With the recent release of the US Federal Trade Commission’s report on IoT device security, now is the time to start evaluating the security of devices themselves, says Don Schleede, information security officer at Digi International. This obviously includes how they are manufactured.
Security has often been an afterthought in the manufacturing process with little consideration given to how sensitive customer and user data could be accessed and what malicious actions could be taken by an IoT system if it came under the control of the wrong people. Manufacturers can take a much stronger role in protecting data and devices – and the following is a checklist of concepts that should be considered by manufacturers and included in all designs for IoT and M2M devices and processes.
- Training and Tools: Invest in targeted training to ensure your engineers and testers understand security coding techniques and can properly and fully assess the risks of their designs. Utilise programms such as Open Web Application Security Project (OWASP) and look for security certifications and training from organisations like ISC2, GIAC and EC-Council. It is also crucial to invest in tools and software that can measure vulnerabilities, scan code for unsecure usage, and examine the devices’ functions.
- Default Configurations: When your product ships, ensure that the base threshold of configuration to get the device to work is standard and part of a secure installation process for the customer. For instance, there should be no default passwords, secure protocols (e.g. https) should be in effect, and administrative interfaces should be disabled in places that may expose features to the internet. Let the customer override those features later if desired.
- Encryption: Ensure that all ingress and egress data and control connections are done using a secure standard such as SSL/TLS. USA Federal NIST standards (such as FIPS- 140-2) are also a good place to start and cover the use of encryption such as AES128 or AES256. Understand, particularly in the IoT space, when symmetric and asymmetric encryption are needed and are critical.
- Hashing: Use a one-way non-decryptable technique for storing passwords. Make sure all hashes use a random salt value that will protect against many common attacks. The misuse of hashing is critical in design and has led to many breaches in the past. Recommended hashing algorithms include SHA-2 and PBKDF2.
- Identification: Ensure all actions performed by a device have some form of identification. This could range from a user logging into a device with the proper role-based access controls (RBAC) to data transmissions from the device. Keep in mind that a device needs authentication as well – and be sure the device authenticates with the collection or control application. One suggested methodology is private key infrastructure (PKI) certificates to identify and authenticate devices.
- Firmware updating: Create a process for the device to automatically update itself while in service or make it easy for the customer to update the device. Most IoT devices have long lifespans – some up to 15 years. However, the secure lifetime of a device in reality is around six months or less. Because a secure device shipped today will no longer be a secure device in six months, manufacturers must create new software versions that can be easily massdeployed.
If you build these functional requirements into your next IoT device, you will be in a much better position to address security concerns with future products and services – and your customer and user data will be far better protected.
