The Internet of Things (IoT) is full of promise, although it takes a threatening turn when its security is scrutinized. We often advise end users on the steps that they can take to improve their security when utilizing technologies — this remains vitally important — but how can IoT manufacturers improve the security of the devices that they are designing and manufacturing? Moreover, the growth of the IoT and the numerous companies taking advantage of this growing trend by developing devices for enterprises further emphasizes the importance of getting the security foundation and framework right from the get-go. IoT delivers tangible value to both consumers and enterprises and is being used to connect more than just things: people, places, systems and things. Companies developing and advancing this industry must focus on turning the security to a positive attribute — this is crucial.
Driving the development of IoT
There is an increased demand for everything to have the ability to connect to an online system and to communicate with other components, devices, and people to improve efficiency and convenience for everyday tasks. We want to be able to enrich our lives with wearables, for example, and these trends keep on coming and keep advancing.
Machine learning, analytics, automation, medical devices, and robotics all offer further drive for IoT advancement. The ability to collect masses of data for processing to advance all areas of business from product manufacture through to marketing is all made possible with IoT. Consumers seem to be on board this evolving movement, too. After all who can resist all the new smart tech!
IoT devices are alongside us, on us (wearables), within in us (medical devices/transmitters) and we are finding ourselves within them (cars). They are part of our world and we are part of theirs. We are becoming very dependent on many of these devices (and they on us), and any security vulnerability could have devastating consequences for those using them and those around them.
Security remains the unsolved side of IoT
With the integration of so many new devices and products now available, it is important that security be taken seriously. Remotely controlling IoT devices is possible, and if security is not made a priority, this can be accomplished that much easier by those with malicious intent.
Security should be a genuine concern for consumers of these products as they not only expect to buy and use a product that is both functional as per its description but they also, more often than most, assume that they are safe while using it. Consumers are not always paying attention to the security of these products that they are using. What is more alarming, though, is that many manufacturers of these products are not prioritizing security either. This seems to be a knock-on effect, since consumers are not placing enough value on security, manufacturers are not investing in a more robust, secure product. This is a ticking time bomb and should not be allowed to continue.
Companies designing, developing, and manufacturing these products must do all that they can to reassure that these products are as secure as they can be. Without the right security, the threats from these devices are just too high and the possible damage all-encompassing.
Everyone involved in the design, manufacture, and even the marketing of these devices has a role to play to ensure improved security. The consumer, too, has a responsibility, but it is up to the organization delivering the device to educate the consumer of their role with regards to the do’s and don’ts when using the product to ensure secure functioning. It is very much a joint effort, and security must be prioritized from the get-go, right through to after the product is within the consumers’ hands.
Manufacturers ought to pay attention to these key considerations:
Security by design
Build security into your product from the design stage. Security should be part of the plan and part of the design process. Embedding security throughout design to product completion and being sure to include considerations for secure code, testing, and evaluation. Security should span all product layers to incorporate defense in depth and should be applied right from the beginning of the design process and not at the end. Security should never be an afterthought.
Of course, it is fundamental that the consumer gets a working product, but a secure system is very important, too. It is often necessary to obtain advice and involvement from a security professional to advise on or pinpoint areas in the design that may pose security gaps or vulnerabilities. Applying the right skills from the start can help to avoid greater issues later on. It is better to get a well-engineered and secured system than a working but insecure one.
Security should not only refer to the device being impenetrable, but also reflect the data that the device processes. It is critical that the design is such that the data is always secure as IoT devices amass volumes of data, and this data is what hackers are after. So, secure the device (all layers) and secure the data, too.
The product must be designed with the assumption that it will be attacked and compromised. Invest in security resources; it is worth it in the long run.
Encryption and access control
Securing data is essential. Encryption and access control is a simple way to do this. By encrypting all communications and stored data only allowing subject access control, data can remain secure even if compromised. Not only is this fundamental to ensure the data processed by the device remains safe, but it is vital to comply with stringent data protection regulations, especially when personal data is being processed.
Authentication and authorization
Controlling access to the device is fundamental to securing the data. Two-factor authentication and biometrics are options to consider as well as device access control and authorization. Controlling access to the device through authentication procedures ensures that only the intended people are able to access it and a system to manage and monitor access allows for any anomalies to be swiftly recognized. Offering the ability to trace activity via logs will help with diagnostics.
Further strategies include device segregation. Utilizing this, devices are clearly segregated off onto their own networks not allowing for consumer and corporate devices to share the same network. This strategy may include whitelists to authorized networks that vendors have specified to stop IoT devices attacking third parties and being used without user understanding.
Clear-cut information
It is important that the significance of security is conveyed to the consumer, and the only way to achieve this is through the manufacturer clearly and unambiguously informing the consumer who uses the IoT product of the risks involved and the do’s and don’ts of using the product. Let them know how to safely use the product and let them know what to avoid and what not to do. They need to be told how the product works and how it connects to a IoT device. They need to know how they are protected, and they must be notified of any changes in a timely manner. The details offered must be clear, easy to understand, and the importance of security highlighted.
Encourage password security: Educate consumers on changing passwords, as this is a common area for breach.
Education is important when it comes to improving security, and this is an opportune time for educating the consumer about IoT, your product, and security.
Be explicit about risks and practices
When you choose to use an IoT product, there is always a degree of risk involved. It is important that the consumer knows this and deliberately accepts this before using the product. This must be made clear to them when purchasing the product. Part and parcel of this is informing them of the type of data that the device will be processing and how the processing will take place. All of this detail will ensure that the consumer is able to make an informed decision whether or not they are on-board and whether they are comfortable to use the product. It is the consumers’ right to know what data of theirs is being processed, why, and how. It is the manufacturer’s responsibility to comply with the demands of data protection regulation.
Quality and trusted practices
Security should start at home! Create a culture of security from within your organization to emphasize the importance of security. Attain to high standards of security at all times, the levels of security you choose to accept from others as well as the levels of security you provide as an organization.
For security to be properly executed during the entire lifecycle of the product, best practices must be used (data encryption, privacy, compliance, etc.). Failure in an IoT device can result in real-life implications and harm. Industry standards, best practices, and procedures should be followed and secure connections must always be used.
Always follow best practices. Tried and tested, reputable procedures are fundamental. If a framework or policy works, use it. There is no use reinventing the wheel; adapt to suit if need be, but it is not necessary to start from scratch each time.
Consider incorporating the use of a risk-based security approach. Apply risk-management practices to identify where potential vulnerabilities may exist (when the product is in use) and include increased security measures in areas where the risk is potentially higher. Apply your resources advantageously and allocate security resources according to levels of risk.
Enforcing secure development practices alone is not always enough, but combined with a rigorous and continuous analysis program will improve the outcome.
Personally identifiable information (PII) awareness and practices
IoT functionality stems from manipulating data and lots of it. It is important to know the data that you process and know how it is processed (collected, stored, shared, and used). It is critical that this data remains secure at all times.
Processing any data is risky business, and personally identifiable data in particular increases the risk. By law this data must be secured. If you don’t need consumer data, don’t process it! If you don’t have it you do not have to worry about securing it! Only process what you really need for your product to function.
Furthermore, if you are processing data, you must have consent to do so and must inform those concerned that it is happening. Ensure that you are following a data privacy policy and be transparent with regards to the data that you process. Make sure that data remains separate. No user behavioral data should be linked to PII. Avoid storing PII in order to lessen the impact of a security breach.
Don’t let the insecurities of IoT overshadow the benefits
For everyone to realize the wide-ranging advantages of these devices, security must come first. The only way in which we can realize the complete optimization, control, autonomous systems, real-time analytics, improved environment, and situational understanding — everything that IoT has to offer — is if we can tackle the security vulnerabilities. Make security a priority and get it right! Manufacturers, designers, engineers, developers — the entirety of the IoT product team are key in accomplishing this. Be that manufacturer that places security at the forefront of the product!
Photo credit: Shutterstock
