Suddenly, IoT security is all the rage

Visitors to the recent embedded world exhibition in Nuremberg could be forgiven for thinking they'd turned up at a different event, such was the focus on security. It was all to do with the Internet of Things – or whatever the particular vendor was calling the technology. Already, clarity is disappearing from the sector: one company says it's the IoT; another says it's the Internet of Tomorrow; others ignore the words 'internet' and 'things' altogether.

Six months or so ago, a report was published pointing to the potential for the IoT to be compromised through weak security in 'edge devices' – the components that collect data and transmit it for further processing in 'the cloud'. The report also suggested that engineers should assume their device will be compromised at some point and should therefore design their systems so that rogue elements can be isolated.

Now, IoT security is all the rage – at least amongst vendors – and the focus is spreading to other sectors. But there are a number of issues: one is the assumption that just because a system is embedded, it's secure; another is the requirement for designers to think of every possible threat. Between those two extremes lies a sensible approach, along with another – designing from the start with security in mind.

In the last few months, companies have started to offer devices which feature high levels of security. If you want AES-128, it's available; if you want more, then some vendors have secure authentication microcontrollers that offer 'banking level' security.

And yet, while vendors have got the message, not all users have. A leading semiconductor executive told a briefing that 'security is not getting the attention it needs; security needs to be understood broadly'.

But perhaps it's not quite as bad as it looks. New Electronics surveyed its readers in 2014 and found increasing concern about security – designs, as well as data. Almost all of those who said their designs accessed the internet also said they implemented access control. Half were aware of defensive programming and half were implementing tamper resistance.

Nevertheless, there's a large number of engineers who believe their system is more secure than it is.