Stop Talking About IoT Security And Do Something About It

Steps that manufacturers can take today to make their wirelessly-connected products more secure.

Apr 6, 2018

It’s no secret that Internet of Things (IoT) networks have a security problem.

For the past two years there have been a regular stream of headlines about large-scale attacks carried out by infiltrating wireless IoT devices as a back door into corporate networks. One of the best known is the 2016 Mirai attack, which turned IoT devices into a veritable zombie army that crippled operations for companies like Netflix and Twitter. And those are just the ones that make the headlines. Security experts believe that there have actually been hundreds of less-reported/unreported IoT security attacks during this time. IoT networks have quickly become a favorite target for hackers. The headlines typically focus on the impact on household name consumer-focused companies, but the threat to industrial and manufacturing companies is just as significant, particularly given the critical role that wireless connectivity plays in the industry today, as well as in the future.

Smart, wirelessly-connected devices are everywhere in the industrial world, and they are playing a bigger role every day — in the form of everything from small wireless sensors that are being deployed in manufacturing environments by the millions, to large manufacturing equipment that plays a vital role in industrial operation… and everything in between. The impact of IoT on the industry is real and growing, but so are the concerns about the security of all those connected devices. There is no shortage of experts diagnosing these security vulnerabilities. If you do a Google or Bing news search about IoT security, get ready for several million results. However, those results will all have one thing in common: A lot of talk about how big the problem is, but little if any practical advice on what to do about it.

The goal of this article is to give you a series of practical steps engineers can take immediately to put their IoT projects on a more secure footing. It’s not a panacea and is not intended to replace what security geniuses will eventually come up with to fully secure IoT. But taking these steps will help protect your company and your customers until security catches up with the momentum of IoT deployments. Taking these steps will also help your organization get a head start on compliance with new regulations that can be relevant to IoT security, including the EU’s General Data Protection Regulation (GDPR) which raises the financial stakes for companies that do business in the EU, including U.S.-based industrial companies that have global customer bases.

 So what are some of those key steps you and your engineering colleagues can begin taking?:

  • Security Conversations Need to Start Earlier—and Look at the Cloud – The single most important thing engineers should be doing is making security a focus much earlier in the product development process. Too often, security is discussed only once product development is closer to the finish line than the starting line. Security cannot be an afterthought in an era when vulnerabilities in IoT devices have a bullseye on them. Security and threat modelling should be part of the very first conversations about a new product in an engineering team’s pipeline of projects. Just as importantly, that threat modelling process should address not just the product itself but the connected environment it lives in. That includes other elements of the wireless network and — crucially — the cloud that supports it.
  • Don’t Forget to Think about Scaling the Product – The security strategy for a product shouldn’t just think about that device and related elements like the cloud. It should also factor in how the company will ensure security when large-scale implementations are done with thousands or even millions of these products. For example, delivering firmware to a single device securely is one thing. But what about securely delivering firmware updates to tens of thousands of devices that are geographically dispersed. Many of the most common ways of delivering firmware today and having products accept and install that firmware are inherently insecure. Security needs to happen at scale, then the product you are designing isn’t truly complete.
  • Keep Using Third-Party Libraries — But Do It More Securely – One of the ways that product engineers accelerate product development and reduce development costs is to utilize third-party software libraries. That approach can make development far more efficient, but it comes with security risks if insecure components make their way into the field once products are deployed. A very common scenario is that a component may be considered secure when an engineer first integrates it, but its vulnerabilities become known at a later date without the organization having a way of tracking and fixing it. The way to solve this isn’t to stop using third-party libraries. I recommend making automated Common Vulnerabilities and Exposures (CVE) testing a standard element of how software is built, rebuilt and deployed over time. This will identify components that are vulnerable before a product is completed. But even more importantly, it will identify and remedy component vulnerabilities in products that are out in the field in use by customers.
  • Start Testing Like a Security Pro…and Make It Automated – When a product is approaching the finish line, there is often tremendous pressure on engineers to “get it done and get it out the door” so that companies can get it to market before competitors do. That pressure is understandable, but too often it skips critical security-related steps that should be taken throughout all stages of product development. To make your wirelessly-enabled products more secure, it is imperative that the engineering team build in security testing phases that utilize proven techniques such as penetration testing (aka pen testing) and fuzz testing (fuzzing). Both white box testing and black box testing will uncover vulnerabilities that will save your company the expense and headaches of resolving security issues later once thousands or millions of these products are in the field. In the past, this kind of testing was time-consuming, but it can be done with a tremendous amount of automation today by outside vendors or engineering teams themselves — allowing your team to do 20x as much security testing than in the past in a very short period of time.

IoT will eventually be as secure as other corporate computing systems, but until then you and your team can take important steps to making sure your company’s IoT strategy puts a spotlight on security and ensure that your team is delivering wirelessly-connected industrial products that put up a good fight against the onslaught of threats facing IoT.

Chris Cole is the Vice President of Technology for Laird’s Connectivity Solutions business unit.

Read Next
Cybersecurity
Cybersecurity
ZAG Technical Services Announces New Cybersecurity Offering
April 5, 2024
Latest in Cybersecurity
Intuitive and Flexible Manufacturing ERP
Sponsored
Intuitive and Flexible Manufacturing ERP
April 17, 2024
Ep90
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Transportation and Logistics Under Siege
April 24, 2024
Industrial Cyber
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
April 24, 2024
Related Stories
Cybersecurity
Cybersecurity
ZAG Technical Services Announces New Cybersecurity Offering
I Stock 1251037786
Cybersecurity
What is Volt Typhoon?
This photo provided by the Municipal Water Authority of Aliquippa shows the screen of a Unitronics device that was hacked in Aliquippa, Pa., on Saturday, Nov. 25, 2023. The hacked device was in a pumping booster station owned by the Municipal Water Authority of Aliquippa. An electronic calling card left by the hackers suggests they picked their target because it uses components made by an Israeli company.
Cybersecurity
Congressmen Ask DOJ to Investigate Water Utility Hack
Manufacturing Business Management
Sponsor Content
Manufacturing Business Management
More in Cybersecurity
All-In-One Manufacturing Management
Sponsored
All-In-One Manufacturing Management
Acumatica looks to offer new solutions.
April 17, 2024
Ep90
Video
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Fleet Of Fed Ex Delivery Trucks In A Parking Lot 483290419 4500x3000 (1)
Cybersecurity
Transportation and Logistics Under Siege
A look at how this vital and increasingly targeted market sector is responding to more cyberattacks.
April 24, 2024
Industrial Cyber
Cybersecurity
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
Manufacturing Infrastructure Cyber
Cybersecurity
Avoiding Shutdowns from Ransomware Attacks
A strategic approach for protecting OT networks.
April 24, 2024
IEC 62443 is a key standard to reduce risk of cyberattacks in industrial workplaces.
Cybersecurity
How to Build a More Secure Connected World with IEC 62443
The goal is better efficiency, improved sustainability and interoperability, enhanced reliability and greater cost-effectiveness for system integrators, product suppliers and other stakeholders.
April 24, 2024
Coding
Cybersecurity
CISA Releases 7 ICS Advisories
Unitronics, Rockwell and Mitsubishi head the list.
April 19, 2024
Financial Cyber
Cybersecurity
Alarming Trends Reinforced in Ransomware Attack of Semiconductor Mfr.
Experts assess the fallout from the Dark Angel attack on Nexperia.
April 19, 2024
Industrial Cyber
Cybersecurity
Hexagon, Dragos Announce Partnership
The team-up looks to "revolutionize OT cybersecurity."
April 18, 2024
Ransomware
Cybersecurity
Report Shows Updated Ransomware Concerns
Hackers are elevating the complexity of their attacks - making them harder to detect.
April 18, 2024
Cybersecurity In A Bubble
Cybersecurity
Responding to Emerging Risks and Attack Vectors
Insight on key hacker strategies, response plans and creating a culture that embraces cybersecurity.
April 18, 2024
Ep89
Video
Security Breach: Weaponizing Secure-By-Design
How a greater focus on new and legacy OT connections could alter the cybersecurity battlefield.
April 18, 2024
Siemens Image 1
Cybersecurity
An Automatic Cyber Response Solution
The platform works to isolate and quarantine the infected production equipment during an attack.
April 11, 2024
Financial Cyber
Cybersecurity
1 in 5 S&P 500 Companies Reported Breaches Last Year
Ransomware demands and supply chain targeting continues to escalate.
April 11, 2024
Soc
Cybersecurity
How Oversight Impacts Enterprise Level Cybersecurity
A new report examines the benefits being realized by higher-level cyber scrutiny.
April 11, 2024