According to Alex Neill, managing director of home products for Which?: “Manufacturers need to ensure that any smart product sold is secure by design.” But do designers know where to start? Some observers think that not all engineers do.
So what is security? “There are several related concepts,” said Roger Shepherd, an IoT security consultant, “such as reliability, security, safety and privacy – and the differences can be difficult to tease out. But we need to be concerned about all these concepts and, if pressed, I’d say security is about the integrity of function and data.”
Haydn Povey, CTO of SecureThingz, agrees. “There are many facets. A technical view considers managing confidentiality, availability and privacy, but if you take a broader view, it’s about ensuring that you protect and manage your IP, your brand and your customers’ privacy, while stopping ‘bad actors’ gaining control.”
But definitions are one thing; more important in many people’s minds is where does security need to be applied? “You need to apply security where it’s needed,” Shepherd pointed out. “And you need to apply security from the beginning of a design project as it’s very difficult to retrofit security.”
Knowing what you’re protecting helps to determine where security is needed. “Understand what needs to be kept secure,” he continued, “and the threats to your system. When you build a system, you make choices – such as wired or wireless comms – and you must consider security when making those choices.”
Alongside where security needs to be applied comes the question ‘how secure should my product be?’. Povey believes the answer to this question comes from the development of a protection profile. “Protection profiles are something which have come out of the Common Criteria world. They help you to determine what are the assets you’re protecting, the consequences of losing control and the type of attackers you might have to deal with.”
Shepherd believes the level of security applied to a particular product varies. “But your product shouldn’t undermine the security of a wider system,” he highlighted. “For example, a domestic IoT device might leak a Wi-Fi password and that could undermine the security of a home network. You can determine the appropriate level of security by performing a risk assessment, which should be at the heart of everything you do.”
Povey continued: “From a scientific perspective, you should ask what’s the value and impact of an attack? Will it be a company value – for example, the Equifax hack – or is the worst thing that can happen is someone can hacking one device?
“Determine the impact of an attack and what resources need to be applied to make that attack. At one end of the scale, it might be someone hacking for vulnerabilities; at other end, there’s ransomware and state actors with infinite resource looking to take down power stations.”
Attacks can have a range of impacts. As Povey noted, there are corporate impacts, such as the Equifax hack and the attack on Target in the US. And the recent Wannacry virus provides another example of the effect of security lapses. “Ransomware is one of the worst attacks; the people behind them are smart and it’s the latest business model. I have seen examples of people demanding $1million per month as ransom.”
Haydn Povey: " “Most people care about security, but don’t know enough about it.”
If security is a bit of a mystery, then where do you start? “Most people care about security,” Povey asserted, “but don’t know enough about it, so the best place to start is a protection profile, which should highlight the risks and the consequences.
“For instance, you could be exposed to a class break, which could be a supply chain issue.”
This relates to the use of a commercially available device – for example, a Wi-Fi module – which either has poor security or, worse, no security at all. “You have to be careful,” Shepherd warned, “particularly with component suppliers. You have to ask yourself whether the Wi-Fi module you’ve selected is secure. You have to be careful with your supply chain because if you’re not, that could bring all sorts of problems.”
Povey’s advice is to ask your suppliers such questions as what is their root of trust? What is their update mechanism? And, importantly, how will they support you in the future?
One thing which Povey is keen to emphasise is that users have a responsibility to understand the consequences of their decisions. “Designers need to ask themselves whether they’re using the right tools. For example, does my compiler enable versioning? Do the chips I’m using have a secure domain where I can hide and manage secret information; what’s known as a trusted execution environment. So not only are there design decisions to be made, purchasing decisions will also influence security.”
Shepherd pointed the curious engineer towards the Internet of Things Security Foundation’s website (see box). “Take a look at its ‘Security Compliance Framework’, which covers corporate, process and technical aspects, amongst others. While there, look at the best practice guides.”
There are architectural issues to be dealt with. “Ideally, each device should be fundamentally unique; it should be designed so that it isn’t exposed to class breaks,” said Povey. “That means adopting a zero trust model in which you always authenticate people and services. You also need good ‘hygiene’, such as switching off unused ports.”
Many companies – especially those developing IoT products – may worry about the cost of security. “These companies need to stop thinking about security as a cost,” Povey said. “Rather, it’s a way of enabling the next generation of high value applications to be developed. Things like pay per use instead of retail, enablement and data analytics will all be enabled by security and shouldn’t be seen as an expense.
Roger Shepherd: “Understand what needs to be kept secure and the threats to your system.”
Security isn’t a matter of ‘fit and forget’; once you have it in place, it needs to be maintained. Asked how frequently security needs to be reviewed, Shepherd said: “From the start! Security needs to be ‘baked’ into the product implementation and support processes.”
Software updates are a critical issue in maintaining security and it’s important for designers to know how this will happen. Some will use wired communications, but many devices will need to be updated ‘over the air’, or OTA. “OTA brings connectivity issues,” Shepherd observed. “But there is also management of the update size and, potentially, cost issues.”
Povey agreed that OTA bring issues. “It needs a modular approach so the entire code base isn’t updated every time – something that’s important for embedded systems. Make sure you implement version control and modular updates.”
In Povey’s opinion, updating software needs a base level set of services. “But you also need a mechanism which identifies when you’ve been compromised.”
There is also manufacturing security to be considered, with IP theft one of the industry’s major concerns. SecureThingz is working with the industry to enable identity to be injected at the fab or in the distribution chain. This ensures a device is valid and that no counterfeit devices get mixed into those going to market.
“If you’ve spent a lot of money developing your product,” Povey said, “the last thing you want to see is copies of that product on the street.” Counterfeiting is a huge problem; an example is a home appliance vendor which contracted for 500,000 units to be made, but found out that 1.2million devices had been sold in China alone. If you talk about building in security, companies say one thing; ask them about protecting their investment in R&D, they see a value.”
Should the electronics industry be doing more? “An interesting question,” said Shepherd. “There are industry efforts, such as the IoTSF, but one problem is that, as yet, security does not seem to be demanded by the market. Until the demand is there, we won’t see investment.”
And will the Government need to legislate? “Perhaps there is enough in the existing laws and regulations and what is needed is more proactive use of them,” he concluded.
| IoT Security Foundation Annual Conference |
The 2017 IoTSF annual conference – taking place on 5 December at Savoy Place in London – will bring vendors and users together with security experts, researchers and key stakeholders to discuss security ‘in the round’. Attendees at the event – entitled ‘Knowing it’s safe to connect’ – will learn how companies are providing security capabilities and how users are implementing them. This will be framed by a bigger picture view of the contemporary issues and a look at the future from the research perspective.
A high level look at IoT security and a business panel exploring the adoption of security.
Briefings and talks that address aspects of IoT security impacting industry.
A case study of a company that deployed a consumer product rapidly and then had to fix errors and manage the business impact. The session will also include a panel session to highlight how to go about product security – and how not to.
The virtues of a collaborative approach to security are explored and the session will conclude with an expert panel discussing how to leverage security for business benefit.
For more and to register, go to www.iotsecurityfoundation.org