IoT Security? Let Them Eat Cake!

Often attributed to Marie Antoinette, the now famous phrase “let them eat cake” (qu’ils mangent de la brioche) is typically used to highlight one’s lack of understanding of a serious issue.

This attitude is particularly noticeable in the world of IoT security. Everyone acknowledges that the clear majority of IoT devices are vulnerable and easily compromised, as many lack even the most basic of security functionalities. This is problematic, because an unsecured IoT ecosystem introduces real-world risks that include malicious actors manipulating the flow of information to and from network connected devices or tampering with devices themselves.

Nevertheless, despite the real-world risks, a number of IoT security products are presented as “super solutions” that aren’t at all affordable or easy to use. This has led to a situation where some OEMs view IoT security as a zero-sum game, with liability, risks and high costs piling up no matter which way they turn. The industry must therefore move away from a “let them eat cake” mentality and understand the very real concerns of OEMs who are struggling to implement even the most basic levels of IoT security.

Clearly, IoT security solutions should be affordable and ready out of the box. Additional layers of security, if needed, can be added based on a changing threat landscape. It is also important to note that a comprehensive IoT security solution is about more than just protecting a specific device in a vacuum, as robust security capabilities should extend to the cloud service as well.

Put simply, the most effective IoT security solution is one that does not disrupt the OEM’s profitability or time to market. A practical and simple, yet secure solution that can be easily and widely adopted by OEMs and services is more effective than a “super solution” that has limited adoption. A solution that provides seamless end-to-end secure connectivity – from device to the cloud, as basic as it is, can make a significant difference.

The goal of security technology providers should be to deliver affordable and simple to use security, thereby increasing the adoption of security practices in IoT devices. In addition, IoT security solutions should be ready for the day where they need to be updated or upgraded to keep up with new threats. Indeed, it is important to understand that IoT devices are not always as accessible as laptops, tablets and mobile phones. Some are embedded in smart city infrastructure on rooftops, concrete walls and subterranean pipes in sewage systems. These devices must receive secure over-the-air (OTA) updates, even if they are physically inaccessible.

In conclusion, IoT devices are particularly susceptible to security lapses, mostly because they are at once simpler, yet more difficult and costly to protect. Moreover, developers of such systems tend to be less familiar with the importance of security. Nevertheless, the industry can still do its best to safeguard IoT devices by leveraging secure hardware provided by the chipset vendor, as well as utilizing on-chip pre-provisioning of unique keys and IDs.

In addition, OEMs should focus on the most critical vulnerabilities and choose the most appropriate levels of security based on plausible risks and attack vectors. A complete and scalable security solution that covers the device and the cloud service is the most effective, as it allows both OEMs to reduce their costs and time to market and services to minimize in-field device setup, customization and maintenance.