9 Design Practices to Better IoT Device Security

By Uriel Kluk, Chief Technology Officer at Mesh Systems

9 Design Practices to Better IoT Device Security Hackers, in search of quick plunder, are today’s pirates. Cyber-pirates have swapped muskets and swords with stealth code and phishing techniques to exploit computer networks and steal assets.  Individuals, companies,and countries are all vulnerable to attacks, especially as the size of potential booty grows. With IoT forecasted to connect billions of everyday home, office or industrial devices, it’s hard not to imagine how vast the potential damage could be. While IoT promises to improve machines’ uptime, cost structures and help people do their jobs better, cyber-attacks can essentially wipe out any productivity gains. If hackers find video baby monitors fun targets, imagine the potential damage of hacking an IoT video monitoring system of a manufacturing plant, mall, water system or IoT-enabled truck.

 

Organizations delivering and using IoT systems must be diligent in their defense of device data and how it flows through the network so it cannot be exploited.  There are three key threats to IoT systems and their connected ‘things’ –

 

  • Information theft – outright theft of valuable and proprietary information for economic gain.
  • Hijacking – disruption of device or network operations so that devices shut-down or degrade functionality.
  • Device impersonation– identify theft when hackers reverse engineer the IoT device’s communication, workflows or exchanges to make the device behave differently.

 

IoT Security Defense Trident – privacy, encryption, authentication (access control and authorization)

Engineering design must seek to constantly improve security during the entire IoT solution’s life cycle – it never ends, especially once deployed. Security elements for IoT devices include privacy, encryption of communications and authentication of devices and services. There are cost implications that require design trade offs to ensure affordability and deploy-ability of the end product. Security, even if it is very efficient and elegant will represent about 5% of solution cost. It involves a specialized network infrastructure, higher stack layers (MCUs with more horsepower) and greater overhead in transfers or processes to complete data handshakes.

 

Organizations must evaluate the potential threat to their IoT system when designing the framework. For some systems it makes sense to have low security measures in place, while others need the highest level possible.

 

No Security

IoT system architects must be diligent in their efforts to thwart potential cyber-attacks. Some can argue that the cost of security for simple monitoring of basic levels like temperature or humidity is too high.  The value of the total cost of ownership must be evaluated when designing security elements. Yet everyone must be aware that there is motivation to disrupt operations whether for pure entertainment or financial gain (stealing assets).

 

Weak Security

The worst case scenario is mediocre security that provides a false sense of protection.  It can stop unsophisticated attacks like robots scanning for open ports, but breaks down once the system is deployed.

Good Security: IoT Security Best Practices Checklist

  1. Connect and peer devices or machines with well-known services.
  2. Use private networks, NAT boundaries and firewall rules to hide devices and defend servers.
  3. Create isolated islands with segmented security by decoupling data flows breaking data into multiple secrets.
  4. Use industry standards and protocols – don’t try to outsmart the industry, but be aware when technology becomes obsolete.
  5. Enforce sequencing and use connected closed door policies (TCP vs. UDP).
  6. Avoid common keys – no master “key to the castle” should exist.
  7. Design the system assuming a threat can happen from within.
  8. Develop a systematic and repeatable review process to make sure field-deployed ‘things’ have current safeguards in place.
  9. Develop the ability to remotely revoke privileges on the spot.

Multi-layered Security Design Protects IoT Systems

Organizations must be diligent in creating and updating security defenses for IoT systems. The best approach is to have a multi-layered security design that includes all three elements of the IoT security defense trident. Ensure all 9 items of the IoT Security Checklist are present so you don’t let your IoT device be the portal for cyber-hackers to access data and exploit the network to steal assets.