There is an old saying in the IT security space, one that really applies across any type of security: Complexity is the enemy of security.
It’s hard to pin down exactly who coined this phrase. Among the earliest references to it are those from IT security guru Bruce Schneier. And Schneier’s discussion of this principle is probably among the clearest: systems get harder to secure as they get more complex. And since our systems are getting more complex all the time, security is becoming more challenging.
Today’s poster child for the Complexity-Security inverse correlation is Internet of Things device security.
Consider the complexity that IoT injects into an enterprise’s IT operations, which is what makes IoT security such a challenge. First, IoT takes devices that previously were relatively “dumb” — appliances, HVAC systems, medical sensors, physical security devices, cars — and embeds computing systems in them, capable of running reasonably sophisticated code. Then IoT connects these devices to networks and external computing resources. Previously, the devices may have been completely “air gapped,” meaning they had no connectivity at all. Or perhaps they had a dedicated, isolated network of proprietary protocols and a bespoke design.
But IoT is often about connecting smart devices to standard IT types of networks, sometimes even the Internet. In some cases, IoT devices may also be connected to nebulous Cloud computing platforms, for analytics and data processing. Then IoT deployments spread these connected devices around the world in locations that traditionally would not be populated by smart devices, such as a patient’s home, or on a remote utility grid site, or on a transportation network.
And these deployments are at massive scale. Research from Vodafone shows that the number of IoT deployments with 50,000 or more devices has doubled in the past year. Scaling to such massive deployments naturally introduces a host of complexities around device support, administration, configuration, updating, patch management and so on.
So IoT is providing us with a textbook example of how complexity can grow along many dimensions simultaneously: more complex devices, more complex connectivity, more complex deployments, and more complex management at scale. And we see plenty of evidence that the Complexity-Security principle holds true, with the increasing frequency of, and damage caused by, IoT attacks.
If you manage or develop IoT products, the security of your devices is now at the forefront of your customers’ minds.
The Drive to Simplicity
The answer to the issue of complexity that increases security risks around IoT devices is, of course, to simplify. That means simplifying the implementation of secure device designs and configurations. It also means simplifying the processes for maintaining the security of devices in production deployment.
In Timesys’ work with leading device manufacturers, we have captured the industry’s best practices for improving embedded system IoT security. Many of these best practices focus on simplifying how IoT devices are deployed and secured, such as:
- Designing security into devices at the start via secure configurations and embedded Linux hardening.
- Performing security risk assessments and vulnerability assessments via IoT device security auditing, a precursor to the penetration testing practices that many end customer enterprises pursue.
- Simplifying vulnerability management via a CVE monitoring and notification service. CVE notifications have exploded in recent years, so cutting through the CVE storm is an essential part of maintaining your product’s security posture.
- Streamlining patch management and updates, such as via our Security Vulnerability and Patch Notification Service.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will help you make sure your embedded products are secure by design, and stay secure throughout their lifecycle. Our embedded system security offerings will simplify IoT device security for your products and customers. Contact us to learn more.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.