What are best practices for IoT system security? A listicle of sorts

Any IoT system developer knows cybersecurity threats are growing fast. It doesn’t help that just about any electronic device is now connected to the internet, putting it in line for a hotshot teen hacker with something to prove or a sophisticated threat vector from a foreign enemy state such as [insert name of evil country].

To that end, many companies are beefing up IoT system security, but just in case, Fierce Electronics reached out to experts on their best practices. Some of the tips may seem obvious to experienced security pros, but the biggest insight is that it takes not one, but all of their recommendations together to make a difference.

Here are a few guidelines, sort of a listicle, of best practices for IoT system security. The subject will be discussed more thoroughly in a panel at the Embedded Tech Conference co-located with Sensors Converge in San Jose on June 28.

Thanks go to George Grey, CEO of Foundries.io, for providing these insights. Foundries.io is an open software platform company created to help OEMs bring IoT and edge devices to market faster. Grey will also be on the June 28 panel, along with experts from Microsoft, Linux, Walgreens and more.

What emerging cyber regulatory guidance do companies need to know about?

Grey: Governments, including national security agencies, are starting to pay attention to consumer and industrial IoT devices as well as critical infrastructure. That includes the effect a home electric vehicle charger network will have on the electric grid, for example. Here are a few links to recent regulations in several countries:

USA: IoT Cybersecurity Improvement Act (2020)

UK: Product Security and Telecommunications Infrastructure (PSTI) Bill (2022)

EU: EU Cybersecurity Act and certification framework (2019); Cyber Resilience Act (2022)

China: Cybersecurity Law (2017); New measures for Cybersecurity Review (2022)

Malaysia: Guidelines for Secure Internet of Things (2020)

What do recent regs mean for coders?

Grey: Current practices such as default passwords will not meet legislative requirements. Security must be designed in from the outset, not at the end of the project.

What’s your quick list of best practices for creating secure systems?

Grey’s best practices:

  • The latest software is the most secure. That’s because it addresses currently known threats (CVEs, or Common Vulnerabilities and Exposures). CVEs are fixed first upstream (for open source) and in new software releases for proprietary software.
  • Open-source platforms (Linux for SoCs; Zephyr, FreeRTOS and many others for MCUs) are open to scrutiny and continually updated to counter the latest threats. Or, you had better completely trust your proprietary black box provider.
  • A unique Root of Trust should be installed on every device.
  • ALL software on an end device should be updatable -- we don't know what we don't know, as we learned with Spectre and Meltdown. This includes secure boot firmware on Arm and BIOS on x86.
  • Older software can be patched. This includes the LTS, or Long Term Support, program in open source projects, but generally the older the software, the longer it will take to receive fixes, with corresponding risks of cyberattacks and irreparable brand damage.
  • Device provisioning should be simple and not involve the end user. This means secure device onboarding.
  • The OTA (Over the Air) update platform itself must be secure, obviously! This includes The Update Framework (TUF).
  • Always threat model the worst cases. Ask: what if my devices are compromised? For example, can I mitigate by rotating keys/authentication OTA to regain control, including with TUF?
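As an added illustration of the last two points (not code from the article, from Grey or from Foundries.io): a minimal Go check implementing the TUF root-rotation rule that lets a fleet owner move to new signing keys after a compromise. The Root struct is a simplified stand-in of our own design, not the real TUF metadata format; the rule itself (new root signed by a threshold of the currently trusted keys AND a threshold of its own keys, version incremented by one) is what TUF specifies.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Root stands in for TUF root metadata: trusted keys and the signing threshold.
type Root struct {
	Version   int               `json:"version"`
	Threshold int               `json:"threshold"`
	Keys      map[string][]byte `json:"keys"` // key ID -> Ed25519 public key
}

type Signature struct {
	KeyID string
	Sig   []byte
}

// countValid counts distinct keys with a valid signature over payload.
func countValid(keys map[string][]byte, payload []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := keys[s.KeyID]
		// Length check first: ed25519.Verify panics on a malformed public key.
		if ok && !seen[s.KeyID] && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, payload, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// VerifyRootRotation applies the TUF root-rotation rule: the candidate must be
// the next version, signed by a threshold of the CURRENTLY trusted keys (one
// leaked key cannot hijack the fleet when Threshold >= 2) and by a threshold of
// its OWN keys (proving the new keys are really held before trust moves over).
func VerifyRootRotation(trusted Root, candidate []byte, sigs []Signature) (Root, error) {
	var next Root
	if err := json.Unmarshal(candidate, &next); err != nil {
		return Root{}, err
	}
	if next.Version != trusted.Version+1 {
		return Root{}, errors.New("root version must increase by exactly one")
	}
	if countValid(trusted.Keys, candidate, sigs) < trusted.Threshold ||
		next.Threshold < 1 || countValid(next.Keys, candidate, sigs) < next.Threshold {
		return Root{}, errors.New("signature threshold not met by old and new root keys")
	}
	return next, nil
}
```

A device that stores only the current Root and applies this check to each OTA-delivered root can be walked, version by version, onto fresh keys even after one of the old keys has leaked.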

Editor’s Note: The panel on Best Practices for Managing IoT Systems Security will be held June 28 at 2 p.m. as part of the Embedded Technologies Expo & Conference in San Jose, co-located with Sensors Converge. Registration is online.