In my last post, I discussed the need for infosec professionals to reach out to engineering to help bridge the cultural divide and be seen as partners in IoT project success. We need to be humble and help them realize how good security practices are as vital as making sure the switches work. Otherwise, their projects eventually will fail.
In a follow-up post this week, I’d like to address the fundamental security flaws that are all too common in many IoT implementations.
Fundamental Processes to Improve IoT Security
As we engage engineering and manufacturing, we can help by educating folks on the fundamental security needs that often are lacking in today’s industrial and consumer IoT security technology. We can help convey real threats amid growing consumer awareness of security issues. We can help R&D understand how these threats, if not addressed, will eventually threaten the bottom line.
We can and must help non-security folks understand some basics, including the need for the following:
Use encryption. Manufacturers need to build their devices to use encryption of all data stored and transferred. Effectively and at scale, for data exchanged, this is done using digital certificates and public key infrastructure (PKI).
Build the device with firmware that can be updated to address security events. The use of encryption is not enough on its own, though. These devices need to be manufactured with firmware that is capable of regularly being updated to keep up with evolving security threats throughout the lifetime of the device. Equally as important for devices that are connecting to computer, tablets, smart phones, etc., is that the manufacturer needs to use PKI to authenticate each device with a uniquely identifying digital certificate and make sure it cannot be tampered with by hackers. The server that the smart device communicates with also needs to use a certificate to enable end-to-end encryption.
Deploy and manage certificates properly. The use of digital certificates is only optimally effective if the devices and servers can be properly configured throughout the time that the company offers a smart data automation service. Similarly, certificates need to be properly provisioned. Real security beyond just applying a code library out of the box is key to protecting consumer security and privacy. Managing the certificate lifecycle to apply updates is critical to keeping up with evolving security threats.
Value security. Sometimes, these best practices are not followed due to a cost consideration in manufacturing the device or perhaps a lack of thorough security expertise. This might be okay for a pedometer that tracks how many steps someone takes and only stores the data on the device. For smart medical devices, home automation and security or kitchen appliances, the risks of poor information security practices may threaten one’s livelihood. Imagine the damage an attacker could do if she could turn off someone’s refrigerator, for example, or thousands of refrigerators, or worse, could tamper with a connected health monitoring device.
Uniting for a Better Future
It’s time for us as the IT security community to reach out to engineering and manufacturing to increase our role in the product development and management cycle. We have the knowledge and tools to make create a much better IoT future and to ensure we properly secure the connected devices and objects yet to hit the market. Let’s do all that we can to secure the future and not let recent television fiction become reality.