01 Jul 2015

IoT Security: The Ugly Truth

Mike Muller, CTO ARM, gives the Ugly Truth about IoT Security: despite your best efforts, you will get compromised. See the talk online.

Tech providers have to think very carefully about how attackers might break into their systems. They have to consider the entire attack surface and ensure security is architected in, from manufacture right through to end of life. The bad news is that a hacker only needs to find one exploit and all that effort could be undone.

So what is a developer to do? Is it feasible for developers to become experts in security as well as product design? Probably not, but that doesn't mean it's futile. Indeed, we need to learn the lessons of the past - the PC and the mobile era - to make sure we're in much better shape for the explosion that is the Internet of Things.

To start with, we have to equip developers with much better security suites so that they do not have to be experts in the latest security measures. We should think about how we architect security into systems without encountering endless choices or variations. In theory this can be achieved by separating the security aspects of the product from the operating features. In a sense, there is a two-speed development cycle: rapid innovation can happen at the product level whilst security elements move more slowly and are highly likely to be provided by third-party experts. In this way we can keep pace with market opportunities without compromising the product or the service, or embarrassing the brand.

During his talk, Mike also discusses the need for a better quality of engineering: there are so many potential exploits in these new and complex systems that the consequences of getting it wrong are much too unpalatable. As a case example, Mike draws on experience with the automotive sector and suggests that this could be the way forward for IoT in general. Mike concludes by outlining 5 common areas we need to address to liberate the Internet of Things, all rooted in trust throughout the lifecycle.

You can watch the full talk here: http://iotsecurityforum.net/iot-security-summit-2015/