Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

10:30 AM
Pritesh Parekh
Pritesh Parekh
Connect Directly
E-Mail vvv

IoT Security Checklist: Get Ahead Of The Curve

The security industry needs to take a Consumer Reports approach to Internet of Things product safety, including rigorous development practices and both physical and digital testing.

In just two to three years, the Internet of Things will be a major avenue for hackers for the simple reason that everything is going to be connected. What systems and processes do security professionals need to put in place to defend against IoT product risk in the not-too-distant future? Here is a checklist of 9 IoT security strategies that belong in every stage of the product development life cycle

#1. Begin at the beginning to reduce attack points

Every phase of the development process must take digital security into consideration. Security should be a part of product requirements and design consideration, and be embedded at every stage of the development life cycle. The Quality Assurance cycle must account for security in addition to functionality. An important component of this is fail-safe systems. When something fails - and things will fail - it should be built to fail safe and secure so that the failure can be contained and doesn’t lead to a greater systemic failure.

#2. Authentication & authorization

Your car, your garage door opener, your medical device - all of these things have to communicate with other devices and, potentially, a mothership. The IoT will need strong authentication for these communications, using techniques like multi-factor authentication or asymmetric encryption to protect each device by using their own unique key.

You can’t expect a user to enter a password every time they get into their car, so there needs to be another form of security. One of the stronger forms of authentication is certificate-based in which devices have embedded certificates that can authenticate to the mothership. For example, a connected car should have a private certificate that it uses to communicate to the mothership. If a private certificate is compromised, the consumer is issued a new certificate securely. In this way, cars can safely communicate with the mothership to download patches, etc.

Authorization is also important. Strong authorization means role-based access controls that can be enforced to limit exposure: if a specific part of a product is compromised, it can be contained and not escalate into other components.

#3. Encryption

Sensitive personal data that is stored on a device needs to be encrypted at rest. And all communication to and from the device (to another device or to the mothership) must be encrypted in transit using secure protocol. Key management is also an important consideration. If someone has potential access to a device, they shouldn’t be able to extract data. The actual key that protects data needs to be protected.

#4. Privacy

With collected data, there must be transparency into the type of data that is collected, how it is used, and, if feasible, opt-out options. By default, personal data collection should be limited to only that which is necessary. For example, with a connected car, you may need a consumer’s VIN number, but why would you need personal data like their birthday? If you don’t need the info, don’t collect it. Only protect what you need to protect in order to reduce exposure.

#5. Consumer awareness

Some of the responsibility for IoT security falls to the consumer but as professionals, we need to build this consumer awareness. If you look at the credit card market, you see companies sending notifications to consumers with alert warnings and best practices for sharing credit card information. Empowering consumers with this information is a good practice: consumers can assist in an organization’s efforts to prevent fraud.

IoT security professionals also need to take a defensive posture with IoT by thinking about vulnerabilities before breaches occur, especially now, while the advance is still currently low. Communicating directly with consumers about these types of security best practices is an important touch point. For example, if a consumer is driving a connected car, what are the security features he or she needs to know about that car? 

#6. Security testing: digital & physical

Testing is key to IoT security. With IoT devices, this testing has to include digital testing as well as brutal physical product testing. We need to take a Consumer Reports’ approach to ensure that products can hold up to such testing, following best practices such as proactive hunting and continuous security testing. It’s not possible to detect everything during the product life cycle, so continual testing and patching is also a key consideration.

Safety airbags are a good example. When companies test their cars, airbags are always one of the top features tested for safety. There are literally hundreds of tests just to ensure that airbags are turned on at the right time. Security professionals need to invest the same level of rigor to digital testing, so that an unauthorized hacker can’t just remotely turn off your airbag while you’re driving.

#7. Third-party testing

It’s not enough for security professionals to perform internal testing on IoT products. Once products have been built and internally tested, there needs to be an additional check to uncover security flaws by a third party that specializes in IoT security. This will give manufacturers time to address potential issues without impacting consumer security. Likewise, whenever you make any significant changes to your product, you’ll need to recruit third-party testing again.

#8. Internet-enabled security software updates and vulnerability management

Remote patching of IoT devices is a critical requirement. The Chrysler Cherokee flaw resulted in a physical recall of 1.4 million vehicles; a remote patch functionality would have negated the need for a physical recall and contained the risk more quickly. Patching not only leads to lower risk, but also cost savings for the vendor, and an improved customer experience. Vulnerability management is a product discipline that should be embedded as part of the product life cycle.

#9. Security analytics to detect intrusion

The amount of data that is generated by IoT is enormous; we’re talking real big data. The challenge is that traditional intrusion software cannot effectively process so much data. So there needs to be new technology (based on machine learning, data science, security analytics) to help detect intrusion and to detect malicious traffic patterns on IoT devices. Security professionals need to be working on creating technology to support this, to set up trigger alerts when someone is attempting to bypass security.

We’ve seen companies in other sectors fail to perform proper due diligence and invest in security. The result? Massive breaches which lead to loss of consumer confidence, falling stock prices, and major organizational shake-ups. For IoT, the risks are even greater. While we’re still in the early stages, now is the time to build out a proactive and thorough security program to protect against threats that we haven’t yet even begun to imagine.

Related Content


Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Pritesh Parekh is the VP & CSO of Zuora. He has over 15 years of experience in building and managing enterprise security programs, and a decade of leading security for cloud platforms. Prior to joining Zuora, Parekh was leading worldwide Security and Compliance for ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/3/2016 | 5:27:01 PM
Re: Encryption
Agreed. Especially, data at rest encryption is not widely adapted. 
User Rank: Ninja
3/3/2016 | 11:29:01 AM
Encryption needs to be standard at this point. Its one of the stronger security safeguards and it seems that still some IoT devices resist implementation.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...