The Secure Fashion of IoT
The Internet of Things (IoT), Industrial Control Systems (ICS) and even medical environments all have one thing in common: they're out of control!
You must admit it: there are devices in these infrastructures that are naked! Of course you want to dress them as quickly as possible so they won't catch a disease. But there is a big problem: you can't control them and you don't have access to them. Sounds like a recipe for disaster, doesn't it? Well, it doesn't need to be. I'll give you the cure!
There are two types of infrastructures that need to be taken care of:
- IoT with a central control point
- Standalone ICS, medical devices and others
IoT: a good design is good business
There is a cliché that says: "never underestimate a good outfit on a bad day". Is this getting too girly for you? Just compare it to your security. IoT hacks like the Mirai botnet, the Owlet WiFi Baby Heart Monitor vulnerabilities and the Jeep hack are your bad days. If you had worn a good outfit that day, you wouldn't have caught a cold. Those who dress sloppily are much more likely to be less successful.
That is why all companies should have a 'security-by-design' mentality. Each product you release should be secure! IoT products are usually not sold to the big enterprise buyers, but to the individual consumer, and that often results in lower security… Companies and end users don't want that, of course. Security is a luxury. A luxury we cannot deny ourselves.
IoT devices rely on a central point of control – in the cloud. Oh yes, there's that cloud again. And again, I need to stress how important it is to dress your cloud warmly. All communication between IoT devices and their management plane (the tools and apps that collect reports, send instructions, etc.) should be authenticated and encrypted, and locked down to only the endpoints that actually need to talk to each other.
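To make "secured and locked down" concrete at the application layer, here is an added example (written for this page, not code from the original post or from any vendor) of device-to-cloud messages that the management side can authenticate and protect against replay. It assumes, as a hypothetical design, that every device is provisioned with its own secret shared with the cloud service, that each message carries a monotonically increasing counter, and that transport-level TLS runs underneath this and is not modelled here. Device ids, keys and readings are constructed sample data.

```python
"""Authenticated, replay-protected device-to-cloud messages.

Added example for this page, not from the original post. Assumptions (hypothetical):
- each device holds a per-device secret shared with the cloud management service
- each message carries the device id, a monotonically increasing counter and an
  HMAC-SHA256 tag over a canonical encoding of (device_id, counter, body)
- TLS is assumed on the wire and is not modelled here
"""
import hashlib
import hmac
import json

# Constructed sample key material: one secret per device, provisioned at manufacturing.
DEVICE_KEYS = {
    "sensor-0001": bytes.fromhex("0f" * 32),
    "sensor-0002": bytes.fromhex("a5" * 32),
}


def canonical(device_id: str, counter: int, body: dict) -> bytes:
    """Deterministic byte encoding that both device and cloud sign/verify.

    Binding the device id into the signed bytes stops a message from one device
    being re-submitted under another device's identity.
    """
    return json.dumps(
        {"device_id": device_id, "counter": counter, "body": body},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


def device_sign(device_id: str, key: bytes, counter: int, body: dict) -> dict:
    """Device side: build a message and attach its HMAC tag."""
    tag = hmac.new(key, canonical(device_id, counter, body), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "counter": counter, "body": body, "tag": tag}


class CloudVerifier:
    """Management side: key lookup per device, constant-time tag check, replay rejection."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def verify(self, msg: dict) -> tuple:
        key = self.keys.get(msg.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(
            key, canonical(msg["device_id"], msg["counter"], msg["body"]), hashlib.sha256
        ).hexdigest()
        # compare_digest avoids leaking how many tag bytes matched via timing
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad tag"
        # counters must strictly increase; an old or repeated counter is a replay
        if msg["counter"] <= self.last_counter.get(msg["device_id"], -1):
            return False, "replay"
        self.last_counter[msg["device_id"]] = msg["counter"]
        return True, "ok"


def demo() -> list:
    """Run one good message, a tampered copy, a replay and an unknown device through the verifier."""
    cloud = CloudVerifier(DEVICE_KEYS)
    results = []
    m1 = device_sign("sensor-0001", DEVICE_KEYS["sensor-0001"], 1, {"temp_c": 21.5})
    results.append(cloud.verify(m1))                      # (True, "ok")
    tampered = dict(m1, body={"temp_c": 99.0})            # body changed, tag left as-is
    results.append(cloud.verify(tampered))                # (False, "bad tag")
    results.append(cloud.verify(m1))                      # (False, "replay")
    unknown = device_sign("sensor-9999", b"x" * 32, 1, {})
    results.append(cloud.verify(unknown))                 # (False, "unknown device")
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The point of the counter is that TLS alone does not stop an attacker who has captured a valid message (or compromised a relay) from feeding it back to the cloud later; the management side has to remember what it has already accepted per device. Per-device keys mean that one compromised device leaks only its own credentials, which is what makes "locking down" a single misbehaving device possible.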
Standalone devices should follow the trends
When it comes to standalone ICS, medical devices etc., companies should always follow the security-by-design trend. Industrial and medical devices have to follow certain regulations, so this should be easier to accomplish. But we still see that this isn't always the case, for example the hackable cardiac devices from St. Jude. Because some of these devices are connected to the corporate network, you have to make sure their behavior is monitored, and be prepared to disconnect them from the network if necessary.
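Monitoring a standalone device you cannot patch or log into usually comes down to watching what it talks to. The following is an added example (written for this page, not from the original post or any product) of that idea: each inventoried device gets a small allowlist of the peers it legitimately needs, flow records from the network are checked against it, and a device that fans out beyond its allowlist gets a "quarantine" decision that a NAC or firewall integration (not shown) would enforce. The device addresses, allowlists and flow log lines are constructed sample data, and the "timestamp src dst dport proto" record format is an assumption.

```python
"""Allowlist-based behavior monitoring for standalone devices on a corporate network.

Added example for this page, not from the original post. Assumptions (hypothetical):
- each inventoried device has a known, small set of (destination, port, proto) peers
- the network exports flow records as "timestamp src dst dport proto" text lines
- enforcement (NAC/firewall disconnect) is done elsewhere; this code only decides
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: device address -> peers it is expected to talk to.
ALLOWLIST: Dict[str, set] = {
    # hypothetical medical device: vendor management gateway + clinical server
    "10.20.0.15": {("10.20.0.1", 443, "tcp"), ("10.20.0.50", 104, "tcp")},
    # hypothetical ICS controller: engineering workstation only
    "10.20.0.16": {("10.20.0.1", 443, "tcp")},
}

# Constructed sample flow records (not real traffic).
FLOW_LOG = """\
10:00:01 10.20.0.15 10.20.0.1 443 tcp
10:00:05 10.20.0.15 10.20.0.50 104 tcp
10:01:10 10.20.0.15 10.20.0.77 445 tcp
10:01:12 10.20.0.15 10.20.0.78 445 tcp
10:01:14 10.20.0.15 10.20.0.79 445 tcp
10:01:30 10.20.0.16 10.20.0.1 22 tcp
10:02:00 10.20.0.99 10.20.0.1 443 tcp
"""


def parse_flow(line: str) -> Tuple[str, str, str, int, str]:
    """Split one flow record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def evaluate(flow_log: str, allowlist: Dict[str, set] = ALLOWLIST,
             quarantine_threshold: int = 3) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (violations per device, decision per device).

    A flow from an inventoried device to a peer outside its allowlist is a violation.
    Devices with fewer than `quarantine_threshold` violations get "alert"; at or above
    it they get "quarantine". Sources that are not inventoried are out of scope here.
    """
    violations: Dict[str, List[str]] = defaultdict(list)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if src not in allowlist:
            continue  # not an inventoried standalone device; handled elsewhere
        if (dst, dport, proto) not in allowlist[src]:
            violations[src].append(f"{ts} {dst}:{dport}/{proto}")
    decisions = {
        dev: ("quarantine" if len(v) >= quarantine_threshold else "alert")
        for dev, v in violations.items()
    }
    return dict(violations), decisions


if __name__ == "__main__":
    found, actions = evaluate(FLOW_LOG)
    for dev, action in actions.items():
        print(dev, action, found[dev])
```

In the sample log the medical device starts reaching out to three neighbours on port 445, which is nothing its allowlist says it should ever do, so it is marked for quarantine; the controller's single unexpected SSH flow only raises an alert. The threshold is deliberately a parameter: a device whose legitimate peers you are not yet sure about should start in alert-only mode until its allowlist has been confirmed, otherwise the first false positive takes a clinical or industrial device offline.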
COMING UP: We will soon post a technical follow-up blog with more concrete examples