The Internet of Things is already going beyond the hype, transforming our lives in both the consumer and business markets. According to Gartner, 8.4 billion connected things will be in use worldwide in 2017, up 31% from 2016, and the number will reach 20.4 billion by 2020. For all of us, this means a huge number of sensors and devices generating an enormous amount of data, and thus providing efficiency, productivity and automation while reducing operating expenses. Meanwhile, the same things that make devices “smart” are also the ones that make them vulnerable. We were all witnesses to a DDoS attack in October 2016, when websites like Netflix, Twitter, PayPal and Amazon were temporarily unavailable. The Mirai botnet targeted systems operated by Domain Name System (DNS) provider Dyn, and this is considered to be the largest attack of this kind in history. It was a wake-up call for the IoT community, showing that we all have a duty to build security into any IoT product that could be commercialised.
Security needs to be addressed in every part of the IoT system, whether we are talking about hardware, connectivity, backend software and databases, or post-market service. That is why IoT companies should minimise these potential problems by implementing security at the design stage. This should include creating hardware-based security, developing authentication, access control and secure APIs, guaranteeing safety and quality assurance, and evaluating security architectures.
Securing the Device and Data in Transit
Naturally, some form of security must be built in at the manufacturing level. Endpoint security often gets the most attention, but securing these mass flows of data during transport is a new priority. Sensors that collect data and send it to the cloud can put the communication channel and hardware security at risk, especially given that data is more vulnerable when it is in transit. A lack of communication encryption leaves a device open to third parties, allowing them to access data sent over the network. The focus is on building robust architectures by adding protocols, hardware security models, trusted execution environments, trusted platform modules, secure elements (SEs) and repurposed secure microcontrollers.
Securing the Database and Addressing Privacy Issues
Another major component of the security puzzle that demands to be addressed is the privacy of the data stored in the databases. IoT developers need to understand potential security threats and address them to ensure that companies’ data or that of their customers is not compromised. Privacy concerns are already a core issue with cloud systems, and this will grow as IoT becomes mainstream. Objects will continually be collecting and aggregating data in real time, which must be stored securely for reporting and review.
Securing the Application
Applications serve as an excellent source of data, giving users insight that could make their businesses more relevant and beneficial. They are also a source of numerous attacks. The most common vulnerabilities are injection flaws, broken authentication, cross-site scripting (XSS), insecure direct object references and security misconfiguration. IoT developers should decide which security features to include in further development; the choice depends on several factors: availability of software development tools, type of hardware and OS. Implementing a secure software development lifecycle and secure coding is the best way to go in the application development process.
Securing the Lifecycle Management
Companies which decide to embrace the IoT will require their IoT systems to be operative for many years, during which they will expect continual monitoring and upgrading. Developers are faced with a challenge - they must have a detailed plan for the whole lifecycle, from the design stage, through deployment and management, to eventual decommissioning. For a buyer, this means assurance that security can be regularly monitored and updated appropriately (when a new vulnerability is detected, patches can be pushed). To build a sustainable security lifecycle management framework, you need to include security services within it: secure communication and storage, key generation and administration, authentication and identification, and credential/device lifecycle management.
In a nutshell, there is no doubt that security is a must in the Internet of Things era. It has to be implemented in every part of the IoT ecosystem - from hardware to the end-user applications. Adopting a secure IoT solution enables relevant market insights and maximisation of resources while protecting your data and infrastructure assets. Advanced device security technology is available on the market, but it needs to be implemented from the beginning.