Content

Securing IoT devices

The Internet of Things (IoT) introduces a large number of new devices that can be a game changer for an organization, but unfortunately many are designed for convenience and functionality without security in mind.  

In 2014, Gartner predicted that IoT security requirements will reshape and expand over half of global enterprise IT security programs by 2020. Currently, the industry does not follow any particular framework to secure the Internet of Things. However, there are a number of approaches that device manufacturers should consider during the development process to better secure their devices. 

First, limit remote upgrade capabilities.  While highly cost effective, this method opens the door to significant security issues.  Without proper measures it can be simple for an attacker to gain control over devices and access an organization's network.

Second, devices need to be able to be “authenticated.”  This helps verifying the integrity of the code for upgrade purposes. Devices should be able to securely roll back to previous versions if the upgrade fails to apply.  

Lastly, it is important that devices allow logging and alerting when it comes to tampering, administrative activities and detecting anomalies related to remote upgrades, authentication or attacks.  These mechanisms should operate securely and have time-stamp log entries. 

The nature of IoT amplifies issues related to security when they are not addressed during the development process.  It is critical to have a thorough risk assessment and security testing of components to discover the risks of connecting devices to the network and to be able to mitigate those risks. These initial guidelines should serve as a means to build in security from the beginning of the product lifecycle so that security is managed proactively, not as an afterthought.  

George Japak heads up ICSA Labs, an independent division of Verizon, where he oversees vendor-neutral testing and certification of systems, products and services, as well as manages consortia organized around technology and market segments. Japak was named the Verizon HIPAA Security Officer. He has more than 25 years of experience in senior level sales, marketing and operational management, and the last 15 years of which have been at ICSA Labs.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.