Securing Connected Devices: Considerations for Make or Buy
02/02/2016 Terry Gaul
The new challenges presented by connected devices are causing developers to go back to basics and even rethink the term security and what it means in the IoT.
Security and the IoT are terms becoming intrinsically linked in the grand discussion of connected devices and their envisioned applications in virtually every aspect of our ecosystem, whether it be consumer wearables, medical devices, or industrial systems.
Ted Harrington, Executive Partner, Independent Security Evaluators, made this comment recently in IoT World News: "IoT is very much a double edged sword. After all, the more companies collect and store data – the more reason hackers have to target them. And the more objects we connect – the more openings we create for technological infiltration."
Harrington went on to note that he believed that security is not a development priority in the IoT industry today. "If you consider the types of security vulnerabilities that plague this industry, it clearly demonstrates the security is not built in. If secure design principles were better integrated into product design, many of the fundamental flaws would disappear," he added.
This sentiment hasn’t been lost on connected device developers and the main reason why many organizations like the Industrial Internet Consortium are collaborating with industry leaders to develop security guidelines and best practices for IoT manufacturers. For some developers, the new challenges presented by connected devices are causing them to go back to basics and even rethink the term security and what it means in the IoT.
For example, Colin Walls, an embedded software technologist with Mentor Graphics said in an article in New Electronics: "I’m worried about use of the term ‘security’, because it can mean one of several things; all of which are important. For example, it can mean protecting data you’re transmitting that you don’t want people to see. It can also mean preventing people from getting into systems. Then there’s making systems safe. Safety and security are not the same thing; safety is protecting the world, while security is vice versa."
The new generation of embedded system developers are essentially in the same predicament that ISVs of traditional PC applications found themselves in years ago. Do they invest in acquiring the expertise in new technologies required to secure and protect connected devices or collaborate with outside security experts to help them build-in security by design – the classic Make or Buy dilemma. It’s a major consideration and a decision not easy to make. Let’s take a look at some of the factors involved in securing IoT devices:
Integration in devices and software
End-to-end turnkey protection and licensing from product planning, development, operations and maintenance
Industrial-grade properties (small footprint)
Support for OPC UA
Upgrades and updates
Feature on demand licensing
Models tailored to the IoT (i.e. pay per use license models)
License management, access rights, and certificates
Simple integration in all business processes, from development and production to sales and servicing
License management via the cloud, with 24/7 self-service capabilities, including license activation and returns, transfer to other devices, upgrades, license renewal or cancellation.
Flexible pricing and service packages for different use cases
Complete hardware, software, and cloud-based solutions
Industrial-grade secure elements in common form factors
Proof of origin
Protection against reverse engineering, copying, or cloning
Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.