Connected device makers should also ensure any software updates or modification should require administrators to authenticate to the device first and require the use of signed executable files to verify the integrity of the software that is being installed. Devices must be able to register activity which could indicate an attack. Robust logging features are a must if administrators are required to recover compromised systems.
In today's IoT world, it’s not enough to require end-users to use their initiative and set long passwords. There's a 'set and forget' mentality among users which is not sufficient for ensuring around-the-clock security.
#3 Avoid 'security through obscurity'
Another common mistake at the development phase is the dangerous 'security through obscurity' approach, i.e. the assumption that hackers won’t be interested in your product. Products must be designed with the assumption that they will be purchased, dissected and studied. Security shortcuts such as embedded private keys or weak authentication might save time and speed up deployment, but a global IT ecosystem can quickly become a global botnet network.
#4 Don't make your supply chain the weakest link
You can't underestimate the importance of screening supply chain partners closely, to make sure contracts and service provider agreements protect you. By using emerging hardware security technologies, companies can remove the risk of malicious vendors or manufacturers. These technologies allow all secret keys or intellectual property to be secured and verified directly on the chip. This same approach can also protect you against device cloning or counterfeiting.
#5 Put safety first
While great security is an absolute must have, companies must also prepare for the failure of their security. It's not enough to just have great external security, systems must be designed with compromise in mind. Traditional IT systems have just started doing this by encrypting information inside databases in the event that it is compromised.
IoT devices should ensure that critical functions of the device cannot be affected or compromised by ‘smart’ features. For example, as cars become more connected, manufacturers should separate systems to ensure that a hacker doesn't get the "keys to the kingdom" so to speak. For example, separating air bag deployment systems from infotainment systems in a car.
Unfortunately, building an IoT product is not as simple as just connecting your product to the internet.
And while it is tempting to rush to try to be first to market, quicker does not mean safer. The security and privacy issues raised by connected products are often subtle and complex. Any business looking to design and deploy applications must wrap a robust security policy around every decision.
For companies with limited resources, IoT platforms-as-a-service can address many of the security and data integrity issues that riddle poorly designed IoT products. Such tools let you streamline secure communications based on industry-standard encryption protocols and extend fine-grained user provisioning to IoT products. This will also improve time to market, whilst also avoiding a rude awakening in the future.
About the author:
Calum Barnes is Product Owner, Xively by LogMeln — https://secure.logmein.com