What makes securing the Internet of Things (IoT) so different from securing other computing platforms? Three things that are top of mind are the long lifecycle, the volume of production, and the machine versus human mode of operation.
Unlike traditional computing devices, which have an expected lifetime of three to five years, an IoT device may be in use for decades. During its life, it might be connected to different backend systems, change ownership, be reconfigured, or remain in its original role and configuration. It may or may not be upgradable, and similarly may or may not accept additional software functionality such as virus scanning or malware detection and removal. As a result, security solutions for these devices particularly benefit from robust hardware-based security, and legacy devices need to be protected behind purpose-built gateways. No one company can deliver all this for the IoT. Developer kits and platforms will enable innovation into vertical and horizontal markets, delivering specific solutions that are purpose-built and that represent new business opportunities.
Due to the volume of production, IoT devices come off the manufacturing line with a common configuration and specific, limited functionality. They all have the same default user ID and password, if appropriate, and the same vulnerabilities. The limited functionality makes it easier to protect them with narrow whitelists that confine actions and communications to a trusted set. But when they are deployed, it is easy to leave the defaults in place, thinking they are inaccessible or too small to care about. However, we have already seen these devices used as points of entry, so strong, unique passwords are just as important as they are on your laptop or bank account.
Finally, many of these devices operate in machine-to-machine mode, rarely seen by a human operator. Others may be in human contact all day, but are considered nothing more than a tool. Some have no display at all, or maybe just a few lights to communicate basic information. In virtually all cases, they do not have sufficient display and input capabilities to be configured, patched, or upgraded directly. Robust remote monitoring and management, supported by secure communications, keeps the operations center informed of anomalous behavior and enables it to remediate security breaches when necessary.
There is no simple solution or silver bullet that will secure such a diverse collection of devices. Multiple vendors and integrators will likely be involved over a device's lifetime, requiring a collaborative mix of proprietary, standards-based, and open-sourced components. There is also no single, perfect security level. Different devices at different points in the system and at different companies have different risk profiles. Building just the right level of security is achievable, by evaluating the risk, usage, and capability of each device.
The focus of IoT security is more on the data than the device. Protecting the data, when stored, in process, or in transit, enables you to provide security and privacy simultaneously.