IoT Security – Build or Buy?

The Internet of Things (IoT) has opened up product opportunities that we’ve not seen the likes of in many years. It is an exciting time to be in both software and hardware product development; the limits on the possibilities determined only by our imagination.

Of course, like all great things, it comes with some caveats. Customer demand for IoT has precipitated an influx of vendors jumping on the bandwagon. There’s great disparity in vendor approach to security, represented in part by an all time high in security breaches. When developing a smart product, every manufacturer needs to consider developing the product with security in mind from the ground up.

 

An Internet of Insecure Things?

The security industry has gone through big changes since the early 90s. In those days, security was almost an afterthought and certainly not a consideration for the average person. The advent of the Internet started to change this view and brought with it new challenges. It is the maturation and consumerization of web-enabled applications that has truly brought the biggest security challenges and changed the overall web security landscape. Understanding the complex nature of web security requires specialist knowledge. It can be learnt, but the learning curve is steep and experience is an important aspect of knowing what type of security to apply, and when to apply it.

This is born out by some of the more blatant security flaws that seem to be hard baked into some parts of the IoT that tend to draw significant press. For example, the Open Smart Grid Protocol, the proposed underlying communication protocol for smart grids, was found to have basic cryptography issues, due to use of non-standard algorithms, leaving systems using it open to attack.

Some security flaws exist from the moment the product is manufactured, such as a product not having production scale security – key components of which are unique product identity, security keys to encrypt and decrypt not just data but also the software image that is part of the product. Some IoT products are even hard coded with passwords like ‘password’ or ‘admin’ built in to allow manufacturers to easily update / fix their products. A post by security expert Brian Krebs on the issue of IoT device access controls, states that, “attacks are fueled in part by an explosion in the number of Internet-connected things that are either misconfigured or shipped in a default insecure state”.

 

Creating a Secure Foundation

When you design a product, generally you are looking at the market drivers for that product, cool new features and functionality that will appeal to your customers or even features that make the design of your smart products easier. Your focus is not usually on fundamental security issues and rarely do you have architects specializing in embedded security on your team. The problem with Internet-enabled products is that they are open to sophisticated cyber-attacks. The Open Web Application Security Project, better known as OWASP, has an IoT Attack Surface Areas Project which lists vulnerabilities within Internet of Things devices. This list is extensive to say the least and leads anyone reading it to conclude that security must be the foundation stone of any IoT based product.

But as we mentioned earlier, security is a specialized area of knowledge. Adding a security layer into an IoT device requires a number of key product designer and developer specialisms, including:

  • Encryption experts
  • Cloud infrastructure specialists
  • Understanding of secure deployment metrics
  • Protocol experts
  • Hardware security knowledge
  • Software security knowledge, especially web-security and social engineering
  • And more…

Pulling a team of experts like this together is not easy. They are hard to recruit and expensive. The shortage of security experts is a known problem in the industry. In a 2016 report into security staffing by Trustwave, they found that 87% of respondents were looking for security specialists making it a highly competitive space.

This leaves an organization with a choice. Try and recruit a team of specialists that are expensive and highly sought after, or find an alternative.

 

The Alternative: A Secure IoT Platform

Focusing on your product’s core capabilities is important in creating a successful product. This is the way you can truly differentiate your product. Building an IoT platform from scratch doesn’t differentiate your product but often detracts resources from that goal. Being able to rely on a trusted secure IoT platform on which to build your product, is the only real alternative that allows you to focus on product success and create a secure and usable IoT device.

The idea of building a product utilizing a secure IoT platform is the same as using any other platform for efficient workflow. We already use platforms for operations, such as SAP, and CRM platforms like Salesforce. The benefit of using a dedicated and well tested IoT platform as a basis for a product is that it allows you, the manufacturer, to focus in on your product design and do what you do best while the IoT platform provider obsessively maintains security at every layer: from the factory to the product on the shelf to the product in use. Read this ZentriOS document for details on the specific security in the operating system driving the Zentri Secure Connected Platform for IoT for an idea of whether that’s something you hope to tackle yourself or use a platform to provide.

An IoT platform also gives you a mode of standardization, much needed in an emerging technology space. But most importantly, it does the security hard work for you, letting you get on with your core business and create a best of breed product that generates more revenue.

Recommended Posts

Leave a Comment