How to make IoT products and solutions secure

In the emerging vision of a hyper-connected world, there is interactive intelligence all around us. Physical products and infrastructure are no longer mere objects. They are sensible things that can in many cases understand – and even anticipate – our human intentions and adjust accordingly.

Cyber-physical systems will become commonplace

Just a few years ago, pervasive computing was looked upon by many people as a futuristic notion. Manufacturing systems that detect, self-diagnose, and report imminent failures; irrigation systems that adjust watering dynamically based on soil conditions; and institutional coffee makers that automatically schedule service and resupply – all of these were, until very recently, newsworthy innovations with the ring of science fiction. Today, they are relatively mature examples of connected products – backed by successful business models. This is why companies all around the world are starting to prepare for a future in which cyber-physical systems are commonplace.

“Our strategic target is for all our electronic product categories to be IoT-enabled by 2020.”

Volkmar Denner, chairman of the board of management of Robert Bosch GmbH

IoT will not succeed without security and privacy

The IoT doesn’t just connect things; it also empowers them to be an active part in our business and private lives. People need to have confidence in the security of a connected product or solution before sharing their private data and relying on the products. Therefore, I believe that the correct handling of security and privacy is the key to unlocking the full potential of the Internet of Things. Recent examples of IoT-related security breaches support this view. They show us that the immense promise of “connected everything” is counterbalanced by the equally big challenge of securing billions of devices that are not always designed or set up to function securely when connected to the internet.

Symantec official blog: “IoT devices being increasingly used for DDoS attacks”

http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks

These examples further highlight the importance of trust as the key enabler for society to accept the innovations that arise out of the IoT. Without trust in the security, reliability, and safety of cyber-physical systems, broad adoption of connected products will not be achieved. Moreover, the tremendous market opportunities associated with the IoT will not materialize as expected.

IoT security must be considered as a whole

To provide secure IoT solutions and products, we need a holistic IoT security approach, one that takes into account the whole lifecycle of solutions and products and covers processes and organizational requirements as well as applied technologies.

An IoT solution or IoT product in general is presented as a system made up of one or multiple instances of the following elements:

For a holistic IoT security approach, it is important to consider and protect all components as well as all communication paths leading to or from them. This includes the IoT device, the user’s optional mobile device for controlling the IoT device, and also the enabling technologies of the optional IoT gateway and IoT cloud.

“Unlike traditional computing devices, which have an expected lifetime of three to five years, an IoT device may be in use for decades.”

Lorie Wigle in www.darkreading.com

Securing an IoT solution is a challenging task, made more challenging by the very long lifetimes IoT devices can have in connected operations. To manage this challenge, oversight and procedures must be put into place. They need to ensure that when new vulnerabilities and threats are discovered, the foundational means and mechanisms for addressing them are already in place. This needs to happen in the end-to-end IoT solution, so that the expected security posture can be maintained. This principle requires IoT solutions to have a defined security lifecycle along with appropriate privacy governance.

Together, these elements help ensure the ability to respond to new threats. They also make sure that changes performed over the lifetime of the solution’s operation are done appropriately, safely, reliably, and securely. Of course, this needs to happen while maintaining continuous compliance with applicable data protection principles and regulations.

This video demonstrates why it is important to start thinking about security right when you define your IoT solution:

In a recently published white paper entitled “Holistic IoT security”, Bosch offers guidance based on our experience in delivering solutions and supporting infrastructure for connected products. We are sharing these insights because we believe that technology vendors need to work together to establish a high standard for security and privacy in the Internet of Things. This is in the best interests of our customers, the robust development of the IoT market, and digital society as a whole. In fact, it’s the only way to build the trust needed for broad adoption and to unleash the benefits of these exciting new technologies for society.

 


About the author

Jan Holle


Jan Holle studied Applied Computer Science with a minor in Electrical Engineering at the University of Siegen. During his studies he concentrated on the security aspects of software and communication systems. In 2009 he received his diploma at the University of Siegen with a thesis on "Performance Analysis of CAN Bus Gateways and Design of a Security Concept for CAN Bus". Afterwards he worked as a Scientific Assistant at the Chair for Data Communications Systems of the University of Siegen. Since August 2013 Jan Holle has been working at ESCRYPT, first as a Security Engineer focusing on IoT security and secure future EE-Architectures, and since mid-2016 also as product manager for in-vehicle network security solutions, in particular firewalls and IDS. Jan Holle is a guest author for the Bosch ConnectedWorld Blog.