Vint Cerf, one of the founders of the Internet, recently called on IoT device makers to take responsibility for securing all these connected things. The importance of security for the Internet of Things can’t be overstated – but you’re already aware, or you wouldn’t be reading this article.So let’s dig down and look at some stories that move the discussion into the practical.
Start with a strategy.
So much of our critical infrastructure is IoT-connected that it’s not surprising that Homeland Security is all over this. As such, the department created a document recognizing that IoT security can be overwhelming, with responsibilities that aren’t clearly defined. Therefore, it defines strategic principles that build on security best practices in other tech sectors.DHS outlines solid best practices at every phase from design to device end of life.The takeaway: IoT developers, manufacturers, service providers and end users all have a role to play in security.
Keeping it simple is the approach in this resource from AT&T. These four guidelines don’t dig deep but they’re perfect for handing off to non-technical managers and business decision-makers.The takeaway: Sounds simple, but if your org could really do these four things, you’d be golden.
Keep them stupid.
We all remember the (in)famous Jeep Cherokee hack of 2016. Embedded suggests that the design techniques of least privilege, separation of privilege, and Kerckhoff's principle would have prevented it. It’s too late for all the devices already out there, but not for those still under development.The takeaway: When designing a new IoT component, it’s a solid practice to minimize its authority, isolate it as much as possible from the rest of the system and employ industry-standard cryptography and communication protocols.
Privacy issues could kick your butt.
Burger King and Google are in an arms race as the burger maker keeps airing commercials designed to activate Google Home. In April, the original TV spot featured a Burger King employee saying, “OK, Google, what is the Whopper burger?”Hilarity ensued and continues to, as BK modifies the spot and Google deactivates the response. But this has definite implications for device manufacturers that should not be ignored.
The takeaway: Voice activation is a wide-open security hole, especially when voice controls connect to physical security functions such as unlocking the door of a smart home.
Bring on the AI.
Your credit card company can identify suspicious use of your card thanks to big-data analytics that can spot anything out of the ordinary. Machine learning and data analytics could do the same for the data from connected devices, identifying and blocking abnormal activity or malicious behavior.The takeaway: The downside of this approach is that machine-learning systems must be trained on large data sets before they can identify anomalous behavior. On the other hand, most connected devices have limited parameters of functionality, so outlying behavior should be easier to spot.
We’re big fans of security expert Bruce Schneier, so when he talks IoT security, we listen. This blog post is a list of other great articles to settle in with on a cold, stormy night.The takeaway: Schneier is at the top of the security field. Pay attention.
The Department of Homeland Security sees Internet of Things data as a public good – and is actively working with research institutions and private companies to help secure it.Robert Griffin, acting Under Secretary for Science and Technology at the Dept. of Homeland Security, writes, “… by connecting to IoT technologies we are improving critical infrastructure operations in key areas like energy, water, telecommunications, and traffic management.” His article details how his organization is working with the Cyber Security Division to build public/private partnerships.The takeaway: This coordinated effort to develop frameworks for engineering and interoperability is already underway – and Griffin invites more companies to join the effort.
Our blog post, Stay Current on IoT Security with Our Must-Read List, has links to six top resources that will help you keep up with an IoT’s shifting security landscape.The takeaway: No matter where you sit in the world of IoT, security is on you.