Channel: Cadence Blogs

Inside Secure Writes the Book on IoT Security for Dummies

At the recent Linley IoT conference, one of the presentations was by Steve Singer of Inside Secure. As many of the other presenters emphasized during the day, security is one of the biggest issues in IoT, ranking above lack of standards, ease of user setup, and general complexity. In my experience, it is also one of the most difficult areas to handle. You might have two PhDs and be able to design a state-of-the-art Viterbi decoder, but that doesn't mean you know anything about security. There is a famous Monty Python sketch featuring the Bournemouth Amateur Gynecologists, an obviously ridiculous concept. Well, there is far too much amateur security engineering going on. You shouldn't design your own security any more than you would design your own SerDes. This is a big opportunity for companies, such as Inside Secure, that specialize in IoT security, with the market predicted to grow roughly 4X in the next five years to nearly $30B.

Some of the reasons security matters are obvious. You've probably seen the video of a Jeep on the road being taken over by hackers with a journalist at the wheel; they got in through the entertainment system, which has an internet link. You don't need much imagination to look at a WiFi-controlled front-door lock and wonder just how easy it would be for someone unauthorized to open the door. Even the infamous (and apocryphal) internet-connected toaster could be used to set someone's kitchen on fire. Inside Secure have worried about all these things...and more.

In security, a lot of distinction is made between the different states in which data could be compromised.
In IoT, there seem to be four big ones:

- Protect data in process: make sure the device works as intended (and not as unintended).
- Protect data in transit: prevent unauthorized access to, and alteration of, communications.
- Protect access to data: ensure only authorized devices are attached to the network.
- Protect data at rest: ensure that the data in the device cannot be accessed or altered in unauthorized ways.

Increasingly, there is an awareness that this sort of security requires a combined hardware-software solution. Software on its own is inadequate. But hardware has its own challenges, since it is difficult (or impossible) to change once the product has shipped, so the security in hardware needs to be like a safe in a house: a place where the most important items are kept in the most secure way.

Inside Secure have written IoT Security for Dummies. Like any other book in the Dummies series, it has a wealth of valuable information condensed into a small amount of material (44 pages). The book is available as a free download (or if you run across them at a trade show, they will give you a printed copy). The last chapter of the book is a summary of best practices. So here are the top 10 IoT security bullets:

- Understand the risks: life-threatening attacks are more serious than ones that find out how many paces you stepped today.
- Never underestimate your enemy: it is not just "Fred in a shed" any more. Cybercriminals, rogue nations, and PhD computer scientists may all be your enemy.
- Minimize the attack surface: security that is simple tends to be best. Remember the Jeep I mentioned: they didn't control the engine by breaking the engine ECU's security, they came in through the radio.
- Implement security at the right layer: for example, if an attacker has physical access to the device, the physical security will need to be different. If you are worried about a well-equipped lab using focused ion beam (FIB) attacks on a decapped chip, that is in a different league from monitoring the radio.
- Authenticate connected devices: it doesn't matter how good the rest of your security is if the devices can be impersonated.
- Use standards-based protocols and algorithms: security through obscurity does not work. I'd go one step further and say don't write the code yourself. Don't forget the security professionals' maxim that anyone can produce a security algorithm so strong that...they can't break it themselves.
- Protect data in motion: I think that is obvious, but you'd be surprised how many unencrypted links there are around.
- Protect data in use: in particular, make sure you have a secure boot process. Otherwise, all your other security is useless if the bad guys can just run their own code.
- Protect data at rest: even data like public keys, which is already public, needs to be protected against change (for reasons that I hope are obvious). If an attacker can swap the stored public key for their own, anything they sign with the matching private key will verify.
- Choose the right security vendor/partner: of course Inside Secure want you to pick them, but I have an additional piece of advice for you, having worked for six months at a security company myself. Pick a vendor/partner. Unless you are a specialized security company yourself, you don't know enough to do it yourself. You just know enough to be dangerous.

(By the way, Inside Secure told me that they worked with the Dummies people (actually Wiley) and their use of the name, logo, and format is all legal. If you want them to write one for you, then here are the details.)
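The "data in use" (secure boot) and "data at rest" (public keys must not be changeable) bullets are two halves of one mechanism, so here is an added worked example of it. This is my own illustration, not code from the book or from Inside Secure, and it makes some assumptions: a constructed, minimal image layout (`Image`), a constructed sample payload, Ed25519 as the signature scheme, and one-time-programmable (OTP) memory modeled as a 32-byte hash the bootloader reads back. It shows a signature-only check beside the hardened check so you can see exactly which attack the anchored key hash stops.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a constructed, deliberately minimal firmware image layout (an assumption
// for this example, not any vendor's real format). The signing public key travels
// inside the image, which is exactly why it cannot be trusted on its own.
type Image struct {
	PubKey  ed25519.PublicKey
	Sig     []byte
	Payload []byte
}

var (
	ErrUntrustedKey = errors.New("embedded public key does not match the OTP hash")
	ErrBadSignature = errors.New("payload signature does not verify")
)

// Provision models the factory step: generate the OEM signing key and burn the
// SHA-256 of its public half into one-time-programmable (OTP) memory on the device.
// Only the 32-byte hash ends up in hardware; the private key stays with the OEM.
func Provision() (ed25519.PrivateKey, [32]byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, sha256.Sum256(pub)
}

// Sign produces a signed image: signature over the payload, public key attached.
func Sign(priv ed25519.PrivateKey, payload []byte) Image {
	return Image{
		PubKey:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, payload),
		Payload: payload,
	}
}

// VerifySignatureOnly is the weak bootloader: it trusts whatever public key the
// image carries. An attacker who re-signs with their own key passes this check.
func VerifySignatureOnly(img Image) error {
	if !ed25519.Verify(img.PubKey, img.Payload, img.Sig) {
		return ErrBadSignature
	}
	return nil
}

// VerifyBoot is the hardened bootloader. It first anchors the image's public key to
// the immutable OTP hash (data at rest protected against change), and only then
// checks the signature (data in use: nothing runs unless the OEM signed it).
func VerifyBoot(otpKeyHash [32]byte, img Image) error {
	if sha256.Sum256(img.PubKey) != otpKeyHash {
		return ErrUntrustedKey
	}
	return VerifySignatureOnly(img)
}

// Demo exercises the cases a bootloader must get right and returns the outcome of
// each so the behaviour can be checked programmatically rather than by eye.
func Demo() (genuine, tampered, resignedWeak, resignedHard error) {
	priv, otp := Provision()
	firmware := []byte("constructed sample firmware v1.0") // constructed payload

	// 1. The OEM's own image boots.
	genuine = VerifyBoot(otp, Sign(priv, firmware))

	// 2. A single flipped byte in the payload, original signature kept: rejected.
	img := Sign(priv, firmware)
	img.Payload = append([]byte(nil), img.Payload...)
	img.Payload[0] ^= 0x01
	tampered = VerifyBoot(otp, img)

	// 3. Attacker signs their own payload with their own key and swaps in their
	//    public key. The signature is valid for that key, so the weak bootloader
	//    accepts it; only the OTP hash check stops it.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	evil := Sign(attackerPriv, []byte("constructed attacker payload"))
	resignedWeak = VerifySignatureOnly(evil)
	resignedHard = VerifyBoot(otp, evil)
	return
}

func main() {
	g, t, w, h := Demo()
	fmt.Println("genuine image:              ", g)
	fmt.Println("tampered payload:           ", t)
	fmt.Println("re-signed, signature-only:  ", w)
	fmt.Println("re-signed, OTP-anchored key:", h)
}
```

The point of case 3 is the one the "data at rest" bullet is making: the public key is not secret, but if the verifier will accept whatever key it finds next to the signature, the signature check proves nothing. Real devices put the hash (or the key itself) in OTP fuses or ROM precisely because those cannot be rewritten after the product ships.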
