Getting to Know You: Understanding IoT Security from a Device Perspective

Posted by on June 7, 2017 at 5:00 AM Carmi Brandis  
Share This Post   

Machines becoming sentient and wreaking havoc on humanity has been a common theme in science fiction. While IoT-enabled devices are hardly capable of the Skynet future predicted in the Terminator movies, they do require a different, more out-of-box approach when it comes to security best practices. 

Here’s why. For starters, smart devices aren’t really that smart. Yes, they are vastly superior to their analog counterparts but, like a good soldier, they only do what they are told to do. They simply can’t implement security best practices ‘on their own’ as with the cloud, internet, and other network technologies—software updates only go so far with physical devices. Likewise, IoT-enabled devices simply haven’t been around that long and are changing constantly, making breaches easier. That makes implementing comprehensive security protocols more reactive than proactive, not a good place to be with so much at stake.

iot-security 1-1.jpg

Then there is the nature of the device. Take Tesla, for example. If a Tesla Model S has problems they generally are resolved via an over-the-air software update. If the problem is mechanical, the car goes in for service. That’s not possible with the majority of IoT-enabled devices. Most are part of a fixed infrastructure system, with many embedded. That presents significantly more issues than a Tesla.  

What if the devices are embedded in a building and the building is sold? What if a device can only be fixed or replaced via a human? Changing devices through human touch can be incredibly expensive and time consuming. 

The Solution? Plan, Plan, Plan!

A recent survey of IoT companies showed 72% believed their solutions are not secure, and with good reason. Most companies don’t realize how (and why) they are vulnerable until after a breach or they read about a breach at a company with similar operations.

Security-2-1.png

There is hope, however. While IoT security always will be an ongoing war, proper planning is the key to winning each and every battle. The following are a few tips to keep in mind when mapping out your security strategy:  

  • Determine the cost / benefit of your security investment versus the cost of a worst-case scenario. For example, a medical device implementation would need a real-time response and, therefore, more security, while a weather sensor much less so.
  • Spend resources on threat intelligence, as well as threat detection.

This means making your smart devices smart, from the inside-out. Incorporate response mechanisms for isolated hack scenarios so your devices can determine if a seemingly innocuous command is authentic or not. 

  • Develop mandatory checks and balances, including two-factor/multi-factor authentication and multiple communication pathways. Out-of-band authentication, which validates a command is from a true source, prevents your devices from becoming the unwitting hosts to hackers.
  • When searching for hacking patterns, employ machine AI detection techniques (robots vs. robots) in addition to traditional methodologies. Machine behavior patterns can be radically different than human ones, making them easily overlooked until a breach occurs.

Understanding device ‘psychology’ can go a long way to ensuring the safety of your operation, even as technology changes and evolves.

 

For more information on how to make your IoT Implementation secure, please visit Aeris.

Topics: IoT security, smart devices, IoT devices