Is it necessary to restrict access to or control of the device?

In part four of the blog series on principles for IoT security, we look at general requirements that help prevent unauthorised access to, or control of, a device. If an attacker gains control of the device, they may be able to access sensitive data or cause problems elsewhere in the network. To reduce this risk, developers should ensure:

  • Defences against hacking are designed in from the outset.
    • Considering potential attacks during the design stage ensures that the device’s security functionality is built on solid foundations and reduces the risk of serious security architecture issues emerging later in development.
  • Development processes incorporate secure coding standards, penetration testing, etc.
    • Practices such as these reduce the risk of unintentional vulnerabilities occurring in the product and help to identify and fix potential issues.
  • Service management occurs over an authenticated channel.
    • Only authorised entities should be able to manage IoT services.

The next part will look at principles for software updates to devices.

Edited by David Rogers, CEO Copper Horse Solutions Ltd., Member of the Executive Steering Board IoTSF.