At a recent Internet of Things (IoT) meetup hosted by Tech in Motion DC and General Assembly, three panelists spoke about ‘things’ development at their companies. Interestingly, each panelist spoke about two hot topics in IoT: Security and Privacy.
Why IoT Security?
Jack Cox of CapTech Consulting warned that, “Consumers need to think more about security. There are significant security concerns, for example: knockoff webcams from China, botnets, and major disruptions from device manufacturers using generic passwords. Also there’s no (secure development) protocol due to developers’ rush-to-market for new products and the cost of building security into the design.”
Maybe that’s why Jack believes that life-critical healthcare devices, such as a liver pump, make bad examples of IoT. Conversely, he says a good example of IoT is a power company adjusting its power capacity based on real-time usage.
Senseware’s Duane Kobayashi reminded us that “With security, people are always the weakest link. As developers, we need to think through critically what levels of isolation and attack surface” are acceptable risks. “You can make reasonable decisions based on customer needs, especially if you’re a proprietary solution.”
Eric Conn from Leverege noted that “Security puts shackles on thinking,” especially when envisioning new IoT products. “Hardware security is what’s new; software security has been around a while now.” His company often educates clients about IoT when solving customer pain points in a cost-effective way.
For example, a car auction client kept losing cars in its huge parking lots. Sounds funny, no? However, when you multiply the number of lost cars by down-time for the auction, it adds up to lost revenue for a company already operating on close margins. Leverege was able to design a GPS-locating system and mobile app solution for $1/month per car.
Leverege caters to larger companies, so Eric explained that “Enterprise is less vulnerable to security breaches” because their IT departments address security on an on-going basis.
A Secure Legislative Vision
When asked what new legislation might address IoT security issues, Jack suggested a UL-type certification that verifies a device is secure and its software is update-able. He also imagined a HIPPA-like act to address privacy concerns for collected IOT data. Jack said, “Government needs to step up with looking at what companies are doing with that data today.”
An audience member said the National Institute for Standards and Technology (NIST) can satisfy a whole range of security development, and that some standards already exist within the federal government.
Other security solutions include Google’s Cloud IoT Core, which uses public/private keys to figure out if a device has been tampered with. Also, reducing attack surface (via isolation, air gaps, your response with node integrity) for either hardware or software can lower security risk.
More Security by Design
To learn more, consider joining the Security by Design (SBD) community “where security experts, developers, architects and DevOps engineers across all platforms…treat security as an integral part of any mobile, cloud or IoT effort. We cover the tools, methods and trends impacting the way secure software gets built.”