Friday, April 19, 2024

Specific Security Measures for IoT – vital ingredients to keep the Cyber space sanitised

MN Vidyashankar

By the year 2020, the number of connected devices is expected to cross 20 billion. There will be billions of sensors gathering huge amounts of data and transferring it to the cloud or relaying it to other devices. This also means there are many more points of attack, and an effective security strategy becomes paramount.

Significant reengineering has to be done to optimise and adapt the security controls that work for IT networks so that they suit the complex embedded applications of IoT. A few ways in which IoT devices can be made secure are:

  • A Trusted Platform Module (TPM) is a dedicated security chip that generates and holds cryptographic keys in hardware, so that each device can be uniquely identified and authenticated. Because the private key never leaves the chip, an attacker who can read the device's firmware or storage still cannot impersonate it: the device proves its identity by answering a challenge with that key, and a clone without the TPM cannot produce a valid answer. The TPM itself must be trustworthy, and its keys must be provisioned securely at manufacture.
  • The Trusted Network Connect (TNC) standard should be used to check the health of an endpoint (installed software, firmware version, patch level) before it is admitted to the network. This keeps a compromised device from spreading spyware or other malicious software to the network or to other devices.
  • A Mandatory Access Control (MAC) system, such as SELinux, restricts which functions or files a given process or user can reach, according to a policy the user cannot override. Such layered controls limit the damage an attacker can do once a device has been compromised: a breached component acts as a choke point rather than a springboard, so sensitive information is far less likely to leak.
  • Mounting data or firmware read-only wherever it does not need to change (an immutable root filesystem, for instance) throws a spanner in an attacker's efforts to tamper with it. Data must be encrypted both when stored on the device and in transit.
  • IoT devices and systems are often integrated with legacy machines that were never built to be secure. Industrial control systems need to segment that legacy hardware from other systems and secure the communications between them with encryption. If an attacker has already infiltrated a connected factory's network, this should stop them from taking control of the machinery on the assembly line.
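The first measure above, hardware-anchored device identity, is easiest to understand as a challenge-response exchange. The following is an added example, not code from the article: a verifier sends each device a fresh random nonce, the device answers with a MAC computed from a per-device secret, and the verifier checks the answer against its registry. With a real TPM the device-side key would live inside the chip and the answer would be a signature; here the secret is held in a Python object and HMAC-SHA256 is used so that the example runs with the standard library alone. The device names, secrets and the `Device`/`Authenticator` classes are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Device:
    """A device holding a per-device secret.

    In a real deployment the secret (or a private key) would be held by the
    TPM and never leave it; this object only simulates that boundary.
    """
    device_id: str
    _secret: bytes

    def respond(self, nonce: bytes) -> bytes:
        # Bind the answer to both the claimed identity and the fresh nonce,
        # so a reply captured for one device/nonce is useless for another.
        msg = self.device_id.encode() + b"|" + nonce
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class Authenticator:
    """Server side: issues nonces and verifies device responses."""

    def __init__(self, registry: dict[str, bytes]):
        self._registry = dict(registry)      # device_id -> provisioned secret
        self._outstanding: dict[bytes, str] = {}  # nonce -> device it was issued to

    def challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(32)
        self._outstanding[nonce] = device_id
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        # Each nonce is single-use: pop it so a replayed response fails.
        if self._outstanding.pop(nonce, None) != device_id:
            return False
        secret = self._registry.get(device_id)
        if secret is None:  # unknown device, nothing to check against
            return False
        expected = hmac.new(secret, device_id.encode() + b"|" + nonce,
                            hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    """Run the exchange for a genuine device and three attack attempts."""
    # Constructed secrets; in practice each is generated inside the device's TPM.
    secret_a = hashlib.sha256(b"factory-provisioned secret for sensor-a").digest()
    secret_b = hashlib.sha256(b"factory-provisioned secret for sensor-b").digest()
    auth = Authenticator({"sensor-a": secret_a, "sensor-b": secret_b})
    sensor_a = Device("sensor-a", secret_a)
    sensor_b = Device("sensor-b", secret_b)

    results = {}

    # 1. Genuine device answers its own challenge.
    nonce = auth.challenge("sensor-a")
    reply = sensor_a.respond(nonce)
    results["genuine"] = auth.verify("sensor-a", nonce, reply)

    # 2. Replay: the same valid reply presented a second time.
    results["replay"] = auth.verify("sensor-a", nonce, reply)

    # 3. Impersonation: sensor-b claims to be sensor-a using its own secret.
    nonce = auth.challenge("sensor-a")
    forged = Device("sensor-a", secret_b).respond(nonce)
    results["impersonation"] = auth.verify("sensor-a", nonce, forged)

    # 4. Unknown device that was never provisioned in the registry.
    nonce = auth.challenge("sensor-z")
    results["unknown"] = auth.verify("sensor-z", nonce, sensor_b.respond(nonce))

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} accepted={ok}")
```

Only the genuine exchange is accepted; the replayed reply, the impersonation with the wrong secret and the unprovisioned device are all rejected. The same structure carries over unchanged when the HMAC is replaced by a TPM-held signing key: the verifier then stores public keys instead of shared secrets, which removes the need to protect the registry itself.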

Security must be considered at the earliest phases of development, particularly in the design phase. Processes like threat modelling help engineering teams adapt their prototypes to mitigate the relevant risks. Beyond the design phase, security must be integrated into the other key 'touch points' along the development lifecycle: secure code review and static analysis at code-completion milestones, and penetration testing during the Quality Assurance phase and, if possible, again before release to production. Product design engineers need to be constantly aware of security considerations; it is even more vital that they remain vigilant about the security implications of the third-party software used in the system.


Given the enormous amount of data collected by connected devices, there is a need to anonymise or minimise the data retained. This requires policies and practices that impose reasonable limits on the collection and retention of consumer data by organisations. For instance, keeping only truncated credit card numbers, or anonymising the data held on the device or on the company's network systems, can limit the exposure in the event of a breach. Only data necessary for the business purpose or for device functionality should be collected. In addition, companies should ensure that all representations concerning the security of the device, or of how information is secured, are accurate, up to date and substantiated. This includes representations in consumer-facing documents such as privacy policies, customer agreements, product user guides and advertising materials.

Deciding what constitutes reasonable security for a given device depends on a number of factors, including the amount and sensitivity of the data collected and the cost of remedying any vulnerabilities. Companies should implement administrative, technical and physical safeguards appropriate to their size and to the nature and scope of the data collected. These controls should be tested and monitored periodically, and again whenever new updates and features are added to the device.

One of the hardest problems is physical security, because the level of protection has to match the threat. Many OEMs accept the risk that a single device in an attacker's hands may be compromised; what must be avoided is a class break, where someone who cracks open one device can compromise every device of that model. A network-centric approach to security, assisted by machine learning, is well suited to stopping IoT devices from becoming the starting point for malicious activity.

The breaches that have taken place in the industrial, automotive, retail and medical sectors have greatly increased awareness of security, and organisations today are taking a more holistic view of how to implement it in a way that balances cost against risk. As a result, we are seeing security task forces or formalised groups within these corporations that align software and hardware efforts behind a single implementation strategy. Given the immense amount of data that IoT devices collect and store, the security of such devices is paramount and opens up new avenues for the designs of today and tomorrow. The data that IoT endpoints make available will change the impact that decision makers can have in using it.

If the security measures for IoT are implemented properly, including hardware roots of trust as the anchor within each endpoint, a system becomes very much harder to breach. As noted above, the best solution in most cases is to use multiple layers of security. The internet of everything and connected devices are no longer hype and will soon permeate every aspect of our lives. They will improve the quality of life tremendously once we learn to secure the data collected and to use it judiciously.


MN Vidyashankar is the President of India Electronics & Semiconductor Association. MN Vidyashankar served as the Principal Secretary to the Government of Karnataka and brings over 30 years of rich experience in management and administration of various government offices, autonomous bodies, boards and corporations. Vidyashankar joined the IAS in 1982 and served various government departments at the state and central level before moving on to hold the position of the Principal Secretary, Department of Information Technology, Biotechnology and Science & Technology, Department of e-Governance, Government of Karnataka. Vidyashankar holds an M.A in Economics and an M.Phil. from the Delhi School of Economics, University of Delhi. He is also a post graduate in business administration from Harvard University, USA. 
