A security checklist to protect sensitive customer and user data in the Internet of Things

(Blog): With the recent release of the FTC report on IoT device security, now is the time to start evaluating the security of devices, says Don Schleede of Digi International. This includes how they are manufactured. 

Security has often been an afterthought in the manufacturing process with little consideration given to how sensitive customer and user data could be accessed and what malicious actions could be taken by an Internet of Things (IoT) system if it came under the control of the wrong people. Manufacturers can take a much stronger role in protecting data and devices – and the following is a checklist of concepts that should be considered by manufacturers and included in all designs for IoT and M2M devices and processes.

538512109

  • Training and Tools: Invest in targeted training to ensure your engineers and testers understand security coding techniques and can properly and fully assess the risks of their designs. Utilise programs such as Open Web Application Security Project (OWASP) and look for security certifications and training from organisations like ISC2, GIAC and EC-Council. It is also crucial to invest in tools and software that measure vulnerability, scan code for unsecure usage, and examine devices’ functions.
  • Default Configurations: When your product ships, ensure that the base threshold of configuration to get the device to work is standard and part of a secure installation process for the customer. For instance, there should be no default passwords, secure protocols (e.g. https) should be in effect, and administrative interfaces should be disabled in places that may expose features to the internet. Let the customer override those features later if desired – but the initial security should be default.
  • Encryption: Ensure that all ingress and egress data and control connections are done using a secure standard such as SSL/TLS. USA Federal NIST standards (such as FIPS-140-2) are also a good place to start and cover the use of encryption such as AES128 or AES256. Understand, particularly in the IoT space, when symmetric and asymmetric encryption are needed and critical.
  • Hashing: Use a one-way non-decryptable technique for storing passwords. Make sure all hashes use a random salt value that will protect against many common attacks. The misuse of hashing is critical in design and has led to many breaches in the past. Recommended hashing algorithms include SHA-2 and PBKDF2.
  • Identification: Ensure all actions performed by a device have some form of identification. This could range from a user logging into a device with the proper role-based access controls (RBAC) to data transmissions from the device. Keep in mind that a device needs authentication as well – and be sure the device authenticates with the collection or control application. One suggested methodology is private key infrastructure (PKI) certificates to identify and authenticate devices.
  • Firmware updating: Create a process for the device to automatically update itself while in service or make it easy for the customer to update the device. Most IoT devices have long lifespans (some up to 15 years). However, the secure lifetime of a device is around six months or less. Because a secure device shipped today will no longer be a secure device in six months, manufacturers must create new software versions that can be easily mass-deployed.

If you build these functional requirements into your next IoT device, you will be in a much better position to address security concerns with future products and services — and your customer and user data will be far better protected.

Digi's information security officer, Don Schleede
Digi’s information security officer, Don Schleede


The author of this blog is Donald Schleede, the information security officer at Digi International, a Minnesota-based manufacturer of embedded systems, routers, gateways, and other communications devices for machine-to-machine (M2M) systems. Schleede manages Digi’s Device Cloud, a cloud-based device-management solution that provides Digi’s customers with secure, remote access to Digi devices.

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Snow Software study uncovers the realities vs. the promises of cloud

Posted on: October 26, 2021

26 October, 2021 –Snow Software, the global provider of technology intelligence, unveiled findings from its most recent survey, based on the input from more than 500 IT leaders from organisations with over 500 employees in the United States and United Kingdom to determine the current state of cloud infrastructure.

Read more

CloudM announces Archive feature which save businesses time and money while meeting compliance demands

Posted on: October 26, 2021

CloudM, a SaaS data management platform, has announced the launch of Archive, a new feature which allows users to easily, automatically, and safely store and recover user data, helping businesses to remain compliant without facing the mounting user license fees associated with traditional archiving and ediscovery solutions.

Read more