It’s no secret that Internet of Things (IoT) networks have a security problem.
For the past two years there have been a regular stream of headlines about large-scale attacks carried out by infiltrating wireless IoT devices as a back door into corporate networks. One of the best known is the 2016 Mirai attack, which turned IoT devices into a veritable zombie army that crippled operations for companies like Netflix and Twitter. And those are just the ones that make the headlines. Security experts believe that there have actually been hundreds of less-reported/unreported IoT security attacks during this time. IoT networks have quickly become a favorite target for hackers. The headlines typically focus on the impact on household name consumer-focused companies, but the threat to industrial and manufacturing companies is just as significant, particularly given the critical role that wireless connectivity plays in the industry today, as well as in the future.
Smart, wirelessly-connected devices are everywhere in the industrial world, and they are playing a bigger role every day — in the form of everything from small wireless sensors that are being deployed in manufacturing environments by the millions, to large manufacturing equipment that plays a vital role in industrial operation… and everything in between. The impact of IoT on the industry is real and growing, but so are the concerns about the security of all those connected devices. There is no shortage of experts diagnosing these security vulnerabilities. If you do a Google or Bing news search about IoT security, get ready for several million results. However, those results will all have one thing in common: A lot of talk about how big the problem is, but little if any practical advice on what to do about it.
The goal of this article is to give you a series of practical steps engineers can take immediately to put their IoT projects on a more secure footing. It’s not a panacea and is not intended to replace what security geniuses will eventually come up with to fully secure IoT. But taking these steps will help protect your company and your customers until security catches up with the momentum of IoT deployments. Taking these steps will also help your organization get a head start on compliance with new regulations that can be relevant to IoT security, including the EU’s General Data Protection Regulation (GDPR) which raises the financial stakes for companies that do business in the EU, including U.S.-based industrial companies that have global customer bases.
So what are some of those key steps you and your engineering colleagues can begin taking?:
- Security Conversations Need to Start Earlier—and Look at the Cloud – The single most important thing engineers should be doing is making security a focus much earlier in the product development process. Too often, security is discussed only once product development is closer to the finish line than the starting line. Security cannot be an afterthought in an era when vulnerabilities in IoT devices have a bullseye on them. Security and threat modelling should be part of the very first conversations about a new product in an engineering team’s pipeline of projects. Just as importantly, that threat modelling process should address not just the product itself but the connected environment it lives in. That includes other elements of the wireless network and — crucially — the cloud that supports it.
- Don’t Forget to Think about Scaling the Product – The security strategy for a product shouldn’t just think about that device and related elements like the cloud. It should also factor in how the company will ensure security when large-scale implementations are done with thousands or even millions of these products. For example, delivering firmware to a single device securely is one thing. But what about securely delivering firmware updates to tens of thousands of devices that are geographically dispersed. Many of the most common ways of delivering firmware today and having products accept and install that firmware are inherently insecure. Security needs to happen at scale, then the product you are designing isn’t truly complete.
- Keep Using Third-Party Libraries — But Do It More Securely – One of the ways that product engineers accelerate product development and reduce development costs is to utilize third-party software libraries. That approach can make development far more efficient, but it comes with security risks if insecure components make their way into the field once products are deployed. A very common scenario is that a component may be considered secure when an engineer first integrates it, but its vulnerabilities become known at a later date without the organization having a way of tracking and fixing it. The way to solve this isn’t to stop using third-party libraries. I recommend making automated Common Vulnerabilities and Exposures (CVE) testing a standard element of how software is built, rebuilt and deployed over time. This will identify components that are vulnerable before a product is completed. But even more importantly, it will identify and remedy component vulnerabilities in products that are out in the field in use by customers.
- Start Testing Like a Security Pro…and Make It Automated – When a product is approaching the finish line, there is often tremendous pressure on engineers to “get it done and get it out the door” so that companies can get it to market before competitors do. That pressure is understandable, but too often it skips critical security-related steps that should be taken throughout all stages of product development. To make your wirelessly-enabled products more secure, it is imperative that the engineering team build in security testing phases that utilize proven techniques such as penetration testing (aka pen testing) and fuzz testing (fuzzing). Both white box testing and black box testing will uncover vulnerabilities that will save your company the expense and headaches of resolving security issues later once thousands or millions of these products are in the field. In the past, this kind of testing was time-consuming, but it can be done with a tremendous amount of automation today by outside vendors or engineering teams themselves — allowing your team to do 20x as much security testing than in the past in a very short period of time.
IoT will eventually be as secure as other corporate computing systems, but until then you and your team can take important steps to making sure your company’s IoT strategy puts a spotlight on security and ensure that your team is delivering wirelessly-connected industrial products that put up a good fight against the onslaught of threats facing IoT.
Chris Cole is the Vice President of Technology for Laird’s Connectivity Solutions business unit.