Are you aware of the federal initiative recently announced to improve the nation’s cybersecurity? This includes a specific focus on IoT devices and educating the public on their security capabilities. Brands that thrive in this sector will be those who keep up to date with the latest IoT device standards and best practices and ensure they are always meeting or surpassing them. So what should you be focusing on when designing your products?
What’s your base distribution?
It’s tempting to build your own custom Linux distribution for maximum flexibility and optimization of your product, but you have to be certain you have the in-house resources to maintain its security for the life of the device. As soon as you start customizing, it’s on you to track vulnerability reports for every component you ship, and to rebuild, test, and redeploy the fixed versions. Even large corporations such as Google, Apple, Amazon, Samsung, and LG have run into trouble with this at times. That’s why it’s best to stick to a well-supported, secure base, such as Ubuntu Core, Debian, a Yocto Project build, or Automotive Grade Linux, where a security team is already publishing fixes you can consume.
Analyze your code
Even the best code will benefit from analysis tools to toughen up the security. Depending on your base distribution, you may have some tools built in, or you can follow published hardening guidelines. Automated auditing tools such as Lynis by CISOfy and the DevSec hardening baselines check the configuration of the running system (file permissions, exposed services, kernel parameters) rather than your source code, and Metasploit lets you test the finished device against known exploits before an attacker does.
Trivial bugs in your own code, such as buffer overruns, uninitialised memory, and missing null checks, can have severe ramifications for the end user and are incredibly time-consuming to find and eliminate by hand. Instead, use a free static analyzer such as Cppcheck for C and C++ code, and run it on every build so regressions are caught when they are introduced rather than after the device has shipped.
Keep your updates up-to-date
A device may be completely secure when it first ships, but as new bugs and vulnerabilities are constantly being discovered it won’t stay that way for long. If you use a well-supported base distribution you can be sure it will get regular security updates, but you need to ensure they get to your devices too. A key part of your development process should be deciding how remote security updates are delivered and installed: updates should be cryptographically signed and verified on the device before installation, delivered over an authenticated channel such as TLS so that sensitive data is not exposed in transit, protected against rollback to an older vulnerable version, and tested (including penetration testing of the updated image) before they are released to the fleet.
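The verification step described above, as an added example that is not code from the original article or from any of the distributions it names. It is written in Go and assumes an Ed25519 vendor key provisioned on the device at manufacture, a small signed manifest carrying the image version and SHA-256 hash, and constructed firmware bytes; the names `Manifest`, `SignedUpdate`, `Device`, `BuildUpdate` and the error values are all hypothetical. The device checks the signature first (so nothing else in the update is trusted until then), then refuses any version that is not newer than the one installed, then checks that the image matches the signed hash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small, signed description of one firmware image (hypothetical format).
type Manifest struct {
	Version   uint32   // must increase on every release (anti-rollback)
	ImageHash [32]byte // SHA-256 of the image payload
}

// Encode serialises the manifest deterministically so that the vendor signs
// and the device verifies exactly the same bytes.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignedUpdate is what travels over the transport channel. TLS protects it
// in transit; the signature is what lets the device trust its contents.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device holds the vendor's public key (provisioned at manufacture) and the
// version it currently runs.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrRollback     = errors.New("update version is not newer than installed")
	ErrImageHash    = errors.New("image hash does not match signed manifest")
)

// Verify checks the update in the only safe order: signature first, so an
// attacker cannot influence the later checks; then rollback; then image hash.
func (d *Device) Verify(u SignedUpdate) error {
	if len(d.VendorPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(d.VendorPub, u.Manifest.Encode(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrImageHash
	}
	return nil
}

// Install applies the update only when Verify passes, then records the new
// version so that older (possibly vulnerable) images are refused from now on.
func (d *Device) Install(u SignedUpdate) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// NewVendorKeys generates the vendor's signing key pair. In production the
// private key lives in an HSM or offline signer, never on the device.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the vendor side: hash the image and sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Encode()), Image: image}
}

func main() {
	pub, priv := NewVendorKeys()
	dev := &Device{VendorPub: pub, InstalledVersion: 3}

	good := BuildUpdate(priv, 4, []byte("constructed firmware image v4"))
	fmt.Println("genuine v4:", dev.Install(good), "now at version", dev.InstalledVersion)

	old := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("rollback to v2:", dev.Verify(old))

	tampered := BuildUpdate(priv, 5, []byte("constructed firmware image v5"))
	tampered.Image = append(tampered.Image, []byte(" plus backdoor")...)
	fmt.Println("tampered image:", dev.Verify(tampered))
}
```

Note that the version check only works because the version is inside the signed manifest: an attacker who can replay an old, genuinely signed update cannot raise its version number without invalidating the signature, and the device's own record of the installed version should itself live in storage the update process cannot roll back.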
Endpoint Detection and Response (EDR)
No matter how well designed your devices are, to be fully confident of their security you need proactive monitoring that tells you when a device is being probed, is behaving abnormally, or has already been compromised through a vulnerability you did not know about. EDR collects, records, and stores large volumes of data from endpoint activities to provide security professionals with the visibility they need to detect, investigate, and mitigate advanced cyber threats.
An effective EDR solution involves installing an agent on each endpoint device to record activity such as process execution, file changes, and network connections, which a central system then compares against what the device is expected to do in order to highlight suspicious behavior. If you’re going to incorporate EDR (which you really should!) then you’ll need to factor this into the design process: the device needs the CPU, memory, and storage headroom to run an agent, a network path to the collector, and a well-defined baseline of normal behavior for the collector to compare against.
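The collector-side logic described above, as an added example that is not code from the original article or from any EDR product. It is written in Go and assumes a hypothetical event format shipped by the on-device agent (`Event`), a per-image baseline of the binaries, hosts, and read-only directories the shipped firmware is known to use (`Baseline`), and a batch of constructed events from two devices. Each event is checked against the baseline, and a correlation rule then flags any device that has both run an unknown binary and contacted an unknown host, the usual footprint of a dropped implant.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Event is one record an on-device agent ships to the collector (hypothetical format).
type Event struct {
	Device string
	Time   string
	Kind   string // "exec", "connect" or "write"
	Arg    string // binary path, host:port, or file path
}

// Baseline is what the collector knows about the shipped image.
type Baseline struct {
	AllowedExec   map[string]bool // binaries present in the firmware image
	AllowedHosts  map[string]bool // hosts the device legitimately talks to
	ProtectedDirs []string        // directories that are read-only at runtime
}

// Alert is the collector's output for a security analyst.
type Alert struct {
	Device string
	Rule   string
	Detail string
}

// Evaluate runs the per-event rules in order, then a per-device correlation rule.
func Evaluate(b Baseline, events []Event) []Alert {
	var alerts []Alert
	seen := map[string]map[string]bool{} // device -> rule -> fired

	fire := func(e Event, rule, detail string) {
		alerts = append(alerts, Alert{Device: e.Device, Rule: rule, Detail: detail})
		if seen[e.Device] == nil {
			seen[e.Device] = map[string]bool{}
		}
		seen[e.Device][rule] = true
	}

	for _, e := range events {
		switch e.Kind {
		case "exec":
			if !b.AllowedExec[e.Arg] {
				fire(e, "unexpected-exec", e.Arg+" is not part of the shipped image")
			}
		case "connect":
			host, _, err := net.SplitHostPort(e.Arg)
			if err != nil || !b.AllowedHosts[host] {
				fire(e, "unexpected-connect", "outbound connection to "+e.Arg)
			}
		case "write":
			for _, dir := range b.ProtectedDirs {
				if strings.HasPrefix(e.Arg, dir) {
					fire(e, "protected-write", e.Arg+" modified at runtime")
					break
				}
			}
		}
	}

	// Correlation: unknown binary plus unknown host on the same device.
	var devices []string
	for d := range seen {
		devices = append(devices, d)
	}
	sort.Strings(devices) // deterministic output order
	for _, d := range devices {
		if seen[d]["unexpected-exec"] && seen[d]["unexpected-connect"] {
			alerts = append(alerts, Alert{Device: d, Rule: "possible-implant",
				Detail: "unknown binary executed and unknown host contacted"})
		}
	}
	return alerts
}

// SampleBaseline and SampleEvents are constructed data for this example.
func SampleBaseline() Baseline {
	return Baseline{
		AllowedExec:   map[string]bool{"/usr/bin/camd": true, "/usr/bin/updater": true},
		AllowedHosts:  map[string]bool{"updates.example.com": true, "telemetry.example.com": true},
		ProtectedDirs: []string{"/etc/", "/usr/"},
	}
}

func SampleEvents() []Event {
	return []Event{
		{"cam-0042", "10:00:01", "exec", "/usr/bin/camd"},
		{"cam-0042", "10:00:02", "connect", "updates.example.com:443"},
		{"cam-0042", "10:05:10", "exec", "/tmp/.x/busybox"},
		{"cam-0042", "10:05:11", "connect", "203.0.113.7:4444"},
		{"cam-0042", "10:05:12", "write", "/etc/init.d/S99x"},
		{"cam-0043", "10:06:00", "exec", "/usr/bin/camd"},
		{"cam-0043", "10:06:01", "connect", "203.0.113.7:443"},
	}
}

func main() {
	for _, a := range Evaluate(SampleBaseline(), SampleEvents()) {
		fmt.Printf("%s %-18s %s\n", a.Device, a.Rule, a.Detail)
	}
}
```

The point for the design stage is that none of these rules can fire unless the device ships with a known, fixed set of binaries and a documented list of the hosts it talks to; a device built on a read-only image with an explicit network allowlist is both harder to compromise and far easier to monitor.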
Let consumers understand their risk
Of course, increased security comes at a cost. And different sectors and consumers will have their own expectations. That’s why the US government is pushing for labeling standards on all IoT devices to make security easy to understand for purchasers.
Full security information is very detailed, so it’s best to break it down to make it easier to digest.
A primary label should be clearly displayed on the box the IoT device comes in. This should indicate its access control scheme, how long it will receive signed security updates, the type of data that is collected, the type of cybersecurity protection the device contains, and whether the device stores data, and if that data is sold.
The label should also include a link to a webpage with more detailed information. This should include an explanation of the cybersecurity protection, the monitoring services and the user protection embedded in the device.
As IoT security and labeling standards evolve, they will likely lead to a tiered categorization system whereby consumers can see at a glance the level of security a device offers. We would expect government and large corporate buyers to purchase only devices in the top tier, which would include proactive EDR with 24/7 security monitoring. So if you want your products to be even considered by purchasers in this large sector, you’ll have to make sure they meet the very highest security standards.