Ten Security Objectives to consider while Building an IoT/IIoT product
As calculated by former Cisco researcher David Evans, every second, 127 new IoT devices are getting online. And by the end of 2020, the number of connected devices is expected to cross 50 billion.
But along with this fascinating growth, the concerns for IoT security and privacy issues also are growing. As per a 2017 study, 84% of organizations surveyed, experienced an IoT related security breach..
The need for a holistic IoT security strategy is, thus, crucial right from the beginning of the production cycle. So, in this article, we are listing ten key security requirements of IoT product manufacturing.
1. Security by Design
To remain unaffected from the IoT security issues, you must integrate security in the product design phase.
Having security as a part of the design process ensures that each stage of product development has provisions for defence against the cybersecurity risks.
Also, hardware vulnerabilities can’t be patched on-the-fly. Ensuring security during hardware design, thus, can prevent product recalls and save millions of dollars. Moreover, architecting a secure software helps in minimizing zero-day bugs.
Incorporating security during design also ensures a product that fits well with the required IoT security standards and techniques.
2. Privacy by Design
Economist Intelligence Unit (EIU) surveyed 1,600 consumers in eight countries and found 92% of the consumers want to control the personal information collected about them. And IoT security risks not only affect the product but also the data stored and processed by the device.
So, along with device security, data privacy measures must be an integral part of the design stage itself. Have provisions for privacy assessments at each stage to ensure the product, as well as the data, is secure.
3. Authentication and Authorization
Assigning device identity and outlining ways to authenticate it is one of the fundamental elements in IoT security. Whether you design your product for humans, machines, or both, you must implement proper authentication mechanisms.
Certificates, complex passwords, PINs, and biometrics are among the various ways to authenticate access. You can also implement two-factor or multi-factor authentication in place for better security. And the stored credentials, of course, should be encrypted.
Along with reliable authentication, your product must also have suitable authorisation process. It protects the modules from any unintended access.
4. Data Encryption and Access Control
Robust encryption and access control protocols also are among the key elements of IoT product security requirements. The measures are essential to comply with the IoT security regulations, especially when personal or sensitive data is involved.
And by encrypting the data, allowing access only with appropriate credentials, data is secure even if security is compromised. You got to ensure effective use and correct implementation of encryption algorithms combined with strong cryptographic keys.
5. Hardware Security
IoT security requirements also mandate that the product is tamper-proof.
Specialised security chips, trusted device identity mechanism, and a physically secured data storage medium is a must.
Only essential physical ports should be available, open just to trusted connections.
Apart from ensuring that the device can’t be disassembled easily, also ensure that any hardware tampering can be detected. The product should be tamper-proof and tamper-evident even in the test/debug modes, to prevent unauthorised access.
Suggested Read– 6 Tools for Penetration Testing of Smart IoT Devices
6. Network Security
The Unit 42 of Palo Alto Networks studied devices used in various healthcare organizations for an IoT threat survey. It revealed that 98% of IoT network communications are unencrypted.
And unsecured networks are known to be soft spots for cyber criminals. Therefore, IoT network security too must be taken care of.
Not only the communication channels and data transport mediums but also the ports should be monitored. Then, Public Key Infrastructure (PKI) and X.509 digital certificates build the trust needed for secure data exchanges over networks.
7. Compliance Requirements
IoT security measures also require you to ensure the data is stored and processed as per the laws. The product shouldn’t collect any data without the consent of the user(s).
For example, if you’re implementing your IoT device within the EU, it should comply with GDPR. The users must be able to exercise their rights to information, access, rectification, and others as per the policy.
Devices should also comply with industry specific compliance standards and guidelines like GSMA IoT Security, ISA 62443, IoTSF Checklist, and others. These help address domain specific threats and risks.
So, have proper documentation outlining how the product collects and stores data, how the data flows within the business and who all has access to it. You should also mention what you do with the data and who all can make the changes, to be prepared for potential IoT security vulnerabilities and attacks.
8. Performance Requirements
Maintaining the required performance standards as per the use case is another key component of IoT security needs. If your device is intended to be powered on 24×7, it shouldn’t break down in standard conditions, say, after only 5 hours of usage.
So, design your product, keeping in mind any probable disruption.
Apart from the intended features, the product must have systems for self-diagnosis and repair. Features like recovery from malfunction, data rollup from a compromised state or standalone operation in case of network failure, are mandatory.
Also, implement industry-standard communication protocols and algorithms, to facilitate seamless integration with other devices in the network.
9. Regular Secured Updates
IoT security and privacy challenges keep growing with time. Therefore, you must develop security patches and deliver them to the product as required.
Outline an end-of-life strategy for support and update of your IoT products.
And then, ensure the device can receive Over-the-Air (OTA) software/firmware updates. The update server, as well as the transmission channel, should be secure, and the device should be able to decrypt and verify the encrypted update.
Also, the updates shouldn’t change user-configured preferences or settings before notifying the user.
Additional Read – A Case of Analysing Encrypted Firmware
10. Event Logging Mechanism
Your IoT product must have a logging system to record device status and related events during its functioning. Events like user authentication and modifications to security and privacy settings should be logged as they take place. The log must also record the user activities.
And all the event logs should be kept safe and secure for later retrieval.
IoT security begins at the design stage. Everyone involved in the design, manufacture, and delivery of the device plays a role to ensure its security is intact. You must take care of all the aspects ranging from hardware security to network security and compliance requirements to performance requirements.
And if you need a comprehensive IoT security assessment, Payatu is here to help you. We perform extensive testing of all aspects of an IoT product ecosystem including device hardware, firmware, radio communication, IoT/IIoT protocols, IoT mobile and Cloud platform.