The IoT Needs Security by Design

October 3, 2017

Enlighted Cofounder and CTO Tanuj Mohan recently penned a thought piece on IoT security for Forbes Magazine. His piece, titled “IoT Security: Let’s Not Forget the Thing,” describes the case for proactively designing security into the architecture of the Internet of Things.

Mohan, a network security expert, tells us that if IoT devices are to remain safe from a range of new types of attack, security must be “built-in” to an IoT device from the beginning, rather than being “bolted on” to a product after it has been built:

“With built-in components, security is an integral part of the device, whereas bolt-on components add these security features post hoc. Since the IoT affects the physical world through a device’s human interface, an attack on an internet-connected IoT device with less stable bolt-on security is not only easier, but more dangerous.”

He describes numerous new categories of security risk that did not exist in the original Internet – such as Internet-connected hotel door locks that can lock occupants in their room if hacked. Products and systems like this, if they contain weak or bolt-on security, create physical risks to public safety and big headaches for companies.

He says that traditional security architectures don’t go far enough to protect IoT-connected devices from these new kinds of attack:

“In the IoT, an attack is not just a metaphor — it’s an actual assault in the physical world. These can also be physically initiated without the attacker even being online or knowing much more than how to install a legal and readily available packet-sniffing app.”

IT research firm Gartner concurs, and has warned companies to be proactive about IoT security design. They call this practice “Security by Design.”

According to Gartner: “Security teams are realizing the need to work closely with business units within the organization to ensure that security is no longer post implementation – security-by-design is the mantra.”

ISO-like security standards for the IoT are likely still several years away. And with IoT-related hacks increasing on a range of devices from hotel rooms to cars to buildings, the IoT is still only as secure as any individual company’s security design process.

Mohan says the investment in built-in IoT security is worth it:

“Rather than stifling expansion, the built-in model of IoT security suggests that physical security provides the foundation for higher levels of networked protection. With this foundation in place, safer and broader interactions are possible with internet-connected things.”

Read Enlighted CTO Tanuj Mohan’s full article at Forbes.