Building a secure IoT system: interview with a Vakoms expert
If there were a universal method to secure any IoT system, connecting things to the Internet would be risk-free. However, the truth is that Internet-connected devices are among the most vulnerable and complex types of products.
So how can you make your IoT system more protected? We asked Serhiy, IoT Solution Architect at Vakoms, about specific steps you can take to secure an IoT system.
1. Find weak points in your system
To get a clear picture of all the vulnerabilities in your IoT network, use risk assessments and repeat them regularly. This way, you can see where and what types of weaknesses your system has. Also, if you’re not familiar with threat intelligence yet, it’s vital to have a security expert in place who will advise you on this. The risk model should be as accurate as possible. For instance, it could look like this:
2. Use a strong user authentication method
Depending on the type of your IoT device, biometrics or contextual authentication might fit you best. Discuss with your IoT development company what authentication method will be both user-friendly and secure. This way, users won’t look for a way to bypass it.
Serhiy, IoT Solution Architect at Vakoms:
— A good practice is to use a different password for each IoT device. This won’t make the devices 100% secure, but it will let you avoid password-guessing risks. Thus, even if a hacker breaks into one device, he won’t be able to expose the myriad of others.
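A sketch of per-device credentials as described above, added here as an example and not taken from Vakoms' code. The device IDs, scrypt parameters and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed fleet for the example; real IDs would come from manufacturing.
DEVICE_IDS = ["lamp-0001", "lamp-0002", "oven-0001"]

# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def provision(device_ids):
    """Return (passwords to flash onto devices, verifier records for the server)."""
    passwords, records = {}, {}
    for dev in device_ids:
        pw = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG, unique per device
        salt = secrets.token_bytes(16)   # per-device salt
        digest = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT_PARAMS)
        passwords[dev] = pw
        records[dev] = (salt, digest)    # the server stores no plaintext password
    return passwords, records


def verify(records, device_id, password):
    """Check a login attempt against the record of that one device."""
    record = records.get(device_id)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def devices_accepting(passwords, records, leaked_from):
    """Audit helper: other devices that would accept one device's leaked password."""
    leaked = passwords[leaked_from]
    return [d for d in records if d != leaked_from and verify(records, d, leaked)]


if __name__ == "__main__":
    pws, recs = provision(DEVICE_IDS)
    print("devices sharing lamp-0001's password:",
          devices_accepting(pws, recs, "lamp-0001"))
```

With a shared factory password the audit helper would list the whole fleet; with per-device secrets it returns an empty list.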
3. Define how long the data will be stored on each IoT device and who will access it
Most IoT endpoints don’t have much memory to store data for a long period of time, so avoid doing this for security reasons. Also, the client should have the highest level of control over server access and users’ accounts.
4. Apply OTA updates in a timely manner
Have you heard about smart ovens falsely preheating to 400 degrees in the middle of the night? The consequences could be severe, and all because of a security flaw.
— There is always a reason for a new update. Sometimes, a client needs to add new functionality that conflicts with the old one, or a critical functional bug is found.
Either way, the updating process should be secured. At Vakoms, we always start with just a few devices at our disposal before proceeding to others. This way, even if an error occurs, we can fix it locally before spreading to other devices. We also use the TUF tool that is specifically designed to make the updating mechanism safe.
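The "few devices first" rollout described above, as an added example that is not Vakoms' code. It covers only cohort selection and the decision to continue; the signed-metadata verification that TUF provides is not implemented here. The stage sizes, failure threshold and all names are assumptions.

```python
import hashlib

# Assumed plan: cumulative share of the fleet per stage, in basis points.
STAGES_BP = [100, 1000, 5000, 10000]   # 1 %, 10 %, 50 %, 100 %
MAX_FAILURE_RATE = 0.02                # assumed threshold for halting


def bucket(device_id, release):
    """Map a device to a stable bucket 0..9999 for this release."""
    h = hashlib.sha256(f"{release}:{device_id}".encode()).digest()
    return int.from_bytes(h[:8], "big") % 10000


def cohort(fleet, release, stage):
    """Devices eligible at a stage; every earlier stage is a subset of it."""
    limit = STAGES_BP[stage]
    return [d for d in fleet if bucket(d, release) < limit]


def next_stage(stage, reports):
    """Decide whether to widen the rollout.

    reports maps device_id -> True if the update installed and booted.
    Returns the next stage index, the same index to hold, or None to halt.
    """
    if not reports:
        return stage                       # no results yet: hold
    failures = sum(1 for ok in reports.values() if not ok)
    if failures / len(reports) > MAX_FAILURE_RATE:
        return None                        # fix locally before going wider
    return min(stage + 1, len(STAGES_BP) - 1)


if __name__ == "__main__":
    fleet = [f"dev-{i:04d}" for i in range(1000)]   # constructed fleet
    first = cohort(fleet, "fw-2.1.0", 0)
    print(len(first), "devices in the first stage")
    print("after one failed device:",
          next_stage(0, {d: i != 0 for i, d in enumerate(first)}))
```

Because the bucket depends on the release name, a different set of devices goes first for each release, so the same few units are not the only ones ever exercised early.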
5. Prevent system downtime
— If possible, do not tie your IoT device to any third-party services, as it becomes dependent on them. Therefore, if anything goes wrong with the service, your gadget might fail to function with nothing you can do about it.
For instance, businesses often use the Network Time Protocol (NTP) for time synchronization and scheduling various device actions, etc. However, if the system can work without it or you can build your own similar service, it’s always better to avoid it.
6. Limit network access
— If your system is not intended for remote use, you can limit access to it with a local communication network. For example, for a system of smart home lighting, you can enable the lighting management from your phone only if the two system elements are connected to the same network. This way, you can prevent outside hacker attacks.
However, this also implies some limitations. If a kitchen device needs to be controlled from the car, you cannot do this within a local network.
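One way a lighting hub could enforce the same-network rule described above, added here as an example and not taken from the interview. The LAN prefixes, function names and command string are assumptions.

```python
import ipaddress

# Assumed: the hub's own LAN prefixes (constructed values).
HUB_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("fd12:3456:789a::/64"),
]


def normalize(peer):
    """Parse the socket peer address; return None if it is not a valid IP."""
    try:
        addr = ipaddress.ip_address(peer.split("%", 1)[0])  # drop IPv6 zone id
    except ValueError:
        return None
    # A dual-stack socket reports an IPv4 peer as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_local_peer(peer, networks=HUB_NETWORKS):
    """True only if the peer address falls inside one of the hub's LAN prefixes."""
    addr = normalize(peer)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


def handle_command(peer, headers, command):
    """Decide from the TCP peer address only.

    Request headers such as X-Forwarded-For are set by the client, so they
    are deliberately ignored when deciding whether the caller is local.
    """
    if not is_local_peer(peer):
        return "rejected: not on the local network"
    return f"accepted: {command}"


if __name__ == "__main__":
    print(handle_command("192.168.10.23", {}, "lights_on"))
    print(handle_command("203.0.113.7",
                         {"X-Forwarded-For": "192.168.10.5"}, "lights_on"))
```

This check complements, rather than replaces, router or firewall rules that keep the hub's port unreachable from outside the LAN.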
7. Data encryption
A must-do is to encrypt any data stored on devices or transmitted from them to the cloud. This practice lets you protect any valuable or sensitive data you’re dealing with, such as credit card details or passwords.
8. Testing
Validation and penetration testing, quality assurance and design reviews are critical before the release. Make sure to find highly-skilled quality assurance engineers with deep expertise in IoT systems testing before the project begins.
9. Try to find a reliable one-stop software and hardware development company
If you’re new to IoT security practices, turning to an IoT company is a good idea. Often IoT development companies offer both hardware and software development, but that’s not always the case. When looking for a software vendor, ask about their experience in hardware engineering. Perhaps you will get a solution from a single vendor. That will simplify project management and cost control for you. Also, it will help to avoid any miscommunication between vendors.
You should also check their experience in building similar IoT systems and reputation on the market. A trusted vendor will advise you on the right software technologies for your project, as well as PCB components, and make the workflow as transparent as possible. Agree on security measures even before the project begins.
10. No rush
Faster time-to-market will never pay off if you neglect the security of your system. Balance your cost and time resources wisely to implement the necessary security practices before the release.
Final thoughts
When building your own IoT product, you should predict all the potential weaknesses and plan its security measures even before the project starts. Alternatively, spend days or even weeks discussing it with your IoT development company. Don’t neglect anything: devices, communication protocols and the cloud server should all be protected. And of course, make sure to find a reliable IoT development partner who will turn your idea into reality. Learn more about how to find your true IT partner and make your product a success.