Security by design in a quickly growing IoT market
IoT Security Blog Series
From industrial systems to smart home devices: more and more products are connected to the internet. Applying security by design and having everything that is connected to the internet checked by ethical hackers can help organizations with security. This, in turn, can help them to stand out in this stormy market. Part two of a series: how to implement security by design.
By Jeroen Slobbe
Security officers and system administrators used to be people who operated in the background of an organisation. Now their work is becoming the core business of an organisation, because vital industrial processes are connected to the internet through Industrial Control Systems, and because companies develop and use an increasing number of internet-connected devices and machines.
Testing IoT devices, which we described in our previous blog, is only one part of improving the security of internet-connected machines and devices. The other and more fundamental one is security by design. Developers need to address security in the core of the development process. Achieving this, however, is easier said than done.
A paradigm shift from gatekeeper to facilitator
Security officers are sometimes sarcastically referred to as ‘members of the department of no’: a department that only outputs limitations, because its perspective or performance indicators are chained to compliance. Now that connected devices are moving to the core business of an organisation, product security officers need to change their paradigm, from breakers to builders.
An example. We are helping one of our clients with implementing sensors on the rotors of their industrial machines. Those sensors are connected to an Industrial Control System and help to detect breakdowns quickly and predict whether maintenance is necessary. They improve the production process significantly. As a product security officer, you have two options during the innovation meeting: highlight all the risks you can see in this scenario, or volunteer to support the secure implementation of the connectivity part.
The old and strict security officer might come in and say: the more open connections we have, the more vulnerable we get, so we shouldn’t do this. That will probably not lead to another invitation to the innovation table. Although this particular product will not see the light of day because it is insecure, many new products will, because people will start to circumvent the old and strict officer. When you volunteer to implement the connection instead, you can start designing it with security built in, and you will be guaranteed another invitation to the innovation table. This shift from breaker to builder of security gives you the maximum ability to implement security by design.
The same applies when developing IoT devices for customers. Including the product security officer at an early stage of the development process facilitates informed decisions, and with the right attitude this results in more secure products combined with more innovation.
When security by design is applied, security is no longer something that limits possibilities. When security considerations are involved early in the development process, they enable the innovation of business and revenue models.
For more information about IoT, please contact Dana Spataru or Jeroen Slobbe via the contact details below.