April 20, 2017

Seven Steps to Securing Your IoT Device

By Special Guest
Ben Forgan, CEO of Hologram

Market research firm IDC predicts that the IoT market will reach $7 billion in 2020, while research firm Gartner predicts that 0.8 billion connected things will be in use in 2020, up from 6.4 billion in 2016. Yet the Department of Homeland Security has noted that security for the Internet of Things has not kept up with the pace of innovation. As we become more dependent on network-connected technologies and replace manual processes with digital ones, we also become more exposed to attack.

Incorporating security from the start is cheaper and easier than trying to bolt on security solutions later. It can also be a differentiator in the marketplace. And a lack of security can mean huge cleanup costs after an attack.

So, what can we do to secure IoT applications and services?

Here are seven steps to creating an IoT system that’s secure by design.
1. Change the default username and password.
Make sure your systems integrator or internal IT staff changes usernames and passwords from the preset defaults. Generic usernames and passwords (which are easy to guess) are often default credentials set by the manufacturers that ship the hardware or software. The underlying assumption is that the end user will change the password to something else. Sometimes end users don’t, which poses a problem since botnets scan the IoT for known default usernames and passwords.

2. Use the latest operating system.
Many IoT devices are not on the most recent version of the Linux OS. The clear benefit of open source software is that contributors are always improving it, but those improvements can also expose new vulnerabilities. The current OS won’t be completely invulnerable, but at least it will not include holes that are already known and already fixed.

3. Choose hardware with security features.
For example, you can use microprocessors that are specifically designed for security and provide on-device key protection, so that keys never leave the chip. This greatly reduces the chances of a device being hijacked through a physical attack. Furthermore, tamper-evident hardware and firmware allow a compromise to be detected and remediated before it becomes an even bigger problem (e.g. additional data loss, recruitment into a botnet, etc.).

4. Expect disruption.
The failure of a device or part of a network can have large consequences on the larger system. The best practice is to create a system in which the failure of one IoT device doesn’t disrupt the system at large.

5. Incorporate the ability to update and patch.
Devices should be capable of upgrading so the latest security can be maintained and flaws can be patched if and when vulnerabilities are discovered later. A system that can adapt to new and changing threats or attacks is key. It’s also important that the update mechanisms themselves are secure: unsigned firmware and software expose a system to man-in-the-middle and other attacks, because a device has no way to tell a genuine update from one altered on the path.
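The signed-update check described above, as an added example that is not code from the article or from Hologram. It assumes a simple constructed image layout (version header, payload, Ed25519 signature) and shows both the vendor signing side and the device verification side, including an anti-rollback version check so that an older signed image cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example):
//   4-byte big-endian version | payload | 64-byte Ed25519 signature
// The signature covers version and payload together, so neither can be
// altered on the path between vendor and device without detection.
var ErrTooShort = errors.New("update too short")
var ErrBadSig = errors.New("signature verification failed")
var ErrRollback = errors.New("update version not newer than installed")

// SignUpdate is the vendor side: sign version||payload with the release key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], payload)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// VerifyUpdate is the device side: it holds only the public key (ideally in
// protected key storage, step 3) and its installed version number.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) (uint32, []byte, error) {
	if len(update) < 4+ed25519.SignatureSize {
		return 0, nil, ErrTooShort
	}
	msg, sig := update[:len(update)-ed25519.SignatureSize], update[len(update)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, msg, sig) { // check the signature before trusting the header
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(msg[:4])
	if version <= installed { // anti-rollback: refuse older signed images
		return 0, nil, ErrRollback
	}
	return version, msg[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (demo only)
	img := SignUpdate(priv, 2, []byte("firmware v2 (constructed payload)"))
	_, _, err := VerifyUpdate(pub, 1, img)
	fmt.Println("genuine update:", err) // genuine update: <nil>
	img[5] ^= 0xff                         // one payload byte altered in transit
	_, _, err = VerifyUpdate(pub, 1, img)
	fmt.Println("tampered update:", err) // tampered update: signature verification failed
}
```

In a real device the public key would be provisioned at manufacture and the installed version kept in storage the update itself cannot rewrite.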

6. Know the device life will end.
It’s important to create a schedule for replacing old devices before they fail. After all, there comes a point at which devices can no longer be patched. Also be mindful of when support for hardware and software ends, as this will have a substantial impact on whether or not security features are updated to account for new exploits and maintained according to best practices.

7. Share information.
How will you participate in information sharing? A policy concerning disclosure should be in place, as well as a response plan that includes your developers, manufacturers, and service partners. To prevent compromises from occurring, it is best to ensure your developers and partners understand and are in agreement concerning your security objectives and policies.

While the IT world has traditionally seen security as a trade-off with usability, this does not need to be so. When you approach security and usability holistically in the early design phase, it’s often possible to make huge gains in security without significantly impacting usability, not to mention a significant reduction of risk.

Ben Forgan is CEO of Hologram (https://hologram.io).

Edited by Ken Briodagh
