Six principles to secure the IoT

Two decades in, the Internet of Things (IoT) remains in its infancy. The phrase itself was popularized only about five years ago — and 80 percent of consumers still don’t know what IoT means, according to at least one study.

Fortunately, the relative novelty of the IoT — along with the innumerable lessons we’ve learned from continual tech innovation over the last half-century — presents an unprecedented opportunity to proactively address security issues as the technology catapults forward. 

One of the things we’ve learned as industry experts is that it’s better to self-regulate and implement strong protocols and procedures than to abandon leadership — and inevitably wind up at the mercy of governmental regulatory proposals. We need to lead in the security arena, especially when — according to Gartner research estimates — the number of IoT devices right now exceeds the world’s population, and there will be more than 21 billion IoT devices around the globe within two years. 

Current regulatory proposals lack substance, momentum

Political leaders recognize the importance of balancing privacy and security with broader business demands. Many bills are already in the works, including one in California that has passed the legislature and awaits Gov. Jerry Brown’s signature.

Yet California’s SB-327 — the first legislation of its kind in the United States — has been labeled “superficial” and “weak” by some who have been diligently working on IoT security issues for years. Moderately publicized federal proposals — such as S.1691 (the IoT Cybersecurity Improvement Act of 2017) and HR 1324 (Securing IoT Act of 2017) — continue to idle in Congress. 

The dangers of IoT security failures

In the meantime, just one highly publicized major security breach can devastate the fledgling IoT industry. For example, in the home:

  • Some solar panels remain vulnerable to hackers who might maliciously control power access or — worse — spy on residents and children.
  • Certain toys are riddled with security holes that can expose images of those playing with them to third parties.
  • Fitness trackers, heart-rate monitors and security systems all transmit sensitive personal data users don’t want falling into wrong hands.
  • Actuators embedded within several products can be hacked so that their triggers are rewired to malevolent ends. Connected kitchen appliances can be maliciously programmed to overheat and catch fire, while connected vehicles can theoretically be shut off in the middle of a highway.

In the corporate world, poorly secured IoT devices connected to a company’s data storage infrastructure can expose customer and corporate data, causing significant reputation and brand damage as well as crippling legal and liability issues.

Six guidelines to secure IoT devices and apps

The IoT industry needs to lead when it comes to securing and safeguarding connected systems. If we don’t, it’s only a matter of time before a major mishap occurs and government steps in to impose rules that likely won’t have as nuanced a view of the needs and challenges of the IoT ecosystem.

To stay ahead, it’s critical that we integrate security into every level of the hardware, cloud software and firmware stacks, and every system and device needs to be designed with a minimal attack surface area. These six principles will help to achieve that goal:

  • Prefer microcontroller-based designs over full operating systems.
  • Every open port is a potential point of attack. Avoid opening ports on microcontrollers, and actively close or secure every open port and available protocol on more powerful systems.
  • Encrypt all communications between the device and the cloud to ensure confidentiality, integrity and authenticity.
  • Actively monitor dependencies for known vulnerabilities, both in device firmware and cloud services. GitHub and other service providers assist with this process.
  • Secure the cloud with network segmentation and immutable infrastructure that can quickly and easily replace suspect servers.
  • People are often the weakest link, so enable or require multi-factor authentication to use device management software for IoT fleets.
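The third principle, encrypting device-to-cloud traffic so that it is confidential, integrity-protected and authenticated, is the one most easily shown in code. The following is an added example written for this page, not Particle's own firmware or cloud code. It assumes a 256-bit key provisioned to each device at manufacture time (generated at random here for the demo) and a constructed device identifier, and uses AES-256-GCM from the Go standard library. The device side seals each telemetry message with a counter-based nonce and binds the device ID in as associated data; the cloud side rejects any message whose authentication tag fails and any message whose counter does not advance, which catches both tampering and replay.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample identifier; a real fleet would use the device's serial number.
const deviceID = "device-0001"

// Envelope is what travels over the wire: the nonce plus the sealed payload.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// Device holds the per-device key and a monotonically increasing message counter.
// The counter must survive reboots (e.g. stored in flash); reusing a nonce under
// the same GCM key destroys both confidentiality and authenticity.
type Device struct {
	aead    cipher.AEAD
	counter uint64
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewDevice(key []byte) (*Device, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Device{aead: aead}, nil
}

// Seal encrypts and authenticates one telemetry payload. The counter fills the
// low 8 bytes of the 12-byte nonce, and the device ID is bound in as associated
// data so a message captured from one device cannot be presented as another's.
func (d *Device) Seal(plaintext []byte) Envelope {
	d.counter++
	nonce := make([]byte, d.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], d.counter)
	ct := d.aead.Seal(nil, nonce, plaintext, []byte(deviceID))
	return Envelope{Nonce: nonce, Ciphertext: ct}
}

// Cloud keeps the same key and the highest counter it has accepted for this device.
type Cloud struct {
	aead        cipher.AEAD
	lastCounter uint64
}

func NewCloud(key []byte) (*Cloud, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Cloud{aead: aead}, nil
}

// Open verifies the tag first, then enforces a strictly increasing counter.
// State is only updated after a message has fully authenticated.
func (c *Cloud) Open(env Envelope) ([]byte, error) {
	if len(env.Nonce) != c.aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := c.aead.Open(nil, env.Nonce, env.Ciphertext, []byte(deviceID))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	ctr := binary.BigEndian.Uint64(env.Nonce[len(env.Nonce)-8:])
	if ctr <= c.lastCounter {
		return nil, errors.New("replayed or out-of-order message")
	}
	c.lastCounter = ctr
	return pt, nil
}

func main() {
	key := make([]byte, 32) // stands in for the key provisioned at manufacture
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	dev, _ := NewDevice(key)
	cld, _ := NewCloud(key)

	env := dev.Seal([]byte(`{"temp_c":21.5}`))
	pt, err := cld.Open(env)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)

	_, err = cld.Open(env) // same envelope again: replay
	fmt.Println("replay:", err)

	env2 := dev.Seal([]byte(`{"temp_c":22.0}`))
	env2.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = cld.Open(env2)
	fmt.Println("tampered:", err)
}
```

Note that this shows only the message layer; in practice the same traffic would also ride inside TLS, and the counter gives the cloud a cheap per-device replay window without having to store every nonce it has seen.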

Setting an example for legislators and regulators

Those of us on the front lines of the IoT are pioneering a brand-new industry. That’s a huge responsibility. As we continue to innovate and create the connected systems of the future, leadership in the realm of security will play a large part in smoothing the path ahead. Political leaders will notice that we take privacy, safety and data protection seriously.

The IoT is poised to do amazing things and unleash substantial value across the global economy. By investing in keeping the IoT safe, we’ll build public confidence in our growing industry — and ensure regulators maintain trust in our intentions and capabilities.

Zachary Crockett is founder and CTO of Particle

Zachary Crockett is the Founder and CTO of Particle. He is a strategic and cultural leader of a globally distributed, rapidly growing, engineering-focused organisation serving the exploding internet of things industry with great user experiences built on cutting-edge tech.