Internet of Things 10-12-2015

Implementing Security in the Internet of Things

Sara Drury

While website encryption may call for anywhere from a few to hundreds of SSL/TLS certificates, the Internet of Things (IoT) requires millions of certificates. IoT devices are predicted to reach 25 billion by 2020, and security has become a complicated subject as IoT devices have made their way into the lives of consumers at home, at work, on the road, and even in their personal health.

Unsecured IoT devices expose users to numerous avenues of attack. Vulnerabilities in devices give hackers entry points from which they can use shared network resources to access private corporate assets. While connectivity simplifies life, without proper security such benefits can quickly turn into nightmare situations.

IoT Is Everywhere

IoT devices exist in the form of smart appliances, cars, clothing, home automation systems, light sensors, and health monitors, each advertising its potential for greater efficiency in the workplace and at home and, as a result, an enhanced quality of life. However, professional hackers have already discovered and exploited vulnerabilities.

Charlie Miller and Chris Valasek found flaws in Jeeps that leave drivers completely powerless behind the wheel and at the mercy of the attacker. Since 2014, Miller and Valasek estimated there are as many as 471,000 vehicles with vulnerable systems on the road.

As IoT devices have evolved in the healthcare industry, devices like insulin pumps, glucose monitors, or pacemakers are continually connected to the Internet via WiFi, allowing clinicians to monitor patients’ data. However, security experts demonstrated that attackers can easily control medical devices using a combination of easily available hardware, a user manual, and the device’s PIN number.

The Solution in PKI

Security development in IoT depends on data confidentiality, information integrity, authentication, and data access control. PKI enables information to be transferred securely across networks, which in turn enables trusted connections between networked devices, cloud services, smart infrastructure, and “things.” PKI provides the needed foundation for secure data communication between IoT devices and platforms, both at rest and in transit. It therefore meets the security needs of the Internet of Things.

Trust in IoT Devices Begins at Product Development

The Online Trust Alliance (OTA) has drafted an IoT Trust Framework to help organizations make security and privacy by design a priority from the onset of product development. A few of the many minimum requirements it suggests for companies in the world of IoT include:

  • Personally identifiable data must be encrypted or hashed at rest and in motion using best practices including connectivity to mobile devices, applications and the cloud utilizing WiFi, Bluetooth and other communication methods.
  • Default passwords must be prompted to be reset or changed on first use or uniquely generated.
  • All user sites must adhere to SSL best practices using industry standard testing mechanisms.
  • All device sites and cloud services must utilize HTTPS encryption by default.
  • The device must have controls and/or documentation enabling the consumer to set, revise and manage privacy and security preferences including what information is transmitted via the device.

These are just a few guidelines to help companies focus on end-to-end security and privacy.

A Focus on IoT Security from the Start

Security threats can cause damage from hundreds of miles away. DigiCert is leading the way in PKI IoT deployments. Manufacturers must take the responsibility to secure the vulnerabilities in the IoT today. IoT data breach consequences are potentially catastrophic not only to the customer but also to brand reputation.

   