Why businesses need to change their mentality when it comes to IoT
Two years ago the FTC released a report on the Internet of Things that recommended a series of concrete steps that businesses take to enhance and protect consumers’ privacy and security. Yet not much has changed. As people continue to reap the benefits from a growing world of Internet-connected devices, we’re still seeing security problems with devices in the home. It’s essential that manufacturers know where to begin when they develop software, especially consumer-focused companies.
I recently joined the millions of consumers entangled in the Internet of Things by adding a smart thermostat and solar panels to my home. The good news is I’ve already been able to help reduce my electricity usage. The bad news is that, as a security professional, I worry about the security of the devices in my house, the systems they communicate with and the chain of custody for my personal data.
How do I know that these devices were designed and developed with any inkling of security in mind, much less the kind of market-leading security I would condone as a professional? All I have for now are the manufacturer’s claims of security. More so, these concerns arise because it is my job as a cybersecurity professional to think this way. Although they should, the average consumer is not thinking about these issues. With IoT on the rise, industry regulation in manufacturing needs to increase and there are several practical actions and processes companies can implement. Some of these include:
- A shift in mentality toward building security in from the start of development. Organizations need to prioritize building security into IoT devices early on in the development process. Sometimes we see manufacturers more focused on production time to market, than security, which sometimes leads to vulnerabilities or completely ignoring security altogether.
- Taking a comprehensive approach to security and applying fundamental risk management principles. With the addition of networking for constant monitoring, data collection, and remote control, the risks have increased. The most common mistake manufacturers make is not taking a comprehensive approach to security and applying fundamental risk management principles. For example, many product upgrades start with security features like secure network communications or a firewall. Security features like these are necessary but insufficient. Security is an emergent property of complex systems, and as a result requires much more effort than simply creating features.
- Participating in security communities. What does it take to ensure the IoT industry is secure? It takes benchmarking and aligning with industry standards. Could you imagine constructing furniture without instructions or building a house without a blueprint? Sometimes moving from point A to point B can be challenging -- especially without guidance. When it comes to software security, using a measuring stick against an industry standard can improve security and efficiency. Participating in security communities, specifically the BSIMM, allows organizations to map to the observational study that documents 113 distinct security activities that are performed by participating organizations.
- Consider the lifecycle of connected devices. It’s important to note that embedded devices are different from a traditional computer. There is a completely different lifecycle which will be used for years to come. For instance, the thermostat I just replaced was over 20 years old and my solar panels are under warranty for 20 years. History shows that these systems will need software updates because of security vulnerabilities, but will software updates be available for the next decade or two?
Again, this is where the shift in mentality comes in. Manufacturers need to prioritize security and ensure products have software updates available as needed. However, these are expensive to build, test and deploy, especially when considering the lifespan of these devices. Also, there is no monetary incentive for the manufacturers because the customer already paid for the devices.
Recent projections put the number of connected devices at 15 billion and it’s growing rapidly. This speaks to a need in the industry for guidelines and regulations around security and connected devices, but also the importance for manufacturers and developers to align their production with secure processes. Given the scale, scope and market economics for these devices and considering the breadth of effort shown to be necessary, there is a clear need for a new mentality when it comes to IoT security.
Dan Lyon is Principal Consultant, Synopsys Software Integrity Group, one of the world’s largest consulting firms on software security. Prior, Dan spent 18 years with Medtronic as a software and system engineer for medical products including implanted devices, instruments, and servers. Dan holds BA degrees in Mathematics and Computer Science from Luther College and is currently pursuing a master’s degree in information security engineering through SANS Technology Institute.