Is it necessary to restrict access to or control of the device?
In part four of the blog series on principles for IoT security, we look at general requirements in order to help prevent unauthorised access or control. If an attacker gains control of the device they may be able to access sensitive data, or cause problems elsewhere in the network. To reduce this risk, developers should ensure:
- Defences against hacking are designed in from the outset.
- Considering potential attacks during the design stage will ensure the device’s security functionality is built on solid foundations and reduce the risk of serious security architecture issues emerging later in development.
- Development processes incorporate secure coding standards, penetration testing etc.
- Practices such as these reduce the risks of unintentional vulnerabilities occurring in the product and help to identify and fix potential issues.
- Service management occurs over an authenticated channel.
- Only authorised entities should be able to manage IoT services.
The next part will look at principles for software updates to devices.
There are 7 elements to the IoTSF security principles blog:
- Part 1. Establishing Principles for Internet of Things Security
- Part 2. Does the data need to be trusted?
- Part 3. Is the safe and/or timely arrival of data important?
- Part 4. Is it necessary to restrict access to or control of the device? [this blog posting]
- Part 5. Is it necessary to update the software on the device?
- Part 6. Will ownership of the device need to be managed or transferred in a secure manner?
- Part 7. Does the data need to be audited?
Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.