Nelesh Kotecha explains what can be done by organisations to prevent security threats to IoT devices from the design stage all the way through to going to market.
By Nelesh Kotecha
It is important to note that security risks can be recognised and understood, detected and resolved, managed and controlled, but never completely eliminated. IoT presents huge potential for transforming many industries. For example, the healthcare sector is one where the technology will potentially have the greatest impact but is also one of the sectors most at risk. The automotive industry is another sector that is benefiting from the technology, but again is one where there are significant security concerns.
Data is the place to begin
To mitigate risk, one of the first steps that every manufacturer of an IoT-enabled device must take is to consider the potential impact that a data breach would have. For IoT devices that have the potential to cause human fatality or a dramatic financial loss, the manufacturer must implement the most stringent levels of security. For example, a medical firm developing a healthcare device, or a manufacturer of an autonomous vehicle, must deploy the highest levels of protection.
Many IoT devices will use a subscriber identity module (SIM) to transmit data via a cellular network, rather than Wi-Fi or Bluetooth. A SIM enables data to be transmitted from devices that are on the move, or are outside, such as remote patient monitoring systems or telematics. It was common practice to use standard consumer SIM cards for IoT devices, but each consumer SIM card has a dialable number, which means that any third party from around the world can call or send a short message service (SMS) to the device.
It is vital to ensure that the only people who are able to change IoT device configurations are those authorised to do so. In order to protect the SIM from unauthorised SMS, the manufacturer should use an IoT-specific SIM. The SIM provider should supply connectivity that is secure; this can be achieved by using private internet protocol (IP) addresses and by ensuring that no unsolicited SMS can be received by the IoT-enabled device, and that only authorised personnel are allowed to contact the device.
Your connectivity provider should also have the ability to limit the services to those that are actually required by the device. For example, if the device is intended to receive messages, and not send them, then your provider needs to have a method of blocking those services that are not required, in this case messages sent by the device or voice calls. This is important not just from a security perspective but from a cost perspective too.
The SIM should also be configured so it can receive over-the-air updates to keep up with new and emerging threats. For example, one method would be for the SIM to call into a central server and check to see if there is a new device configuration available. However, the challenge here is ensuring an update can be administered when the device is compromised. When this is the case, it is essential that any organisation identifies the root cause of the attack and has a predefined action plan in place in case of a breach. This should include a list of key technical personnel who can assess and take appropriate action regarding device update procedures.
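The check-in described above, sketched as an added example that is not part of the original article: the device accepts an offered configuration only if it was issued by the authorised party and is newer than the one it already runs. The article does not specify a mechanism, so the HMAC over the configuration, the per-device shared key and all names here are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumes a per-device secret provisioned at manufacture.
DEVICE_KEY = b"constructed-demo-key"


def sign_config(config, key):
    """Server side: MAC over a canonical JSON encoding of the configuration."""
    payload = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def check_update(current, offer, key):
    """Device side: return (configuration to run, reason).

    The current configuration is kept unless the offer is authentic and newer.
    """
    config, tag = offer.get("config"), offer.get("mac")
    if not isinstance(config, dict) or not isinstance(tag, str):
        return current, "malformed offer"
    # Constant-time comparison; a forged or altered offer fails here.
    expected = sign_config(config, key).encode()
    if not hmac.compare_digest(expected, tag.encode()):
        return current, "bad MAC"
    version = config.get("version")
    if type(version) is not int:
        return current, "missing version"
    # Refuse replays of an old but authentic configuration (rollback).
    if version <= current["version"]:
        return current, "not newer"
    return config, "applied"


def demo():
    """Constructed offers: one genuine, one altered in transit, one replayed."""
    current = {"version": 3, "services": ["sms_receive"]}
    newer = {"version": 4, "services": ["sms_receive"]}
    older = {"version": 2, "services": ["sms_receive", "sms_send", "voice"]}
    genuine = {"config": newer, "mac": sign_config(newer, DEVICE_KEY)}
    altered = {"config": dict(newer, services=["voice"]), "mac": genuine["mac"]}
    replayed = {"config": older, "mac": sign_config(older, DEVICE_KEY)}
    return [check_update(current, o, DEVICE_KEY)[1]
            for o in (genuine, altered, replayed)]


if __name__ == "__main__":
    print(demo())
```

The replayed offer carries a valid MAC and is still refused, because it would restore an older configuration that re-enables services the newer one had switched off.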
Going to market
Manufacturers of IoT devices should examine their supply chain for any vulnerabilities. Organisations are increasingly using partnerships as a quicker and more agile method to develop products and get to market faster, but with any partnership strategy you need to ensure that the partner has solid security policies in place.
The majority of smart home devices will be connected to the home Wi-Fi, with data transmitted and received over the home network. This does bring with it some security risks, as the Wi-Fi password may not be particularly robust, and if the home network is compromised this could lead to theft of the data transmitted by those devices. Transmitting the data via a cellular network can offer a higher degree of security. However, this is likely to increase the device cost and operational expenses.
Those of us in the IoT industry welcome the fact that IoT is now mainstream news. However, with that comes increased prominence and a spotlight to address security risks. While the risks can never be completely eliminated, the industry does have the tools and expertise to mitigate these risks and facilitate the responsible development of IoT applications.