Co-authored by Saran Govindarajan
The era of Smart Connect Products is turning every company into a software company. The ability to connect, manage, and monitor assets across the globe comes with the responsibility to collect and store data securely and prevent malicious actors from gaining control.
The primary theme that ties together our series on cybersecurity is that There is No Silver Bullet for cybersecurity. Any novel cybersecurity solution is going to spur innovation on the part of third-party hackers. So, it is important to see cybersecurity as an organizational process for continuous improvement rather than a solution implemented by the IT department at a single point in time.
There are 3 major takeaways from our series that need to be part of any company’s ongoing cybersecurity process:
1. Build defense in depth
A layered approach to security is required to minimize the attack surface. With all the different ways hackers can access sensitive systems, multiple types of solutions need to be included at the user and administrative levels. Solutions also need to be compatible with the infrastructure available at different work sites as well as remote work.
As part of defense in depth, do not overlook the importance of physical security in cybersecurity. It is common for hackers to use vulnerabilities in the physical world to gain access to secure digital spaces.
2. Consider cybersecurity from the beginning of any new IoT initiative
Security concerns need to be considered from the beginning of the development process. Incorporating cybersecurity into the Design, Develop & Test, and Maintenance phases of application development will make product lifecycle management much easier. The key questions to consider at each stage are:
Design
- How sensitive is the information shared within the application?
- Are there any government regulations that you need to consider?
Develop & Test
- Are your 3rd-party libraries for secure coding practices, known vulnerabilities, and code scanning up to date?
- How much investment in security testing is warranted given the level of sensitivity of data in the application?
Maintenance
- Are you keeping up to date with compliance audit standards like ISO 27001 and SOC 2?
- Is the environment running the application up to date with the latest patches?
3. Different generations of technology will require different approaches
Be aware of the security capabilities of the devices you use. Over time you will end up with a mixture of old and new, so understanding if and how your devices can be updated is absolutely key. Ultimately, your ability to manage the vulnerability of your devices, and therefore of the IoT solution, depends on being able to update the device software and/or firmware remotely. The remote aspect of the update is where IoT really shines and can transform your ability to provide a secure and scalable solution.
Irrespective of whether you use a web interface or deploy your own microservices, you need to ensure that the APIs are used appropriately and that you do not “get clever” and try to bend the API to your specific needs. While this might give you short-term benefits, it may have unintended results.
No matter what approach you take or what vendors you work with, at the end of the day maintaining cybersecurity is your responsibility.