Article: 9 Design Practices to Better IoT Device Security

Carmel, IN –

By Uriel Kluk, Chief Technology Officer at Mesh Systems

Hackers, in search of quick plunder, are today’s pirates. Cyber-pirates have swapped muskets and swords with stealth code and phishing techniques to exploit computer networks and steal assets.  Individuals, companies, and countries are all vulnerable to attacks, especially as the size of potential booty grows. With IoT forecasted to connect billions of everyday home, office or industrial devices, it’s hard not to imagine how vast the potential damage could be. While IoT promises to improve machines’ uptime, cost structures and help people do their jobs better, cyber-attacks can essentially wipe out any productivity gains. If hackers find video baby monitors fun targets, imagine the potential damage of hacking an IoT video monitoring system of a manufacturing plant, mall, water system or IoT-enabled truck.

Organizations delivering and using IoT systems must be diligent in their defense of device data and how it flows through the network so it cannot be exploited.  There are three key threats to IoT systems and their connected ‘things’ –

  • Information theft – outright theft of valuable and proprietary information for economic gain.
  • Hijacking – disruption of device or network operations so that devices shut-down or degrade functionality.
  • Device impersonation – identify theft when hackers reverse engineer the IoT device’s communication, workflows or exchanges to make the device behave differently.

IoT Security Defense Trident – privacy, encryption, authentication (access control and authorization)

Engineering design must seek to constantly improve security during the entire IoT solution’s lifecycle – it never ends, especially once deployed. Security elements for IoT devices include privacy, encryption of communications and authentication of devices and services. There are cost implications that require design tradeoffs to ensure affordability and deploy-ability of the end product.  Security, even if it is very efficient and elegant will represent about 5% of solution cost. It involves a specialized network infrastructure, higher stack layers (MCUs with more horsepower) and greater overhead in transfers or processes to complete data handshakes.

Organizations must evaluate the potential threat to their IoT system when designing the framework. For some systems it makes sense to have low security measures in place, while others need the highest level possible.

No Security

IoT system architects must be diligent in their efforts to thwart potential cyber-attacks.  Some can argue that the cost of security for simple monitoring of basic levels like temperature or humidity is too high.  The value of the total cost of ownership must be evaluated when designing security elements. Yet everyone must be aware that there is motivation to disrupt operations whether for pure entertainment or financial gain (stealing assets).

Weak Security

The worst case scenario is mediocre security that provides a false sense of protection.  It can stop unsophisticated attacks like robots scanning for open ports, but breaks down once the system is deployed.

Good Security: IoT Security Best Practices Checklist

  1. Connect and peer devices or machines with well-known services.
  2. Use private networks, NAT boundaries and firewall rules to hide devices and defend servers.
  3. Create isolated islands with segmented security by decoupling data flows breaking data into multiple secrets.
  4. Use industry standards and protocols – don’t try to outsmart the industry, but be aware when technology becomes obsolete.
  5. Enforce sequencing and use connected closed door policies (TCP vs. UDP).
  6. Avoid common keys – no master “key to the castle” should exist.
  7. Design the system assuming a threat can happen from within.
  8. Develop a systematic and repeatable review process to make sure field-deployed ‘things’ have current safeguards in place.
  9. Develop the ability to remotely revoke privileges on the spot.

Multi-layered Security Design Protects IoT Systems

Organizations must be diligent in creating and updating security defenses for IoT systems. The best approach is to have a multi-layered security design that includes all three elements of the IoT security defense trident. Ensure all 9 items of the IoT Security Checklist are present so you don’t let your IoT device be the portal for cyber-hackers to access data and exploit the network to steal assets.

Article originally posted on 1IT Enterprise  http://bit.ly/1sCvjnk

To download complete article, click HERE.

 

About Uriel Kluk

Uriel Kluk brings more than two decades of software architecture experience to Mesh Systems. He architected and designed an Internet protocol-centric access control system, as well as founded and led a building automation systems integrator. Mr. Kluk has designed and implemented a wide range of monitoring and control applications for large scale, enterprise client-server and multi-tier systems.

 

Mr. Kluk is a consistent, reliable source of information to Mesh Systems’ clients as he knows how to derive product value from IoT device data.  He designs highly scalable IoT systems that are efficient, reliable and utilize a set of design telemetry blocks that, when put together, creates a custom solution that is economical to make without sacrificing quality, portability or scalability. 

 

Prior to co-founding Mesh Systems, Mr. Kluk founded four companies and served as a technology leader to a broad spectrum of organizations, from startups to global corporations in the U.S., Canada and Mexico. He offers vast expertise in sensor networks, building automation systems and networking protocols. Mr. Kluk holds a Master’s Degree in Electronics Engineering from Instituto Technologico de Estudios Superiores de Monterrey (ITESM) in Monterrey, Mexico.

 

##

Monday, June 13, 2016