So, what can we do?
There is no silver bullet that mitigates all IoT threats, and we need to accept that security by obscurity does not work in IoT. We cannot call an IoT product secure because it uses proprietary protocols, in-house hardware or air-gapped closed networks: protocols get reverse-engineered, hardware gets probed, and "closed" networks get bridged. We need to think security by design, and security cannot be an afterthought. It has to be considered and implemented at every one of these stages:
- Planning: Security requirements, Risk Analysis
- Design: Secure Design Practices, Threat Modelling
- Implementation: Secure Coding Practices, Security-focused Code Reviews
- Verification: Security-focused Testing, Third-Party Security Audit
- Validation: User Testing to expose Weak-points, Penetration Testing
- Deployment: Operational Risk Assessment, Secure Deployment Practices
- Operations: Incident Response Preparedness, Vulnerability Management
A lot of research is under way around the world on how to bootstrap trust and security from the very first design stage, for example powerful Systems on a Chip (SoC) with embedded hardware security support, and Elliptic Curve Cryptography variants with reduced computational demands that fit constrained devices.
To address these threats, the IoT business model also has to change. Earlier we used to build products, ship them and forget about them until we had to service them; in the world of IoT we have to ship and remember. Remember where our devices are, what they are doing, and what they are doing that they shouldn't. We need to understand the delicate balance between speed to market and the appropriate level of security, taking the final product cost into account too. IoT cannot succeed if we ignore Amara's law: "We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run."