Asaf Ashkenazi, senior director of product management in Rambus’ Security Division, has penned an article for Semiconductor Engineering about the six “Strategic Principles” for securing the Internet of Things (IoT) outlined by the U.S. Department of Homeland Security (DHS).
Perhaps the most important of these principles, says Ashkenazi, is the concept of implementing security at the design phase, with the DHS recommending the use of hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption and anonymity.
“Treating security as a primary design parameter rather than a tertiary afterthought is certainly an approach that is long overdue for a very vulnerable Internet of Things,” he explained. “As more and more ‘things’ connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger.”
As Ashkenazi points out, building hardware that incorporates hardened security features would protect devices throughout their lifecycle, from chip manufacture to day-to-day deployment to decommissioning.
“This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and its cloud service,” he stated.
In addition to implementing security at the design phase, says Ashkenazi, the DHS recommends that device manufacturers promote security updates and vulnerability management. Vulnerabilities may be discovered in products after they have been deployed, even when security is included at the design stage. Such flaws can be mitigated through patching, security updates and vulnerability management strategies.
“From Rambus’ perspective, over-the-air updates and vulnerability management are crucial elements of IoT security. However, to be truly secure, both must be tied to a hardware root-of-trust,” he emphasized. “Infected, hijacked or spoofed devices that are not authenticated are denied access to the service. This approach can also help mitigate the effectiveness (and damage) of DDoS attacks against service providers.”
As Ashkenazi concludes, the six “Strategic Principles” outlined by the DHS will go a long way in helping to convince the industry that IoT devices should not be pushed to market with little regard for security.
“Put simply, IoT security needs to be treated as a primary design consideration, rather than a haphazard afterthought,” he added.