The Internet of Things (IoT) introduces a large number of new devices that can be a game changer for an organization, but unfortunately many are designed for convenience and functionality without security in mind.
In 2014, Gartner predicted that IoT security requirements will reshape and expand over half of global enterprise IT security programs by 2020. Currently, the industry does not follow any particular framework to secure the Internet of Things. However, there are a number of approaches that device manufacturers should consider during the development process to better secure their devices.
First, limit remote upgrade capabilities. While highly cost effective, remote upgrading opens the door to significant security issues. Without proper measures, it can be simple for an attacker to gain control over devices and access an organization's network.
Second, devices need to be able to be “authenticated.” This helps verify the integrity of the code for upgrade purposes. Devices should be able to securely roll back to previous versions if the upgrade fails to apply.
Lastly, it is important that devices allow logging and alerting when it comes to tampering, administrative activities and detecting anomalies related to remote upgrades, authentication or attacks. These mechanisms should operate securely and have time-stamped log entries.
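The second and third recommendations combined, as an added example that is not part of the original article: a device checks an update manifest and image digest before switching images, rolls back to the last known-good image when the post-install self-test fails, and records each decision in a time-stamped log. The names (`Device`, `sign_image`, `DEVICE_KEY`), the manifest layout, the refusal of non-newer versions, and the use of HMAC-SHA256 in place of a vendor signature are assumptions.

```python
import hashlib, hmac, json, time

# Assumption: constructed demo key. HMAC-SHA256 stands in for the vendor's
# signature; a production device would verify an asymmetric signature instead.
DEVICE_KEY = b"constructed-demo-key"

def _mac(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()

def sign_image(image: bytes, version: int) -> dict:
    """Vendor side: manifest binding the version to the image digest."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {**body, "mac": _mac(body)}

class Device:
    def __init__(self, image: bytes, version: int):
        self.active = (version, image)  # image currently running
        self.previous = None            # last known-good image, kept for rollback
        self.log = []                   # time-stamped audit entries

    def _reject(self, reason: str) -> bool:
        self.log.append({"ts": time.time(), "event": "update_rejected", "reason": reason})
        return False

    def apply_update(self, image: bytes, manifest: dict, self_test=lambda img: True) -> bool:
        body = {"version": manifest.get("version"), "sha256": manifest.get("sha256")}
        claimed = str(manifest.get("mac", "")).encode()
        # Authenticate the manifest first, in constant time.
        if not hmac.compare_digest(_mac(body).encode(), claimed):
            return self._reject("bad_manifest_mac")
        # Then confirm the delivered image is the one the manifest describes.
        if hashlib.sha256(image).hexdigest() != body["sha256"]:
            return self._reject("image_digest_mismatch")
        # Assumption: remote updates may only move the version forward.
        if body["version"] <= self.active[0]:
            return self._reject("version_not_newer")
        self.previous, self.active = self.active, (body["version"], image)
        if not self_test(image):
            # Upgrade failed to apply: return to the last known-good image.
            self.active, self.previous = self.previous, None
            self.log.append({"ts": time.time(), "event": "rollback",
                             "to_version": self.active[0]})
            return False
        self.log.append({"ts": time.time(), "event": "update_applied",
                         "version": body["version"]})
        return True
```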
The nature of IoT amplifies issues related to security when they are not addressed during the development process. It is critical to have a thorough risk assessment and security testing of components to discover the risks of connecting devices to the network and to be able to mitigate those risks. These initial guidelines should serve as a means to build in security from the beginning of the product lifecycle so that security is managed proactively, not as an afterthought.
George Japak heads up ICSA Labs, an independent division of Verizon, where he oversees vendor-neutral testing and certification of systems, products and services, and manages consortia organized around technology and market segments. Japak was named the Verizon HIPAA Security Officer. He has more than 25 years of experience in senior-level sales, marketing and operational management, the last 15 years of which have been at ICSA Labs.