Digi Chief Technology Officer (CTO) Joel Young, shares which questions to ask when planning an IoT Strategy and covers the five critical areas of IoT security - secure boot, authentication, protected ports, storage, and secure connections.
When planning an IoT strategy it is important to understand the risks of being attacked, which questions to ask, and what steps to take in order to ensure strong IoT device security. Digi Chief Technology Officer, Joel Young, takes us through five simple steps to ensure a more secure Internet of Things approach.
- Secure Boot
- Authentication
- Protected Ports
- Secure Storage
- Secure Connections
Watch this video to learn more and check out
Digi TrustFence to provide the security tools to need.
Transcript
I'm Joel Young and I'm the CTO here at Digi International. At Digi, security is at the forefront of everything we do. Yet we see that in planning an IoT strategy, it oftentimes isn't as well thought through as it should be. I often hear questions like, "I wanna know if the cloud is secure" or "How can I deploy applications in our data center?" But rarely does someone ask me to prove that a specific device is secure. And it's a question that should be asked more often. HP Security Research did an evaluation and found that 70% of what we call IoT devices are vulnerable to an attack. Today, I want to cover five steps to help ensure a more secure Internet of Things approach through stronger device security.
The first one we'll call secure boot. That means that only authorized firmware can be put on your machine. So in essence, no matter who's updating your firmware, no one can add a few lines of code here and there, or install some malware because if it isn't authorized, it's not making it onto that machine.
Now, let's take a look at authentication. How many devices do you think are shipped with default password authentication or no authentication at all? Passwords are passe especially for machines. Strong Certificate Based Authentication is the best way to secure access to a device. You only have to look to the recent Mirai DDoS attack which took out companies like Amazon, Spotify and Twitter, all because there was no authentication on home routers and set-top boxes.
Often overlooked are protected ports. This is physical security. Sometimes they're called JTAG ports. Essentially, there are other ways of actually going in and physically debugging the system and since you have to physically have access to the device, most people don't worry about it. What do we know about the world of Internet of Things? Well, what we know is that machines are placed in places where people often aren't or people that care aren't, right? If I showed up in a maintenance suit and told you I was just doing some repairs, you might not think anything of it. But unless those debugging ports are protected, you just opened yourself up to being hacked.
Now, let's talk storage. Many of us know that if we're storing data on a large enterprise system, the data is secure. But what about the flash storage on your embedded device? It turns out embedded systems typically have something called flash storage. And they might hold some information from time to time that's not immediately secured or encrypted and that can open you up to a security breach leaving all that information at risk.
Last but not least, there are secure connections. Secure connections have two components. One of those components is actually encrypting the over the air data and the other is appropriate key exchange. Appropriate key exchange must include authentication and authorization upfront to set up that encrypted connection. Why are they both important? Because if you don't do the first part right, then the keys are open and anybody can un-encrypt. And if you're not encrypting, then someone could easily take a peek at your data. But not all data is created equal, right? Does anyone really care about your temperature sensor data? Well, it turns out that things like IP addresses and port identification may also get sent. And if you're not securing that whole communication pipe, it leaves it open for an attack.
So what's included with Digi TrustFence? Secure boot. That's the secure firmware. Authentication covers proper identification. No default passwords. Protected ports, those debug ports require authentication so that they're not open. Secure storage, in other words encrypted storage even in an embedded device. Secure connections, make sure that you have secured connections, encrypted, authorized and authenticated.
So when you think in terms of IoT security, remember those five key areas and then look to Digi TrustFence to give you the security tools you need so that you don't have to worry and you can sleep well at night.