Best Practices

How to Develop IoT Products with Security in Mind

“Security is the biggest issue holding back the broader development and deployment of IoT devices,” said Haydn Povey, founder and CEO of Secure Thingz, in his keynote at Embedded Conference Scandinavia (ECS) 2018.

The Internet of Things (IoT) promises a flood of amazing new products, including autonomous cars, networked medical devices, home automation and new devices in industrial applications. But data breaches affect millions annually, and there is real fear that hacked devices could be used for surveillance, fraud or even weaponization. Unless customers trust in the security of these devices, adoption will stall.

Make Security a First-Class Citizen During Development

Too often with IoT devices, security is an afterthought; sometimes it even gets scrapped due to time and resource constraints. But organizations cannot provide reliable security after the fact. Security must be addressed from day one, by both product development and leadership.

Consider architecture: There are many chipsets available that provide a security architecture for embedded devices, but less than 4% of new devices in 2018 include embedded security. The explanation for this oversight is obvious: Development begins without security in mind, leading to an architecture that omits it. And it’s not feasible to change the underlying architecture of a product after release to account for security.

Most importantly, security is everyone’s job. It’s a management topic that should manifest on all levels in the form of policies and guidelines.

The Argument for Security in IoT Devices

Security is often seen as a cost, but if you understand it correctly, you can turn it into a value proposition or a competitive advantage that customers are willing to pay premium for. For instance:

  • Today’s customers are increasingly concerned with security and privacy. Companies like Apple can charge a premium because they address these concerns.
  • Insufficient security can lead to counterfeiting.
  • Good security increases brand value and decreases the risk of brand erosion.
  • Security is required by law, and failure to comply can result in heavy fines.
Security as an Integral Part of Product Development

Once you recognize the importance of security, it’s logical to make it an integral part of your product development process. This means, amongst other things:

  • Security is part of the stakeholder needs and therefore must be part of the core requirements. This also applies to regulatory requirements, such as those derived from legislation like GDPR.
  • Make sure your architecture fits your security requirements, since architecture is one of the most difficult (and expensive) things to change after the fact.
  • Ensure your security requirements are tested. You achieve this by maintaining correct end-to-end traceability from requirements to test results.
  • Collaborate on all levels. If you want to prevent security from being patched on an ad-hoc basis, make sure that all teams communicate properly. For instance, an engineer might be tempted to write custom code to detect a Denial of Service (DoS) attack, but this might be addressed more efficiently on the architecture level.
  • Implement a product line strategy and perform systematic reuse. Security extends to the complete lifecycle of products, so you must be prepared to provide security updates for years to come. Also, reuse allows teams to use previously tested elements, improve quality and accelerate development.

Embracing security today provides more than just a competitive advantage – it may be crucial for survival. While a product development platform alone is not enough to address security, it’s ideal for implementing the policies and frameworks established by management.

To better understand how Jama Software can help you ensure security throughout the product development process, visit us at Embedded World 2019.