IoT Security and Privacy - Getting it Right, Right Now
Security and Privacy is recognized as a key concern for the Internet of Things (IoT). The World Economic Forums Industrial IoT Survey found “Regarding risk, respondents single out vulnerabilities for cyberattacks as their most important concern, as more physical systems come online. …76% of respondents indicate that they believe the likelihood of such attacks is very or extremely high. A related but slightly different risk is privacy breaches of personal data, which are also ranked high (68%).” The US Federal Trade Commission’s Report on IoT Privacy and Security states “…IoT devices may present a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating safety risks. Although each of these risks exists with traditional computers and computer networks, they are heightened in the IoT…” Applications of IoT devices in Medical, Industrial, and other applications are of particular concern.
Even with the level of concern throughout the industry, IoT products continue to fail basic Security and Privacy tests (reports by Veracode, HP, and Symantec). Some of what failed: sensitive private data not protected, lack of strong identity/passwords, security issues in cloud/web/mobile interfaces, and security authorization of software/firmware updates. OWASP had developed list that includes these and other common IoT issues.
why does security/Privacy fail?
At it core, these failures are not a failure of security technology in general. The security methods (technology, policy, configuration, architecture, etc.) to solve these Security and Privacy issues are well understood. So, why does Security/Privacy fail in Products?
- Product included too much – Security/Privacy decisions did not reflect product risk and/or product needs were misunderstood. Result – Security/Privacy was on the product critical path when it did not need to be and delayed product launch.
- Product did not include enough – Security/Privacy features were cut late to make delivery without evaluating risk and/or not specified. Result - Product launched without key Security/Privacy features causing customer and/or compliance issues.
- Product included the right features, implemented badly – The implementation of the Security/Privacy requirements was not specified correctly and/or testing was not designed to catch coding/security issues. Result – Product released claiming to be secure but with significant vulnerabilities leading to reduced product confidence.
- Product features moved to V2.0– Security/Privacy requirements not well understood and tied to product risk enabling decision to launch without Security/Privacy features to make budget/schedule. Result – High risk to product reputation and long lead time/expense to implement technical changes to restore confidence.
- Product outsourcing failed – Security/Privacy requirements were not translated correctly into technical specifications and tests to ensure proper delivery from subcontractor. Result – Product launch delays, budget overruns, and product risk unknowns post launch.
Security Systems Engineering – An Investment in Getting it Right
Many new, innovative products come from ideas implemented by small, responsive teams with driving needs (business, schedule, competitive) to launch the product quickly. As a result, development can move ahead of product definitions. While this parallel effort can lead to faster product cycles, it can also lead to re-work and budget overruns.
There is an optimum balance of up-front design/planning and transition to execution that experienced product teams seek. This is especially important in areas, such as Security/Privacy, that tie to many product components causing changes to have significant effects to schedules and budgets. Equally important are the ties between the up-front design and planning to the execution of the project and the verification that the resulting product does what it was designed to do. This philosophy must be agile in areas where the product is evolving, but the changes must be controlled and the effects of a change across the product understood before making the change.
Security Systems Engineering works to ensure the right secure product is designed and delivered. Systems Engineering focuses on: defining what needs to be built (Requirements), defining the components so then can be implemented including interfaces (Specification), creating a system design (Architecture), enabling the components come together correctly into a system (Integration), insuring that the system meets the Requirements (Testing), and understanding the reasons the systems can fail and their effects (Risk Management).
For an overview of best practices, NIST Special Publication 800-160 Systems Security Engineering provides view of accepted international standards of Systems and Software Engineering (ISO/IEC/IEEE 15288:2015) tailored to Security Engineering. As with all technical disciplines, the rigor applied to Systems Engineering can be adjusted to project scope, budget, and risk.
How Secmation can help
Secmation provides a wide range of products and services to aid Product Teams implement Security/Privacy in IoT efficiently leading to on-time product launch. Our Experts have led product development through the full lifecycle and understand how Security and Privacy is integrated efficiently into the product. Our capabilities include providing Security Systems Engineering services including:
- Requirements Generation
- Risk Management
- Developing Security Specifications
- Security Architecture
- Security Outsource Management
- Test Plan Design and Execution
A Stage-Gate Development process tied to the analysis and risk management provided by Systems Engineering can lead to more effective product launches. Secmation provides guidance on how to integrate security into your Stage-Gate process.
A core understanding of security principles specific to your product and proper initial analysis of security requirements is essential. Secmation provides Security Express, a rapid introduction to security for the Product Team with structured workshops to define your product’s Security/Privacy needs and get started right.