IoT Security: What is Job One?
There are few things as overwhelming to think about as Internet of Things (IoT) security. IoT is increasingly pervasive in our lives. For that reason, it is a huge target for hackers. Throw in these facts:
- IoT endpoints must be cheap and run on very low power. Thus, sophisticated security isn’t necessarily embedded. As vital as this is, it’s a low-budget affair.
- IoT-based devices are readily available to the public – and to the bad guys who try to bypass that rudimentary security from the comfort of their own homes.
- The good guys know that this will be a war, but the sense is that they have yet to fully embrace the security challenge.
Calls to action are coming from a variety of places. The Department of Homeland Security (DHS), for instance, has put out a call for security innovation, according to Network World. DHS wants ideas on how to detect devices connected to the IoT and grab data from them, to authenticate those devices, and to upgrade their security.
The details are complicated, of course. While calls for ideas by the federal government are not rare — Sandia National Laboratory, for instance, is seeking ideas on authentication technologies that also are IoT-related — the scope of what DHS seeks is quite broad.
Since my previous post on Internet of Things standards, I went on to ask experts what they consider to be job-one — or the first concern — when it comes to securing the Internet of Things. Their responses follow:
Lori Wigle, the Vice President and General Manager of Security Solutions at Intel Security, suggests that the keys are simplicity and comprehensiveness:
“The single most important step in securing IoT is making it dead simple to build security into their solutions. The reality is that many IoT developers are not security experts, so it is critical that the industry aligns on best practices and then furnishes implementations.
“There are important roles for organizations such as the Industrial Internet Consortium and the Open Interconnect Consortium to play here by respectively driving test beds and open source implementations. Suppliers can also play a role by pre-integrating security hardware and software technologies.
“Additionally, IoT security must be considered end-to-end. It’s not enough to implement security features on one element of the solution. We need to harden the devices, secure communications between devices and the cloud, and provide monitoring and management so we can operationalize security of the IoT system over its life. Particularly for the industrial IoT, these systems will be in place for decades. We cannot imagine the evolution of the threat landscape they will endure.”
ForgeRock Vice President of Strategy Daniel Raskin focuses on control:
“The absolute most important step towards securing the IoT is implementing an ability to securely manage a device’s identity, register it, verify its authenticity, link it to people (optional), authorize data to/from device, and revoke data as needed.”
Intelligence transfer is the first step for Marty Kamden, the Chief Marketing Officer for NordVPN:
“The first step in securing the IoT in the industry is cooperation between large hardware/software companies that often do not have extensive experience in security and smaller, new companies (often start-ups) that are security experts. Big companies should be open to hearing advice from innovative, younger experts in order to build safer products.
“When it comes to securing the IoT for the general public, the first step is building awareness that a network of devices is set up to make it as accessible as possible for reasons of communication and control, but this advantage can easily be abused by hackers. Awareness leads to curiosity about existing security measures.”
Veracode Co-Founder and Chief Technology Officer Chris Wysopal thinks it’s a matter of accepting the security challenge from the start:
“There is no most important step to securing the IoT – it’s a design challenge that needs to be fully baked in from day one. Manufacturers must look at the IoT holistically to ensure that the devices they build – in addition to web and mobile applications and back-end cloud services – are built with security in mind from the start.”
Hardware security is a priority to Steve Hanna, the Senior Principal of IoT Security at Infineon:
“As recent headline-grabbing attacks have shown, IoT systems cannot be adequately protected with software alone. Encryption and authentication keys are particularly at risk. In addition, even high quality software often contains defects, which correlate with vulnerabilities that are ultimately located and exploited. Therefore IoT devices should include a Hardware Root of Trust.”
The diversity of what is being offered is not necessarily a bad thing. Experts see things in the context of their own field. What is clear, however, is that an industry consensus is needed.