“While the security of IT hardware and software has strengthened in recent years, the security of Internet of Things (IoT) … has not kept pace,” Microsoft’s Digital Defense Report 2022.
The Internet of Things (IoT) promises a flood of amazing new products, including autonomous cars, networked medical devices, home automation, and new devices in industrial applications. But data breaches affect millions annually, and there is real fear that hacked devices could be used for surveillance, fraud or even weaponization. With 17 billion IoT devices in the world the surface area for attack dwarfs that of traditional computer malware.
Make Security a First-Class Citizen During Development
Too often with IoT devices, security is an afterthought; sometimes it even gets scrapped due to time and resource constraints. But organizations cannot provide reliable security after the fact. Security must be addressed from day one, by both product development and leadership.
Consider architecture: There are many chipsets available that provide a security architecture for embedded devices, but less than 4% of new devices in 2018 include embedded security. The explanation for this oversight is obvious: Development begins without security in mind, leading to an architecture that omits it. And it’s not feasible to change the underlying architecture of a product after release to account for security.
OtA Updates Should Be a Requirement
Many devices that are shipped to consumers have little to no update mechanism, or their update mechanism requires the customer to be aware of an update and go through a cumbersome process. This inevitably leads to out-of-date software that is an easy exploit for hackers.
Just like the PC industry, IoT developers must embrace secure, OTA updates to keep their customers safe. It is not enough just to offer updates; developers should push security updates to devices that are connected to their services. This is not just good business practice; it protects the service provider’s critical SaaS infrastructure as well.
The Argument for Security in IoT Devices
Security is often seen as a cost, but if you understand it correctly, you can turn it into a value proposition or a competitive advantage that customers are willing to pay a premium for. For instance:
- Today’s customers are increasingly concerned with security and privacy. Companies like Apple can charge a premium because they address these concerns.
- Insufficient security can lead to counterfeiting.
- Good security increases brand value and decreases the risk of brand erosion.
- Security is required by law, and failure to comply can result in heavy fines.
Security as an Integral Part of Product Development
Once you recognize the importance of security, it’s logical to make it an integral part of your product development process. This means, amongst other things:
- Security is part of the stakeholder needs and therefore must be part of the core requirements. This also applies to regulatory requirements, such as those derived from legislation like GDPR.
- Make sure your architecture fits your security requirements, since architecture is one of the most difficult (and expensive) things to change after the fact.
- Ensure your security requirements are tested. You achieve this by maintaining correct end-to-end traceability from requirements to test results.
- Collaborate on all levels. If you want to prevent security from being patched on an ad-hoc basis, make sure that all teams communicate properly. For instance, an engineer might be tempted to write custom code to detect a Denial of Service (DoS) attack, but this might be addressed more efficiently on the architecture level.
- Implement a product line strategy and perform systematic reuse. Security extends to the complete lifecycle of products, so you must be prepared to provide security updates for years to come. Also, reuse allows teams to use previously tested elements, improve quality and accelerate development.
Embracing security today provides more than just a competitive advantage – it may be crucial for survival. While a product development platform alone is not enough to address security, it is an integral component for implementing security policies and frameworks.