How best to secure the Internet of Things? It’s a question on the lips of product designers and manufacturers, project and procurement managers in countless different industries and across organisations ranging from start-ups and SMEs through to multinational corporations.
Our answer? The word that should underpin every aspect of designing IoT security is holistic.
This applies both to designing product IoT security, throughout the development and manufacture processes, and designing operational IoT security, in organisations deploying live IoT devices.
This white paper looks at the first area – how to design IoT products with a holistic approach to security. We explain why a holistic approach is important, what it looks like in practice, and how to implement it.
First, let’s consider why security is such a key concern when it comes to the IoT. There are several critical factors at play, and it is vital for product designers and developers to keep their eyes open when evaluating them. Confronting these complex challenges head-on, rather than pretending they don’t exist, is crucial.
It is because these factors are multifaceted – and because a similarly multifaceted set of resources is required to respond to them – that a holistic approach to IoT security is so important. Remaining alert to these factors from the outset can enable organisations designing, developing and deploying IoT products to assign the appropriate resource to IoT security, in terms of time, money and expertise.
First, a holistic approach needs to consider the multiple different threats to IoT product security, so that it can respond to them collectively. There are three broad areas to consider:
Next, a holistic approach needs to consider the IoT product development lifecycle.
Typically, like any product development cycle, this begins with a problem solving phase. The designers and developers might be focusing on a limitation with an existing product, or attempting to resolve a problem for which there is currently no product solution. In the IoT space specifically, the problem in question is likely to relate to capturing a new data set and then, crucially, translating that data into real operational decisions, whether immediate, long-term, or both.
Next, a series of potential solutions need to be tested, before a proof of concept is created for one or more of the proposed products. This phase is all about scaling the proposed product in realistic market conditions, examining how the product will work in a commercial or consumer connected environment, how it will actually be manufactured at scale, and how it will cope in the dynamic, flexible IoT landscape. From there, the most suitable product will typically be selected, and real-life manufacture will begin.
Traditionally, security might only be tacked on at this stage. However, a holistic approach means baking in security at the outset. Any new product that is going to collect, transmit or store digital data not only needs appropriate cyber-security mechanisms and processes ‘baked in’ from the beginning; that security also needs to be continually revisited and adjusted once those products are out in the market, so as to respond to the ever-evolving cyber threat landscape.
In this sense, then, a holistic approach to IoT product development is about moving away from linear development models, and instead thinking in terms of feedback loops.
Once unconnected devices are purchased and put to work, they lose any link with their developers and manufacturers. Information on how they are being used and how they are performing has to be sought second-hand, perhaps through customer feedback.
By contrast, each time a new IoT product is brought to market, it begins generating and collecting valuable data to be used for the next cycle of development.
As such, the savviest product developers in the IoT space should look for ways to incorporate a feedback loop into their processes, learning from how the first iteration of a product is being used and how it is performing under different conditions – and then using that information to drive the next development cycle, shoring up security and plugging vulnerability gaps as they are identified.
Similarly, the connected nature of IoT products means that, like software products and operating systems, they can be patched in response to new intelligence and newly evolving threats. It is vital for product designers and developers to consider this stage in their product life cycles, and to remember that their security responsibilities extend long after a product has been purchased and deployed.
IoT product security is not static. It is live, dynamic and ongoing. Why not read the second white paper in our pair, for more advice on how to incorporate a holistic approach to IoT operations?