Your internet-enabled coffeemaker checks your calendar each morning to determine what time to start brewing a pot of coffee. Your lights come on in the evening just as you come home.
Sound like the distant future? It may not be, as “smart” home automation systems have appeared on the consumer market. The innovation unleashed by wireless networking technology and low-power processors has the potential to ease consumers’ lives in profound ways. At the same time, the recent Mirai Internet of Things (“IoT”) botnet has shown that device manufacturers can’t ignore security risks of networked devices.
For some guideposts in the path to a safe and secure IoT, companies can look to best practices recently released by the National Highway Traffic Safety Administration (NHTSA). Although the guidance, titled “Cybersecurity Best Practices for Modern Vehicles,” is targeted to car manufacturers, many of the NHTSA’s recommendations are equally applicable to IoT developers and users.
Some key takeaways from the report for any company learning how to secure its IoT devices include:
- Begin by performing a risk assessment of your product. Consider the safety hazards that could be exposed in your device in the home environment, as well as network security defenses.
- Detection and remediation of threats is an essential part of being a responsible IoT device manufacturer. Develop vulnerability reporting programs, define roles and responsibilities for incident response, and perform self-audits.
- Make safety-conscious design choices where possible, such as encrypting communications or providing over-the-air patches, in which a software update is delivered to the device wirelessly, without requiring a physical connection to a computer. Consider also how your device might fail if it loses network connectivity or power. Should your device “fail open” as an escalator does in a power outage, becoming a useful staircase? Or should it “fail closed” as might be safest for a wireless front door lock?
- Design for a layered approach to cybersecurity, which will vary depending on your device’s complexity. Consider the security implications if various functions are compromised, and design devices to mitigate risk to the consumer. This may include allowing upgrades to wireless control interfaces, implementing two-factor authentication, or limiting how various sub-systems talk to each other within your device.
Good design decisions not only improve security for the consumer but also help prevent harm to the wider network, like last week’s DynDNS DDoS attack by the Mirai botnet. Avoid risky security practices like hardwired default passwords shared across a device type, or network accounts that cannot be disabled or whose passwords cannot be changed. Although companies creating innovative and creative IoT devices will each have to develop and apply their own secure practices, these overarching principles are a good starting point to a future of safe, secure, and helpful IoT devices.