IoT brings with it so much opportunity, but it also increases risk and widens the attack surface of your product and even your organisation, says Stuart Griffin, founding director and technologist, Consult.Red.
To put it into perspective, according to Gov.uk’s Cybersecurity survey 2020, almost half of businesses (46%) report having cybersecurity breaches or attacks in the last 12 months, this is up from a third in the previous year. Maintaining trust with customers is a key concern for CEOs and a big obstacle to successfully deploying IoT products to market.
In our many years of developing connected devices and systems, we’ve seen costly mistakes crop up time and again – here are some common ones with some pointers to help you avoid them:
1. Rushing to get an IoT product or solution to market:
In the race to get to a smart product to market, it can be tempting to think that security can be ‘left until last’ and bolted on at the end, when in fact security is something that needs to be planned at every phase of designing, developing and deploying your connected devices and systems. Security will be need to maintained throughout the product life and a well-planned approach will make this much easier.
When businesses engage in innovation without proper preparation, they can put their project, company and customers at risk. Preparation takes time and money, and the Proof of Concept (PoC) stage is essential in reviewing all aspects of security. But in rushing to get to market, we’ve seen PoCs developed too quickly with little to zero security consideration of implementation. It’s important that PoCs are developed with data encryption and end-to-end security in mind, even if not implemented. The feasibility of the design may pivot on the security solution. This is also the stage when compliance can generate complexities, as different devices may need different certification types.
2. Introducing insecure components into your IoT product.
When it comes to the build vs. buy decision, remember that the components you select can affect security and reliability. It’s important that you choose to work with a supplier that will disclose vulnerabilities to you throughout the entire lifecycle of the product. You’ll need to review security at every stage of the product development process moving forward, as the impact of poor risk and vulnerability management will be significant as your solution scales up.
3. Underestimating security issues when scaling IoT devices.
As solutions scale, security can get harder to manage. When all of the components are scaled to the size of an expected deployment, security risk and compliance should be a major focus. In the planning stages, you’ll need to consider how security will be maintained throughout the manufacturing and production process, in particular, how sensitive data such as key and software will be handled.
For one client we’ve installed hardware in the third-party factory to inject secure keys at the site of manufacture and programme signed code on each device. Your IoT security solution needs to be future-proof, allowing for updating and change in a safe, secure and low-risk way without requiring a whole new system.
4. Planning no security for smart devices not connected to the internet.
It’s a common myth that just because a smart device isn’t going to be connected to the internet (in other words it only interacts through Bluetooth or NFC or some other interface) it doesn’t need security. While not being connected to the internet does remove a big attack surface, it doesn’t mean a device is secure. It’s not just IP stacks that have vulnerabilities, a range of vulnerabilities have been found in Bluetooth, USB and NFC stacks. Developing exploits and scaling them is harder for these vulnerabilities but still relatively straightforward.
The author is Stuart Griffin, founding director and technologist, Consult.Red.