hit, most businesses didn’t think about whether their printers were securely connected. When the topic of the Internet of Things comes up, it’s most often been in the context of smart homes, self-driving cars and wearable fitness devices. But business cybersecurity risks associated with the IoT are real and significant. Mirai proved that by hijacking hundreds of thousands of IoT devices to shut down almost a third of the world’s websites.

If more isn’t done, and quickly, the Mirai attack will be the first of a string of highly successful and damaging IoT-based attacks. The rapid and wide-scale adoption of connected sensors and IoT devices in manufacturing, healthcare, transportation and utility settings means that a broad swath of the globe’s critical infrastructure is increasingly vulnerable to these attacks.

As the network and its connections change rapidly, organizations are often left feeling

confused and uncertain as to the extent they are affected by IoT security issues. As a result, many are holding off on implementing connected technologies. Forrester predicts that security concerns will stunt the growth of IoT adoption in 2017.

However, the IoT and its legitimate risks must be addressed in order for organizations to move forward. The IoT has the potential to deliver significant business benefits to your customers. Helping them choose and deploy a secure IoT solution lets them gain valuable new business insights and efficiencies while protecting their data and infrastructure assets.

Cybersecurity from the start
Security is too important to be an afterthought. No one wants to cobble together an aftermarket fix, and having to do so would not reflect well on your brand. While it is (relatively) easy to design and ship an IP camera, for example, the ease at which one can be hacked from factory settings makes installing one an unacceptable risk factor to the network – and your customer’s business.

IoT security-related issues are on the radar of regulators. In January, the Federal Trade Commission (FTC (News - Alert)) filed a complaint against router giant D-Link (News - Alert), charging that the company had deceived users on the security of its products and failed to take steps to secure those products appropriately. This case has become a bellwether because the complaint was brought in response to the vulnerabilities themselves, not because of a breach exploiting those vulnerabilities. This is a sign that regulators are taking a more aggressive stance in demanding that connected device manufacturers take clear and sufficient steps to secure their products.

Four tips to start with
Give your customers confidence in your products by observing these initial steps:

• Use unique device credentials: Rather than making the mistake that so many others have and ship connected devices with factory settings, give each device a unique password. Print that password on a sticker that’s included on the device itself. This significantly reduces the chances of compromise.
• Find and upskill the right people: “IoT” can mean many different things. A job ad asking for an IoT professional may attract 10 people with 10 different backgrounds. Think instead about what your company does with connected devices, and the specific skills it needs to design, manage and deploy those applications, systems and devices securely. Looking for and training people with IoT certifications is a way to validate those skills.
• Consider using open source carefully: Open source IoT software is an attractive option for IoT startups looking to get product to market quickly because it’s easy, cheap and flexible. Yet security flaws can be exploited rapidly, and patches are often slow in coming. IT teams therefore should be aware of the risks in using technologies that are based on open source code.
• WiFi (News - Alert) is not the only option: While it’s true that WiFi is good for quick and dirty deployments, for wide-scale installations in specialized vertical network environments, like manufacturing or healthcare, consider using one of the many specialized communications protocols that are available to your engineers. Do all functions need to be performed on the device or can some be punted back to the network? Minimizing the need for the device to perform all functions and be connected to all traffic all the time can also reduce its threat exposure.

The big picture
The IoT is a two-edged sword that must be handled carefully. The risks are real and substantial, but so are the benefits and opportunities. Customers are already wary of these risks and don’t need any more reasons to not buy your products. By creating trustworthy products that are secure right out of the box, your customers can confidently move forward to achieve their goals. This positions you well for repeat business.

About the Author: Sloman has helped shape Nadel Phelan's brand, services and reputation for quality and results. Responsible for client strategy, while building and managing solid account teams that deliver results, Sloman has worked with market leaders to set industry agenda, establish thought leadership, build new categories, launch companies and navigate PR obstacles.