Embracing IoT can bring operational efficiencies, increased revenue and newfound business insights.
But ensuring the success of an IoT deployment means making sure the system is secure. Before you implement, consider how well the device is designed for security.
Here are seven criteria to consider:
- Consider the physical security of the device. Does the device physically open so that the internal components are accessible? If so, can the chips be removed for further analysis by an attacker? Depending on the deployment, you may consider epoxying chips to the circuit board or embedding the circuitry in resin.
- Lock down open ports. Any device with an open port that’s connected to a network can be hacked. Beyond network connections, are there USB ports, SD cards or other storage that can be accessed? Can ports be disabled if they’re not needed?
- Is the software secure by design? Is the device designed for secure software execution? If the device uses secure boot techniques and securely executes applications, then attackers can’t tamper with the processor and system integrity. Increasingly, hardware-based security support is embedded into the chips to ensure system integrity, secure storage and to protect anonymity, which is important if the device handles personally identifiable information (PII).
- Lock down administrator access. Legitimate user credentials are used in most breaches, according to Verizon, so make sure your administrator passwords are airtight. That includes changing the default password (you’d be surprised how many organizations don’t). Make sure the connection to the device is secure, using a protocol such as SSH rather than telnet.
- Use encryption. Connected devices often lack the power to run the usual encryption algorithms, but lightweight encryption algorithms designed for resource-constrained platforms like IoT devices are emerging. Elliptic curve cryptography is the next generation of public key cryptography and provides a more secure foundation than first-generation systems like RSA. The NSA has published two new algorithms—SIMON, which is optimized for hardware, and SPECK, which is optimized for software. Also, keep in mind that some IoT devices, such as smart meters, are designed to last for many years, and the device may outlast the usefulness of the encryption used.
- Consider how you’ll do software updates. Can the device software or firmware be updated when vulnerabilities are discovered? Is there a way to mass-deploy patches? Make sure the update process is secure so that attackers can’t perform their own malicious updates.
- Perform real-time device discovery. It only stands to reason that you can’t control or manage a device if you don’t know about it in the first place, but research shows that 70% of enterprise IoT security professionals don’t monitor devices in real time. You need a way to identify every single device on the network so you have a real-time inventory of all IoT devices.
Download the eBook Using Secure IoT to Drive Business Growth to explore the potential of IoT in the enterprise, which industries are paving the way, and how to secure your connected things.
Source: Great Bay Software