Latest Whitepaper Puts a Lock on IoT Security

Security is critical for IoT devices, but how much is needed for various types of devices? Control systems in nuclear plants need a higher level of security than those in a home toaster, but how does an engineer decide? Cybersecurity firm Icon Labs has developed a whitepaperto guide IoT device engineers and manufacturers in IoT security.

Here's how Icon Labs classfies connected devices.

Icon Labs worked with customers, industry experts, and analysts to develop the guidelines that are designed to make security design decisions a little simpler. The whitepaper identifies four classes of devices ranging from small, Class 1 (8-bit and 16-bit MCUs) devices that have very little room for additional security protocols, up to complex Class 4 devices that run on embedded Linux, Android, or a full-featured RTOS supporting multiple networking protocols.

Stay Secure. Learn more about managing cyber security and hacking during the days of smart plants, sensor-rich IoT, and more at Industry 4.0: Smart Manufacturing, part of Atlantic Design & Manufacturing Expo, June 16 in New York. Register here for the event, hosted by Design News’ parent company UBM.

The idea for a whitepaper came from the wide variety of security needs and varying levels of knowledge among Icon’s client base. “We decided to do this based on the conversation we’ve had with our customers. Some are coming from an IT centric point of view,” Alan Grau, Icon Lab’s president, told Design News. “They don’t really understand the nuances between an IoT gateway and a larger factory control device. So we decided to develop a whitepaper to explain it.”

Icon discovered that many customers had invested deeply in security without reaching down to every connected device. “People say they’ve done the usual stuff using MacAfee and Cisco. They’ve installed multi-million-dollar solutions, but they have nothing that will scale down to a $10 sensor,” Dave West, VP of professional services at Icon Labs, told us. “Or, they have infrastructure that is 10 or 15 years old that was never intended to be hooked to the Internet and now they’re connecting.”

This chart matches the class of device with its apporopriate security.

Grau noted that the level of security needs to be matched to the potential damage of an attack. “It’s a business trade-off. How sensitive is the data? If you’re building toys for kids, you may not be as worried. It’s not a vehicle rolling down the road,” said Grau. “What’s the consequence of the attack? How vulnerable are you?”

Everything seems to be connected to everything else these days. The cybersecurity world is taking a lesson from the Target attack, where hackers got into point-of-sale data by first entering the HVAC system. “People will attack a device just because they’re scanning everything they can find,” said Grau. “They can hijack the device in order to go deeper into the network. So you need multiple levels of security.”

[images via Icon Labs]

READ MORE ARTICLES ON CYBERSECURITY:

Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.