Prep for the Future of IoT with These Words of Wisdom
There are two versions of the future when it comes to security on the IoT. The first is an ecosystem that is overrun with vulnerabilities, leaving consumer and business customers at risk of a major breach. The second is a story about diligence and careful calculation—the need for builders to watch their security protocols like a hawk.
Remember that when it comes to security, the majority of consumers—and even developers—are playing checkers. Meanwhile, hackers are playing chess. If you’re an engineer, how can you make sure that you’re multiple steps ahead?
We’ve asked 8 experts to supplement Hologram’s best practices with the following tips:
1 – Have a Response Plan Ready
Tip Nominated By: Remi Alli, Founder at Brav, an Online Platform for Managing Conflict
“If you experience a DoS attack, you will not have a chance to develop a response plan at the time of impact. Restoring service and stopping the attack actions are aided by a detailed pre-plan of mitigation. This DDoS Cheat Sheet, prepared by Lenny Zeltser, is an impressive template for an incident response plan. It includes a step-by-step response plan that can be helpful for future incidents.”
2 – Rely on Established, Well-Developed Protocols, Relying on Third-Party Vendors if Necessary
Tip Nominated By: Joel Bilheimer, VP of Cybersecurity at Pershing Technologies, LLC
“One key to combating this is to standardize development and deployment practices, using frameworks and standards such as the Risk Management Framework (RMF) or Common Criteria. This should not be a surprise to independent vendors, as they are already familiar with compliance standards such as UL, RoHS, etc., depending on their particular industry. In particular, the recently published NIST Special Publication 800-160 guidelines for IoT would be a great starting point.”
3 – Ensure that Employees Cover Their Tracks
Tip Nominated By: Darren Guccione, CEO and founder of Keeper Security, Inc
“Have a written and enforced BYOD policy. Require employees to use strong, unique passwords for all password protected IoT devices. Monitor employee connected device usage. Use multi-factor authentication when possible. Use privileged access control. Consider due diligence for any third-party IoT provider. Use an enterprise password manager.”
4 – Develop a “Layered” Approach to Security
“The not-for-profit prpl Foundation has created the Security Guidance for Critical Areas of Embedded Computing, a peer-reviewed and actionable framework that brings into focus three areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation using hardware virtualization.
Interoperable, open standards are the key requirement for developers in order to improve IoT security even in the smallest of connected devices. It will help reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts. Using this framework, developers can ensure they are layering security appropriately to make it more difficult for hackers to exploit of all of
5 – Keep Your Kitchen Clean
Tip Nominated By: Ashok Thirunaraynan, program director at Cisco
“Consumer IoT devices are going to be highly constrained on margins and hence companies manufacturing IoT consumer devices are going to squeeze on investments that do not show any appreciable revenue opportunities. Security is something that consumers typically don’t pay for and this is going to be an area of least investment for product companies.
Developers, enterprises and startup teams can stay protected by following some good practices: Only open up the internal network for services that you really want to provide access to. Lock down all other ports. Ensure the software you run is up-to-date with all necessary patches. Have a good password management system.”
6 – Secure Your Data Flow
Tip Nominated By: Craig Spiezle, executive director and president of the Online Trust Alliance, a nonprofit think tank that published an IoT Trust Framework
“IoT security requires a nuanced understanding of its unique characteristics. First, the IoT ecosystem is made up of three dimensions: the device or sensor, the supporting applications, and the backend/cloud services. Combined with the supply chain of each, every facet and data layer is a potential risk. Each IoT dimension needs to be secured across multiple layers. As they communicate with and rely on each other, each data flow must be secured.
As more and more cases of data breaches, identity theft, and state-sponsored espionage come to light, consumers and businesses alike are becoming increasingly reticent about sharing their personal and business data. Companies will need to demonstrate that they are prioritizing privacy through responsible practices. By embracing transparent data collection, use, sharing and ownership principles, collectively we can bring IoT to scale.”
7 – Keep an Eye on Developments with Blockchain
Tip Nominated By: Percy Venegas, financial risk network analyst at EconomyMonitor
“Blockchain technology offers trust by design for many decentralized applications that would be difficult to secure using centralized means. Keep an eye on blockchain IoT pilots being conducted/funded by Intel, IBM and the Department of Homeland Security.”
8 – Expect Attackers to Escalate
Tip Nominated By: Jason Hong, Associate Professor in the School of Computer Science at Carnegie Mellon University
“In the long term, I think we’ll see a lot more ransomware. Criminals might lock you out of your house and demand payment. Or they might threaten to make videos of you public. We’ll also likely see a lot of attacks for the lulz, that is, Anonymous or 4chan script kiddies. For example, turning off the thermostat during winter and leading to burst pipes.
The scariest scenario is non-state actors. Imagine a terrorist group holding people virtually hostage, either by taking over autonomous vehicles that they are in, or by putting in fake data into people’s insulin pumps.”
The Bottom Line
Even with an uncertain future, developers at organizations of all sizes can take some simple steps to be protected. Know your vendors. Know your hardware. Prepare for a future in which you know your strategy will never, ever be perfect.