IoT security by design starts with security-tested modules and adoption of industry best practices
For application developers, IoT security is a fundamental baseline foundation that must be considered from the design stage, through manufacturing to the ultimate deployment and operation of the device itself. Security is not an end state, it’s an ongoing process of selecting and integrating components that offer secure attributes and can contribute to the overall security of the device or service. However, until recently it has been a significant challenge to identify the security status of individual components.
Now, this issue is being addressed with implementations of IoT device security by design which supports best practices in relation to transparency, testing, compliance and network security. By taking the ‘by design’ approach, developers and designers can ensure that device security is considered throughout the development process and select the most suitable components for each deployment. This takes into account the likely threat profile that specific devices face, the appropriate cost and the key attributes each component needs to contribute to overall security by design.
IoT security relies on transparency under penetration testing
Only by selecting pre-tested components that report transparently on their performance under processes such as penetration testing can developers know the security status of components such as IoT modules. This knowledge helps them select secure modules and also contributes to the overall picture of IoT device and service security.
At the heart of the heightened awareness of IoT security are the GSMA IoT Security Guidelines which describe the security attributes IoT devices and networks need. These Guidelines come together with industry best practices and cellular network security to create a bedrock on which secure IoT solutions can be built. In turn, these come together to create and enable IoT security building blocks and transformed system architectures that help to address device security.
A virtuous circle that continually advances IoT security is being created between more secure IoT modules, cellular networks and the emerging best practices for secure design, development and operation of IoT devices. Even so, challenges remain. Achieving security has never been free so careful consideration needs to be given to the levels of security that can be achieved and which security approaches are appropriate for individual deployments.
The concept of the security bill of materials (SBOM) has emerged to align the cost of security with the threats faced and the overall cost of a device or service. With IoT security testing now becoming part of industry best practices, it’s clear that holistic approaches to security as an integral part of IoT solutions are here to stay.
All of these issues were explored and detailed in a recent Quectel Masterclass titled: ‘IoT device security: Mastering best practices and design essentials’. The Masterclass, hosted by Quectel and Matt Wyckhouse, the founder and chief executive officer of Finite State, a specialist company that works with product and supply chain security teams around the world to help them build scalable vulnerability and risk management solutions for complex product portfolios, reveals the new ways in which vendors are approaching security testing. In addition, it provides a series of in-depth insights into industry best practices and how to build efficient, tested, IoT solutions that are secure by design.
To view the Masterclass, visit: https://www.quectel.com/masterclass-library/iot-device-security-best-practices-design-essentials