CAMBRIDGE, Mass. -- Makers of Internet of things devices need to incorporate security into them during the design phase to make them less of a threat when connected to networks, according to speakers at an IoT security forum.
In addition they need to consider early on what regulations the devices will have to comply with so those requirements can be baked in and not added later when they would be less effective, according to advice delivered at the Security of Things Forum 2015.
Josh Corman, CTO for Sonatype and co-founder of I Am The Cavalry, an industry group urging cyber safety in cars, urged IoT vendors to follow the cavalry’s five-point plan for auto safety.
It encourages: safety from the design phase; encouraging third-party researchers to test systems without threat of legal action; installing data-gathering devices like airplane black boxes to assist forensics; readily downloadable software updates; and segmenting and isolating critical systems from, say, entertainment systems.
While the Five Star Automotive Safety Framework is tailored to motor vehicles, there are lessons there for any networked thing, he says.
An important principle is to think about what happens if the security of a device is breached. “All systems fail,” Corman says, “we just want to be prepared for when they do.”
As sensors – a common category of IoT devices – become embedded in larger systems, such as cars, liability of the manufacturers looms larger, says Andrea Matwyshyn, a professor of law at Northeastern University. If software in IoT devices in cars is exploited to create catastrophic accidents, the liability disclaimers that software developers have been asserting for years may lose their bite, she says.
At the same time, liability laws for physical devices have been carefully thought out over years of case law. Shifting software liability into the realm of physical objects needs to be done conscientiously because it could disrupt the legal balance.
She cited an Oklahoma case where a jury found reckless disregard against Toyota for its electronic acceleration system that jammed and resulted in a fatal accident. As more and more software and computers are added to cars, this type of case and hence potential liability for the quality of the software will become more common. “Software is written by humans,” she says. “Mistakes will happen.”
Architecture considerations should also come into play in designing IoT devices. Makers of IoT devices should think about how their products might be networked and make their communications channels conform to standards friendly to hub-and-spoke networking, says David Miller, CSO of Covisint. That way when a problem arises with a device – or with software or communications channels associated with multiple identical devices – it can be dealt with centrally, making remediation simpler. “It’s easier to fix problems in one place,” he says.
Sign up for CIO Asia eNewsletters.