Security must be a primary consideration when a device is designed, and it must be maintained throughout the device lifecycle. The following are a few ways to secure connected products:
• When the device is first powered up, a cryptographically generated digital signature verifies the authenticity and integrity of the software on the device, i.e., only software that has been authorized to run on that device, and signed by the entity that authorized it, will be loaded.
• Access controls built into the operating system limit the privileges of device components and applications so they access only the resources they need to do their jobs. The principle of least privilege dictates that only the minimal access required to perform a function should be authorized in order to minimize the effectiveness of any breach of security.
• When the device is plugged into the network, it should authenticate itself prior to receiving or transmitting data.
• The device must have a firewall or deep packet inspection capability to control traffic that is destined to terminate at the device in a way that makes optimal use of the limited computational resources available.
• Software updates and security patches must be delivered in a way that conserves the limited bandwidth of an embedded device, accommodates its intermittent connectivity, and absolutely eliminates the possibility of compromising functional safety.
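The authenticate-before-data item in the list above, sketched as an added example that is not part of the original article: a gateway issues a fresh challenge, the device answers with an HMAC over it, and data is dropped until that check passes. The HMAC-SHA256 scheme, the pre-provisioned per-device key and all names (`Gateway`, `device_response`, `sensor-001`) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample provisioning table: device ID -> per-device secret key.
PROVISIONED_KEYS = {"sensor-001": bytes.fromhex("00112233445566778899aabbccddeeff")}


def device_response(device_id: str, key: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without ever sending it."""
    return hmac.new(key, device_id.encode() + b"|" + nonce, hashlib.sha256).digest()


class Gateway:
    """Network side: accepts data only from devices that passed the challenge."""

    def __init__(self, keys):
        self._keys = keys
        self._pending = {}           # device_id -> outstanding nonce (single use)
        self._authenticated = set()

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh per attempt, so old answers fail
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(device_id, None)   # consume: one try per nonce
        key = self._keys.get(device_id)
        if nonce is None or key is None:
            return False                             # no challenge, or unknown device
        expected = device_response(device_id, key, nonce)
        if hmac.compare_digest(expected, response):  # constant-time comparison
            self._authenticated.add(device_id)
            return True
        return False

    def accept_data(self, device_id: str, payload: bytes) -> bool:
        # Traffic from a device that has not authenticated is dropped.
        return device_id in self._authenticated
```

On a constrained device the same exchange would typically be implemented in C against a hardware-protected key; the control flow is unchanged.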
The Internet of Things Security Foundation (IoTSF) is a non-profit body founded by a group of technology companies that will be responsible for vetting connected devices for vulnerabilities and flaws and will offer security assistance to technology providers, system adopters, and end users. There are many other companies working on setting up platforms that will enable large networks of IoT devices to identify and authenticate each other in order to provide higher security and prevent data breaches. There is also research being conducted to enhance IoT security through device and smartphone linking.
To summarize, IoT security cannot be an afterthought; it must be an integral part of the device. Rather than searching for a silver bullet that does not exist, we must re-engineer, optimize and adapt the current cutting-edge security controls that work for the IT network to the complex embedded applications that are at the heart of the Internet of Things.
Mr. MN Vidyashankar is the President of India Electronics & Semiconductor Association. MN Vidyashankar served as the Principal Secretary to the Government of Karnataka and brings over 30 years of rich experience in management and administration of various government offices, autonomous bodies, boards and corporations. Vidyashankar joined the IAS in 1982 and served various government departments at the state and central level before moving on to hold the position of the Principal Secretary, Department of Information Technology, Biotechnology and Science & Technology, Department of e-Governance, Government of Karnataka. Vidyashankar holds an M.A. in Economics and an M.Phil. from the Delhi School of Economics, University of Delhi. He is also a postgraduate in business administration from Harvard University, USA.