At the recent IoT West show in Las Vegas, I was on a panel with Nolan Mondrow, founder and CEO of LockState, on the topic: “Is IoT Security Even Possible?” We talked about Internet of Things (IoT) security from two perspectives: the platform (me) and a manufacturer (Nolan).
Not surprisingly, there was strong interest in this topic. The IoT is a mega trend right now, but it’s still not well understood. The IoT is not only about making a device connect to a cloud, but also about devices interconnecting and making autonomous decisions.
With the Internet being a core part of IoT, the good practices of Internet security must be applied to the IoT as well. This means adopting the same stringent measures that drive online banking, for example. It means securing and maintaining IoT devices and cloud infrastructure on an ongoing basis.
At the same time, the IoT also has a unique set of security constraints, in that the devices themselves—and access to the data in the devices—must also be controlled. With the IoT becoming more of an ecosystem play, data gets transferred between clouds. This brings about another set of data governance and security challenges that requires a truly holistic view of security.
Providing his manufacturer’s perspective, Nolan described how LockState has been offering security solutions since 2014. LockState technology allows control of Wi-Fi-connected devices such as locks, thermostats, power plugs, motion sensors and more.
He stressed that rather than try to tackle the IoT as a whole, manufacturers interested in the IoT should focus on their areas of core competence, which means their own products. He advised choosing a partner for the IoT that has expertise across all the IoT domains—embedded device, cloud and mobile—and one that has security experts who cover all these areas.
Some Things to Do, and Some Things Not to Do
In our IoT West panel, Nolan and I provided some guidance that applies to manufacturers of any kind of product destined for the IoT.
When it comes to IoT security, here are a few best practices to follow:
- Secure all devices equally. Use the standard “AAA” security practices of authentication, authorization and accounting, as well as data encryption during both transmission and storage; multifactor authentication; and layered access control mechanisms.
- Give each communications chip a unique serial ID to prevent things like “spoofing,” and lock down the communications chip.
- Use additional encryption chips.
- Implement a trusted boot (also called a verified boot or secure boot; it’s a feature that allows only authorized software to run on a particular device) to verify Over-The-Air (OTA) images.
- Follow standard security protocols.
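As an added illustration of the trusted-boot bullet above (example code written for this post, not LockState's or any platform's firmware), here is a verified-boot style check of an OTA image in Go: the device holds only the vendor's public key, refuses any image whose signature does not verify, and refuses rollbacks to an older version. The image layout, the key burned in at manufacture and the version counter are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Constructed image layout assumed here: [4-byte BE version][64-byte Ed25519
// signature][payload]. Signing version||payload stops re-labelling old images.
const headerLen = 4 + ed25519.SignatureSize

// Device is the root of trust: vendor key fixed at manufacture, monotonic version.
type Device struct {
	VendorPubKey ed25519.PublicKey
	Version      uint32
}

// VerifyImage returns the payload only if the signature verifies under the
// vendor key and the version is newer than the one installed (anti-rollback).
func (d *Device) VerifyImage(img []byte) ([]byte, error) {
	if len(img) < headerLen {
		return nil, fmt.Errorf("image too short")
	}
	ver := binary.BigEndian.Uint32(img[:4])
	sig, payload := img[4:headerLen], img[headerLen:]
	signed := append(append([]byte{}, img[:4]...), payload...)
	if !ed25519.Verify(d.VendorPubKey, signed, sig) {
		return nil, fmt.Errorf("signature check failed: image rejected")
	}
	if ver <= d.Version {
		return nil, fmt.Errorf("rollback rejected: version %d <= installed %d", ver, d.Version)
	}
	d.Version = ver // advance only after both checks pass
	return payload, nil
}

// BuildImage is the vendor-side signing step; the private key never reaches the device.
func BuildImage(priv ed25519.PrivateKey, ver uint32, payload []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, ver)
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), payload...))
	return append(append(hdr, sig...), payload...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	dev := &Device{VendorPubKey: pub, Version: 1}
	fmt.Println(dev.VerifyImage(BuildImage(priv, 2, []byte("firmware v2"))))
}
```

The same check rejects an image signed with any key other than the one fixed in the device, which is what keeps the "lock down the communications chip" advice above from depending on secrecy of the update channel.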
At a higher level, remember that security is not an add-on; it must be infused into every aspect of IoT operation. Also, you can’t afford to think only about data security: you must consider data privacy as well. Finally, assume you will be compromised, and plan accordingly.
We see a number of mistakes and misconceptions when it comes to IoT security. Here are some of the most common mistakes:
- Storing personally identifiable information locally on the device, without controls
- Providing insufficient authentication and authorization
- Lacking transport encryption
- Maintaining insecure software
- Focusing on securing a single point of the system rather than taking a holistic view
- Failing to take data governance into account
And here are some misconceptions and wrong assumptions about IoT security:
- It’s only for high-cost devices from big brands.
- To truly secure devices, you need a high-level operating system.
- Security comes with a very high cost.
- Good security happens only with the tradeoff of a diminished user experience.
- The IoT is inherently insecure.
Back to Our Original Question: Is IoT Security Even Possible?
The answer is yes, but with some qualifications and caveats.
On the plus side, Moore’s law is on our side: Our ability to pack more technology into smaller and cheaper formats bodes well for IoT security. As the IoT enters the mass market, the whole concept of IoT security is gaining more prominence and attention, which is good. Advances in data analytics are improving early detection of security threats, which opens more options for thwarting those threats. Security standards already honed for other online services are being adapted for the IoT, and it’s faster to adapt than to invent from scratch.
But on the minus side, the many proprietary technologies employed by IoT vendors lead to a “security through obscurity” mentality, where design secrecy is confused with security. The sheer number of devices being connected to the IoT, and the sharing of lots of data with a variety of providers, complicates every aspect of security and heightens the potential effects of security breaches. And finally, the IoT is fragmented by nature and will remain fragmented. It is not going to coalesce into a more cohesive entity over time.
Still, we’re optimistic that the right IoT platform and partners, combined with the right hardware, architecture, OTA update and data analytics technologies and practices, will enable IoT security to evolve to the point where both manufacturers and consumers feel confident about using the IoT and gaining from its enormous benefits.