Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > Networks

Addressing security risks in the IoT age

Posted: 08 Oct 2015 ?? ?Print Version ?Bookmark and Share

Keywords:Internet of Things? IoT? cyber-physical systems? industrial control systems? assisted driving?

By applying a secure engineering methodology to the design, development, delivery, operations, management, and usage of these systems we can protect against identified threats and be prepared to detect, react, and recover from threats which are invented and discovered after the devices are introduced into the working environment. But what does this entail? Here is a brief list to get teams started:
???Establish a secure hardware/software development process which includes code management, automated build and automated testing, and streamlined packaging and software delivery mechanisms. Include source code analysis to identify vulnerabilities as well as security-related testing to identify runtime vulnerabilities. Software delivery also applies to device firmware/software updates as well. As more and more software is running in a wide range of distributed IoT devices, the need to update that software in a secure, timely, and cost-effective way also increases in importance. A secure, verifiable, and audited software/firmware update is part of a secure development and deployment process.
???Utilise authentication and authorisation (access control checking) for devices, users, and applications which will interact with one another as part of the Internet of Things solution. Mobile security factors into this since many of the user interfaces for these IoT-related applications will be surfaced via mobile devices.
???Insert auditing/logging of both successful and unsuccessful requests for processing and utilise monitoring and alerting technology distributed across the set of computing systems. This implies that there should be some level of audit logging and monitoring in-vehicle, in-network, and in-mobile devices. Also necessary is detection of denial-of-service and distributed denial-of-service attacks against devices and the systems which support these devices.
???Secure all communications channels such that sensitive information is protected from observation, change, or corruption. Validate input and output parameters to ensure that inadvertent command invocation or escalation of privilege is not possible. Mobile security also applies to communications security since in some solutions mobile devices act as gateway systems to enable communications between connected devices and applications running remote from the devices.

???Design and implement defence-in-depth into the IoT solution. In some cases, this will require the insertion of gateway computing elements to serve as a layer of defence as well as a point at which isolation can be enabled to ensure safe operation in a disconnected, degraded, but still fail-safe mode. In other cases, this suggests inserting a layer of indirection or separation to allow for command and data checking, filtering, and logging.
???Be attentive to availability and safety. Above all else, the system must be engineered to do no harm as a result of its connected-ness and the control which may be possible to be exerted on the device by virtue of that connection. Fail-safe operation, dropping down in capability but being sure to bring the system to a safe steady-state, must be built into the connected device.

We are entering an amazing era of Internet of Things computing where cyber-physical systems are able to provide a more streamlined, comfortable, and even safer environment to work, play, and live. With this increased set of capabilities will come some risks and vulnerabilities to be addressed. By implementing IoT solutions using methods and technologies that we learned through years of experience, and having a strong means of responding to incidents and delivering updates, we can welcome this era with open arms and much excitement.

About the authors
Chris Poulin is research strategist in IBM's X-Force R&D team. He is responsible for analysing security trends and emerging threats with focus on security for the Internet of Things.

Tim Hahnis an IBM Distinguished Engineer with IBM. As the Chief Architect for Internet of Things Security within the IBM Analytics organisation, he is responsible for strategy, architecture, and design for IBM's Internet of Things offerings. Tim also has experience with both connected vehicles and connected products.

?First Page?Previous Page 1???2

Article Comments - Addressing security risks in the IoT...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top