There are a lot of internet of things (IoT) prophets of doom out there. Most recently, the mobile phone industry has aired its concerns. And of course, if security is put on the back burner, there will inevitably be very serious problems. So, I’ve made a handy action-list for you, writes Bjørn Søland, IoT expert at identity and security company Nexus Group.
The mobile phone industry recently gathered at the Mobile 360 Latin America event in Bogota, Colombia, arranged by the mobile phone operators’ trade association GSMA. They discussed the future, and when it came to IoT security, they predicted serious challenges. At its bleakest, the discussion gave the impression that billions upon billions of connected things will create a complexity so difficult to handle that Cyber Armageddon will be close to inevitable.
Cherry-pick good practices
But wait – what’s the problem? Have you forgotten that the I in IoT stands for internet, and that the T – things – are just small, internet-connected computers? The internet has been around for a while, and internet-connected computers have been used for serious stuff like internet banking for more than 20 years. All you have to do is cherry-pick the good practices learned painfully during the last decades; the IoT community doesn’t have to repeat the cyber miseries of the ’90s.
I have made a handy action-list for you – all the steps are tried and tested, and not particularly hard to implement:
1. Provide every single thing and user with a trusted identity; if you don’t know who or what you’re talking with, you can’t trust your system.
2. Manage the identities, and manage groups, roles, and authorizations.
3. Issue and manage secure login credentials for both people and things; default passwords and shared secrets are often not a good idea (to put it mildly).
4. Prevent fake devices from connecting, and remove broken devices.
5. Protect data at rest in things.
6. Protect data in transit.
7. Issue software updates securely.
Voilà – no Cyber Armageddon!
Bjørn Søland, IoT expert at identity and security company Nexus Group