With analysts projecting 50 billion connected devices (from wearables to industrial equipment to cars) by 2020, the IoT is big business, and manufacturers across industries are ramping up development efforts to become players in the IoT game. Yet in the rush to innovate new IoT offerings and services, companies are paying short shrift to the security aspect of these new smarter and connected products, opening the door to untold privacy and hacking risks that could have substantial financial ramifications and potentially put consumers in harm’s way.
In a speech at the International Consumer Electronics Show earlier this year, Federal Trade Commission Chairwoman Edith Ramirez voiced concerns about security and data privacy in the age of the IoT. “Like traditional computers and mobile devices, inadequate security on IoT devices could enable intruders to access and misuse personal information collected and transmitted by the device,” Ramirez said in her speech. “Moreover, the risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety such as our cars, medical care and homes.”
To address the concerns, Ramirez provided a framework for what she called “security by design” — the idea that companies design security functionality into the devices and the applications from the earliest stages while providing a mechanism for maintaining security throughout the entire lifecycle. She called on companies building products for the IoT to address security by leveraging a variety of technologies, including encryption, while also adhering to formal best practices, from risk assessments and new testing measures to monitoring products throughout their lifecycle so known vulnerabilities can be continuously addressed.
Security by Design
Security is a top concern for designing products for the Internet of Things. As outlined by Federal Trade Commission Chairwoman Edith Ramirez in a speech on privacy and IoT, here are the key security by design tenets:
• Conduct a privacy or security risk assessment as part of the design process.
• Employ encryption for the storage and transmission of sensitive data.
• Test security measures before a product launch.
• Use smart defaults — for example, requiring consumers to change default passwords in the set-up process.
• Monitor products throughout their lifecycle and patch known vulnerabilities to the extent possible.
Download the FTC report, “Internet of Things: Privacy and Security in a Connected World,” as well as its publication, “Careful Connections: Building Security in the Internet of Things” at deskeng.com/de/IoTresources.
While the vision is clear, putting security by design principles into practice remains a bit more difficult. Many engineering groups don’t have the right expertise at their disposal nor are they versed in security best practices as they relate to product development. Moreover, there’s the very real issue of time-to-market pressures trumping the need to do the development work around IoT security, experts say.
“In the big push to get product out as fast as possible, design aspects related to security get cut first to comply with time-to-market pressures,” says Donald Schleede, information security officer at Digi International, which provides machine-to-machine (M2M) products and services. “Moreover, many companies don’t have the security credentials or training to build these functions into devices.”
The danger of overlooking or underplaying security in IoT devices can be very real. Imagine a smart insulin pump that is hijacked and dispenses upwards of 50 units of insulin instead of what’s prescribed, sending a patient into diabetic shock. The product manufacturer that finds itself in the epicenter of this type of breach will undoubtedly be held responsible, which could have severe financial, ethical and legal consequences.
Practicing security by design means employing the right technologies and considering the end-to-end security requirements for a product at the earliest stages of the design cycle, says Todd Pedersen, global director of sales and sales operation, Global Cyber Security division at CSC.
Digi, which offers IoT development and support services through its Etherios division, and CSC are among the growing number of providers building out IoT consulting practices to help companies understand the new design requirements of IoT products, with security being a top priority.
“Security by design means not building the product and then figuring out how to bolt on security on top of it, but rather building the product with security throughout,” Pedersen says. “Manufacturers can use companies like CSC to augment their staff and teach engineers how to do this effectively, particularly as it relates to governance and focusing on security throughout the software development lifecycle.”
The Optimal Security Mash-up
From a technology standpoint, there are a number of things engineering groups should consider when designing products for IoT. As cited in Ramirez’s speech, encryption is critical, and in particular, designing an architecture that encrypts data as close as possible to the actual sensors to optimize the safeguards, says Digi’s Schleede. Beyond encryption, IoT products require some sort of identity authentication mechanism to ensure that the device accessing or providing data is actually authorized to do so. In the case of the insulin pump, this would confirm that the device communicating its need for a specified amount of insulin is actually the device it claimed to be and not a rogue intruder, he says.
“There is a requirement for these devices to say who they are and prove who they are when connecting,” says John Canosa, chief strategist at PTC’s ThingWorx. “From an engineering standpoint, that means the team needs to understand encryption in flight and at rest. You really need someone with an overarching view into end-to-end security.”
In that vein, companies need to consider security not just from the standpoint of locking down a device, but also ensuring that the device can’t be tapped as a vector into a traditional TCP/IP network for wrong doing. “Most engineers focus more on the first problem than the second because that’s where they are comfortable,” says Brian Ray, CEO of LinkLabs, which provides M2M/IoT wireless network products and services. “They make sure their systems are following standard embedded protocols to keep unintended access out of the system, but they may not see the physical or wireless exploitation that can be used as a launching point for some sort of nefarious operation.”
Other steps for protecting the actual device include incorporating secure enclosures as part of a design and using methods like secure boots and encryption keys to protect the internal embedded software and silicon. A third pillar in an IoT security framework is managing and monitoring the devices throughout their lifecycle so known vulnerabilities can be addressed to the best extent possible.
IoT platforms like ThingWorx, Digi’s Etherios Device Cloud, and Wind River’s Edge Management System deliver a range of security management functions, including the ability to monitor and manage individual devices to keep security capabilities current and to apply regular patches. While these types of tasks are typical in IT organizations, they are unfamiliar to most embedded software developers, which means training and auxiliary services are likely necessary to help them get up to speed, says Tim Skutt, director of Wind River’s security portfolio.
“Regardless of whether it’s an automotive or industrial application, embedded systems developers are largely independent and they lack the skill set and mentality for evaluating risk and penetration testing on IoT devices,” Skutt says. “We can provide services that can take them from early risk assessment all the way through an IoT product’s lifecycle.”
Security By Design Best Practices
As important as technology is to IoT security, so too is cultural and process change, particularly as it relates to security by design best practices. Conducting a privacy or risk assessment at the earliest stages of development is crucial to understanding the requirements and seamlessly integrating the right mix of security capabilities into a design as opposed to adding them later in the cycle, experts say.
Rigorous testing for security vulnerabilities is another best practice requiring engineering groups to establish formal processes as part of the design workflow, experts say. Most engineering groups test features and functions as part of their standard quality assurance practices, but they don’t have the same formal processes in place as it relates to security, says Digi’s Schleede. “It’s a different level of thinking when you’re testing devices for security,” he says. “When you’re testing features and functions, you don’t do a lot of negative testing to see what can happen when you do things with a product for which it wasn’t intended.”
From a cultural standpoint, security by design practices shore up the on-going emphasis on systems engineering, requiring cross-functional collaboration between the multiple engineering disciplines while also bringing IT into the fold — potentially for the first time for many engineering organizations. “Any company getting into this space needs to create a cross-functional team that looks at security design from a systems perspective,” says PTC’s Canosa. IT has the domain expertise in security issues like denial of service attacks and the corporate network infrastructure, so it’s incumbent on organizations to make them an equal partner in the IoT design effort.
“Let’s face it, there are few people out there with 10 or 15 years of IoT security expertise and you’re more likely to find someone steeped in security architectures and challenges from the IT side of the house,” Canosa says. “You have to bring IT into the mix and make them part of the cross-functional effort. You also need to come up with a common language and way to communicate about what these systems are to do, addressing it as a distributed system problem, not individual components.”