Internet of Things Security Best Practices
Securing the Internet of Things (IoT) infrastructure is a critical undertaking for anyone involved with IoT solutions. Because of the number of devices involved and their distributed nature, a security event that compromises millions of IoT devices is non-trivial and can have widespread impact.
For this reason, IoT security needs a security-in-depth approach. Data needs to be secure in the cloud and as it moves over private and public networks. Methods need to be in place to securely provision the IoT devices themselves. Each layer, from device to network to cloud back-end, needs strong security assurances.
IoT best practices can be categorized in the following way:
- IoT hardware manufacturer or integrator
- IoT solution developer
- IoT solution deployer
- IoT solution operator
This article summarizes Internet of Things Security Best Practices. Please refer to that article for more detailed information.
IoT hardware manufacturer or integrator
Follow the best practices below if you are an IoT hardware manufacturer or a hardware integrator:
- Scope hardware to minimum requirements: the hardware design should include the minimum features required for operation of the hardware, and nothing more.
- Make hardware tamper proof: build in mechanisms to detect physical tampering of hardware, such as opening the device cover, removing a part of the device, etc.
- Build around secure hardware: if COGS permit, build security features such as secure and encrypted storage and Trusted Platform Module (TPM)-based boot functionality.
- Make upgrades secure: upgrading firmware during the lifetime of the device is inevitable.
IoT solution developer
Follow the best practices below if you are an IoT solution developer:
- Follow secure software development methodology: developing secure software requires ground-up thinking about security from the inception of the project all the way to its implementation, testing, and deployment.
- Choose open source software with care: open source software provides an opportunity to quickly develop solutions.
- Integrate with care: many software security flaws exist at the boundary of libraries and APIs.
IoT solution deployer
Follow the best practices below if you are an IoT solution deployer:
- Deploy hardware securely: IoT deployments may require hardware to be deployed in unsecure locations, such as in public spaces or unsupervised locales.
- Keep authentication keys safe: during deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe even after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device.
IoT solution operator
Follow the best practices below if you are an IoT solution operator:
- Keep systems up to date: ensure device operating systems and all device drivers are updated to the latest versions.
- Protect against malicious activity: if the operating system permits, place the latest anti-virus and anti-malware capabilities on each device operating system.
- Audit frequently: auditing IoT infrastructure for security-related issues is key when responding to security incidents.
- Physically protect the IoT infrastructure: the worst security attacks against IoT infrastructure are launched using physical access to devices.
- Protect cloud credentials: cloud authentication credentials used for configuring and operating an IoT deployment are possibly the easiest way to gain access to and compromise an IoT system.