Key security principles for IoT device manufacturers

Last updated: 11 August 2020

Our world is becoming ever more connected. From smart speakers and thermostats in our homes to factories fitted with sensors for automation, connectivity can be found in practically every aspect of our lives. This network of smart devices – known as the Internet of Things – is expected to continue to grow at an unprecedented pace as microchips are embedded into billions of objects that were previously unable to be connected. In fact, according to Ericsson’s recent Mobility Report, there will be over 25 billion connected devices operating worldwide by 2025.

However, despite providing many possibilities, the IoT has also introduced new security risk factors. It’s therefore not surprising that the UK Government recently outlined new details on proposals to bring security requirements for smart device manufacturers into law. These proposals include new standards for security, rules for customer service information as well as stating details around the minimum length of time for which the device will receive security updates.

Considering that only around 13% of smart device manufacturers embed even the most basic approaches to cybersecurity in products, this legislation is a significant move towards bringing robust security requirements for consumer IoT products.

Why do IoT devices need to be secure in the first place?

Smartphone app that controls IoT devices

To illustrate the security issues with IoT devices and their impact on end users, I’m going to use smart meters as an example as these are an essential component of creating a zero-carbon economy. If a smart meter is compromised the hacker might be able to read the data sent by the device and, worst case scenario, precipitate a mass attack against the electricity grid. This approach is also known as weaponisation, where the smart device is used as a weapon to attack something else, which in the instance of the smart meter could be the entire grid.

Researchers from Princeton University recently studied this and found that a botnet of compromised power-consuming IoT devices such as smart meters, air conditioners and heaters, can be commanded to switch on or off at the same time, abruptly increasing or decreasing power demands and creating an imbalance between power supply and demand with dramatic effects. This destabilising of the grid can potentially cause a large-scale blackout.

Furthermore, if the data that an unsecured smart meter regularly receives is not encrypted, then a hacker can easily get access to it. By understanding the consumption patterns the hacker might be able to gauge when you’re not at home, and then use that information to break into your house.

IoT devices are inherently prone to attacks due to several factors, namely:

  • Lack of self-protection mechanisms against misuse/ malware attacks
  • The environments in which they are deployed make them unsuitable for field upgrade
  • The desire to improve security yields to budget constraints

How can IoT manufacturers secure their devices and customers’ data?

It’s key to remember that IoT security is not a one-off thing, but a constantly moving objective. This means that due to the ever-evolving cyber landscape, the security of your device needs to be upgradable and updatable throughout the lifecycle of the device.  

There are several key principles that shouldn’t be overlooked when developing IoT products. We’ve discussed these in more detail as part of our IoT Masters series, but to emphasise their importance I’ll provide a quick summary.

Firstly, when designing an IoT device, you need to always be guided by the principle of security by design, meaning that security needs to be embedded from the start. Secondly, you need to make sure you create a unique identity for every device and manage these identities during the lifecycle of the device. Finally, you need to make sure that the software updates you roll out can only be accepted by trusted sources.

Security as key to business success

The case for strong security exists today and the benefits from it can be realised for both consumers and manufacturers. Upgradable security can create a good business case where consumers can enjoy continuous protection while IoT manufacturers and service providers can ensure recurring ROIs by providing upgrades throughout the lifecycle of devices. IoT manufacturers need to meet the following key principles to achieve business success, as indicated by my colleague Welland Chu, Business Development Director Asia Pacific at Thales:

  • Ensure the device will behave as specified => Trust the source of the data
  • Prevent counterfeits => Communicate with only trusted entities
  • Ensure security and privacy => Only authorised entities have access to data
  • Ensure sustainable operation => Enable security updatability on devices
  • Ensure sound situational awareness => Continual assessment and assurance

Despite the risks associated with IoT devices, there’s still a lot to be done to implement robust security practices. Security at the IoT device level is attainable; however, manufacturers need to ensure that the chain of trust which includes the data, firmware, applications and communications, is protected so that the IoT can defend itself. By doing this, manufacturers and operators can minimise losses from counterfeits, attain regulatory compliance, reduce misuse, and facilitate future maintenance. This is key to enabling widespread adoption of smart devices with the certainty that the IoT ecosystem is safe and secure.

Leave a Reply

Your email address will not be published. Required fields are marked *