Maintaining IoT Device Security is War: The Three Must-Haves You Need to Win the Battle
As more and more devices get on the Internet, the IoT attack surface grows, giving nefarious individuals juicier and broader targets. High-value critical assets found in hospitals, office buildings, manufacturing plants and homes could be vulnerable to attack due to inferior embedded security systems.
It requires considerable effort to design in robust security and even more work to ensure that devices are deployed correctly. Be wary of any IoT solution that claims to be totally secure.
Right now you might be thinking: why would an IoT enablement company, one that prides itself on the security of its products, admit such a thing?
That’s because security is not a “one and done” thing. Just as security in the IT world requires constant vigilance, there is a dawning realization that equal if not greater precautions are needed when it comes to IoT security. From the component supplier to the OEM, to the end-user and then the hosting provider, security is an ongoing battle where success is a product of participation and partnership between multiple allies.
So how is it possible to establish and maintain effective enterprise security within an IoT device? Successfully staying ahead of digital adversaries requires these three things:
- Start with a security mindset that begins at the component and connectivity level. For OEMs and systems integrators building or deploying an IoT solution, security starts with choosing partners and suppliers with proven track records in delivering solutions that address security. Below are some key questions to ask when considering which building blocks to use for your IoT solution.
  - What security protocols and features do your vendors build into the components you use?
  - What is their policy and philosophy in supporting security in firmware updates?
  - Do they meet stringent security standards such as FIPS 140-2, FIPS-197, etc.?
  - Will the device be deployed behind a firewall or is it unclear how your customer will deploy the device?
  - What encryption and authentication protocols are built in to ensure secure data transmission?
- Build security-friendly features into your IoT solution and cloud computing. In the IT world, security often revolves around one set of users and a similar set of devices; the IoT world is much more complicated. Unlike a laptop or desktop PC on the enterprise network, one IoT device or machine is often accessed and used in many different ways by different types of users, from end-users to system integrators to service and maintenance personnel and OEMs. In addition, many of these devices interact with other, dissimilar devices.
  - Simply setting up password protection on the network or a device won’t be enough to keep out hackers. Building in policy-driven security features allows administrators to manage who can access what data on the device and when. In addition, data security can be significantly improved by adding features such as role-based access capabilities and strong encryption.
  - For business-critical applications, it’s important to consider building in features that address sensitive post-deployment scenarios, such as maintenance and support. Incorporating advanced features, like a wireless simultaneous soft access point, can enable outside service personnel to obtain secure access to a device without having to expose your customer’s network or disrupt on-going device operations.
- Follow security best practices during device deployment. In today’s world, device security requires a commitment to continuous vigilance, which includes upgrading networking equipment to meet the appropriate levels of protection for the situation your device is being placed in. A recent PSA from the U.S. FBI on IoT device security made the following recommendations:
  - Ensure all default passwords are changed to strong passwords
  - Purchase IoT devices and solutions from manufacturers with a track record for security and providing on-going updates
  - Disable UPnP on routers
  - Maintain firmware and security updates and patches
  - Isolate IoT devices on their own protected networks or behind a firewall
Here at Lantronix, one of our core driving principles is incorporating the latest security standards into the solutions we develop. We know that maintaining device security is an on-going battle that doesn’t just end when we ship our solutions to you. It’s why we continue to invest resources to help arm our customers against emerging security threats. These include delivering on-going releases of new features and firmware updates, as well as providing information and updates that educate our customers and OEM partners on the best practices to ensure a secure device deployment.
To learn more about solutions that can help you build secure IoT solutions, contact one of our IoT experts today.
Daryl Miller is the Vice President of Engineering at Lantronix.