There are fundamental challenges with IoT device architecture that have limited the integration of on-board security mechanisms. For the most part, developers and manufacturers have not felt inclined to design effective security into their products. Why? Time-to-market, performance optimization and a lack of standards or regulations are all contributing factors. In addition, designing for cost over safety means that even the most basic security protocols are overlooked. This means it falls to enterprise IT and risk management organizations to create a framework and use best practices in safeguarding all network-connected devices – including IoT.
Where in the development chain security should be integrated is not well defined. One company designs a device, another supplies the software components and a third may engineer the final product. A Department of Homeland Security (DHS) report highlights the factors that contribute to the absence of even basic IoT device security measures:
- Industry standards (such as those from IEEE) continue to be debated and negotiated but are a long way from being ratified. No widely adopted norms exist today.
- Device cost is a driving factor that keeps the integration of necessary hardware and software components off the product roadmap.
- There are minimal incentives for developers to adequately secure products. Unlike regulated industries, such as healthcare and finance, they don’t face the consequences of failing to do so.
The DHS report provides a set of IoT security principles and best practices. They offer stakeholders – from developers and manufacturers to service providers and business-level consumers – a framework to approach and address IoT security challenges:
- Incorporate Security at the Design Phase
- Advance Security Updates and Vulnerability Management
- Build on Proven Security Practices
- Prioritize Security Measures According to Potential Impact
- Promote Transparency across IoT
- Connect Carefully and Deliberately
The DHS report is a worthwhile read. It provides practical guidelines on how to implement its recommendations. While it is nominally targeted at system designers, developers and manufacturers, it also speaks to enterprise IT security professionals. In fact, as you read through the framework, most recommendations can be applied not just to IoT development but to deployment as well. However, it’s a framework – not a “how-to” manual.
The How-To
The National Institute of Standards and Technology (NIST) Special Publication 800-160 is considered to be a fundamental guideline. Its audience is technical (design and development engineers), and it provides “a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities.” It’s not targeted specifically at IoT device security but rather outlines “every security activity that would help the engineers make a more trustworthy system.”
Great Bay Software security solutions align with the frameworks of both the DHS and NIST reports. Our solutions build upon customers’ current security infrastructure, promote transparency across IoT devices and facilitate careful and deliberate network connectivity. Learn more about our products here.