IoT Security by Design

Our homes and our businesses are filled with "smart" / connected devices, which are great, but they also expose numerous new attack surfaces. The "security by design" framework may offer a path forward. It's a set of principles within hardware and software development focused on making security a core concern in the design and development process.

Illustration: © IoT For All

More and more, we’re filling our homes with “smart” / connected devices beyond old-school computers, from thermostats to security systems to kitchen appliances. Enterprises are bringing a whole range of processes, objects and spaces online to amplify human potential as well. The Internet of Things (IoT) has enormous potential, but connecting everything has a side effect: increased vulnerability.

We must consider the fundamentals of IoT cybersecurity to protect ourselves personally and professionally. Top concerns are best practices, the concept of “security by design” and device security certification programs.

IoT Device Security 101

Key steps to securing IoT devices include the following best practices:

  • Perform routine updates. Manufacturers release updates as they recognize ways their products can be improved. Once the product is in your hands, rapidly installing updates will help protect you against the most recently discovered threats. But keep in mind that imperfect updates can expose new security vulnerabilities.
  • Control access. Consider whether the device actually needs to be connected to the internet in order to do its job. If it doesn’t, restrict it to your home network only.
  • Turn off Universal Plug and Play. UPnP is a weak point for routers, cameras, printers and other devices. At the same time, secure interoperability is a must for IoT.
  • Improve the passwords. They should be long and alphanumeric, while avoiding repetition, dictionary words and personal details. Many devices currently ship with notoriously weak default passwords like “admin” and “password,” so change them and check with your hardware vendor for guidance on securing your IoT endpoints.
  • Secure your connections. Use a virtual private network (VPN) to connect your devices to the Internet. For reliability, make sure the VPN you use is well-suited to the type of device.

Security by Design & Privacy by Design

Beyond knowing a few steps you can take with devices, it helps to choose a manufacturer that follows security by design. Security by design is a set of principles within hardware and software development focused on securing the system and reducing the risk of a compromise. Following these principles allows a manufacturer to know that they are protecting users and complying with the European Union’s General Data Protection Regulation (GDPR). Systems built using this method incorporate elements such as abiding by coding best practices, implementing authentication protections and deploying continuous testing.

The key reason that secure by design is so important is that software is typically considered first and foremost in terms of its function. Security becomes a secondary concern, and developers end up addressing security holes and vulnerabilities as an ongoing chore rather than building security in from the start. With secure by design, you can be certain that the manufacturer is fixing security issues effectively and rapidly.

Security by design incorporates the following principles:

  • Secure defaults. Ship a secure configuration as the standard experience. Allow users to relax protections if they choose.
  • Correctly repair security issues. Be careful about design patterns, which can introduce regressions when you attempt to fix your code. Test on all relevant applications.
  • Keep security simple. You want your code to be as simple as possible. It is easier to reduce your attack surface area in that context.
  • The principle of defense in depth. Even where a single control seems sufficient, add further controls so that your defenses have depth.
  • The principle of least privilege. Accounts should be given the minimum possible level of privilege in order to complete their business functions.
  • Do not trust services. You may utilize outside providers for processing. Keep in mind, though, that services should not be trusted by default.
  • Avoid security by obscurity. You should not attempt to protect critical data simply by hiding key details. It is an insufficient security control.
  • Separation of duties. Typically, administrators should not be users of an application. For instance, an administrator should not be able to buy from a storefront as a super-privileged user.
  • Secure failures. Verify that your code never fails in a manner that makes the user an administrator by default.
  • Minimize attack surface area. The attack surface area should be restricted as much as possible. Every feature adds risk, so each one should justify it.
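To make the “secure defaults” and “secure failures” principles above concrete for a connected device, here is an added example (not code from the article or any vendor) of a device-side settings loader and permission check. The config keys, role names and `DeviceSettings` class are hypothetical; the UPnP and default-password items come from the best practices listed earlier.

```python
"""Added example: secure defaults and fail-closed authorization for a
hypothetical IoT device. Config format, key names and roles are invented."""
from dataclasses import dataclass

# Secure defaults: every optional, risk-adding feature starts OFF and the
# owner must opt in (UPnP is the article's example of a weak point).
SECURE_DEFAULTS = {"upnp": False, "remote_admin": False, "telemetry": False}

# Factory credentials the article warns about; the device must not accept them.
FORBIDDEN_PASSWORDS = {"admin", "password", ""}


@dataclass(frozen=True)
class DeviceSettings:
    upnp: bool
    remote_admin: bool
    telemetry: bool
    admin_password: str


def load_settings(user_config: dict) -> DeviceSettings:
    """Merge the owner's choices over the secure defaults. Unknown keys are
    ignored rather than enabling anything; a weak admin password is rejected."""
    chosen = {k: bool(v) for k, v in user_config.items() if k in SECURE_DEFAULTS}
    merged = {**SECURE_DEFAULTS, **chosen}
    pw = str(user_config.get("admin_password", ""))
    if pw.lower() in FORBIDDEN_PASSWORDS or len(pw) < 12:
        raise ValueError("admin password must be set and at least 12 characters")
    return DeviceSettings(admin_password=pw, **merged)


# Least privilege: each role gets only the actions its function needs.
ROLES = {"owner": {"reboot", "update", "change_settings"}, "guest": {"view_status"}}


def is_allowed(session: dict, action: str) -> bool:
    """Secure failure: a missing, malformed or unknown role grants nothing.
    No error path can land the caller in the administrator role."""
    try:
        return action in ROLES[session["role"]]
    except (KeyError, TypeError):
        return False  # deny on any failure, never elevate


def is_allowed_fail_open(session: dict, action: str) -> bool:
    """The anti-pattern the principle warns against (kept here for contrast):
    an unset role silently falls back to the built-in administrator."""
    return action in ROLES[session.get("role", "owner")]
```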

Privacy by design, a concept within the GDPR, is similar to security by design. The two core elements of privacy by design are:

  • Data protection by default. Data controllers should only store data as long as necessary, should only process data to the extent necessary, and should only process the specific data that is necessary; and
  • Data protection by design. Data controllers should keep the processing of personal data as limited as possible by implementing pseudonymization and other safeguards.

Look for Certifications

While the principles of secure by design are helpful in understanding what to expect from device manufacturers, everything becomes simpler when you can just look for certifications attesting that those principles are followed. ThingsCon and Mozilla came up with the Trustable Technology Mark, centered specifically on security and privacy. The analysts at ThingsCon use five chief criteria to gauge products:

  • Openness. Is open data produced or used? Are the manufacturer’s and device’s processes open?
  • Stability. What life-cycle can be expected? How stable is the device?
  • Transparency. Is the way that data will be used and what the device does communicated clearly to consumers?
  • Privacy. Are users’ rights respected? Are data practices leading-edge?
  • Security. Do the security practices and protections reflect the current environment?

Another certification project, the Cybersecurity Certification Program, comes from Ericsson and AT&T. That system gathers information on IoT threats and sends it to device manufacturers, allowing those companies and their developers to quickly adapt and fix any vulnerabilities.

Safeguarding IoT

By 2025, the Internet of Things will have an economic impact of $3.9 trillion to $11.1 trillion per year, per McKinsey. However, that huge reward is linked to a huge risk. By considering the above best practices, and by understanding security by design and certification programs, you can better know how to move forward securely with IoT projects and device purchases.