Security-By-Design: The Mantra for Securing IoT

The Internet of Things requires more than traditional security safeguards. Are you ready?


IBM and IDG Content

Smart thermostats, autonomous vehicles, wind turbine farms—these are among the myriad products and commercial assets rapidly being linked to the Internet of Things (IoT). While this universe of “connected things” is sparking new experiences and business models, it’s also opened up a raft of security challenges that many IT organizations aren’t fully equipped to deal with.

The installed base of IoT-enabled devices is forecast to grow to almost 31 billion worldwide by 2020 and soar to 75.4 billion by 2025, according to industry estimates. Protocols for safeguarding IoT devices are similar to enterprise IT security practices—authentication, authorization, encryption and decryption, data integrity, and key management, among others. But the new frontier also introduces additional considerations, as there is a wider range of device types operating in a less controlled environment with an expanded attack surface.

Even in this early stage, there has already been a rash of IoT-based attacks. A major DDoS attack launched by the IoT Mirai botnet took down portions of the Internet by infecting vulnerable devices like digital cameras and DVR players with malware. In another instance, a team of researchers took control of an SUV through its CAN bus. On the industrial front, there are reports that over 60,000 Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) have vulnerabilities that could be exploited to take over energy or transportation systems. More recently, Gartner found that nearly 20% of organizations observed at least one IoT-based attack in the past three years. As a result, Gartner projects worldwide spending on IoT security tools and services to reach $1.5 billion in 2018, a 28% jump from 2017 levels, and to hit $3.1 billion in 2021.

There is no one-size-fits-all IoT security architecture—needs vary depending on the organization, the product or service, the scope of the environment, the potential risks, and the possible threat vectors, among others. In all cases, however, the entire ecosystem of devices, networks, and applications must be considered when scoping security practices for a particular IoT system. With that in mind, consider these best practices when moving forward:

  • Start with a security-by-design mentality, meaning security is considered at the earliest stages of product development, including a full analysis of potential attack surfaces and robust threat modeling. Using a system modeling tool with a security viewpoint can aid in threat modeling and help anticipate potential weaknesses. It’s also important to ensure device protection with multiple layers of defense.
  • Design for privacy by employing data separation, segregation, redaction, and data transform techniques that remove personally identifiable information. Leverage tools with centralized controls for real-time data security and monitoring, automated compliance reporting, fine-grained database auditing, and data-level access controls to aid in this effort.
  • Test for security vulnerabilities. Simply put, this must be an integral part of IoT implementations. Standard security testing techniques apply here, including code analysis and ethical hacking, which help verify that security mechanisms and services perform as designed.
  • Establish a continuous delivery method to make security updates available to devices long after they are in the field. Remember that problems and new vulnerabilities will evolve and change post-deployment.
  • Leverage security intelligence analytics to pre-emptively identify and manage the threats that pose the greatest risk to your business, accelerating investigation times and ensuring a timelier response to potential incidents.

Given the high stakes and expected widespread deployment of IoT devices over the coming years, IoT device security must be an integral part of the complete product lifecycle in order to fully mitigate potential risks. The good news is a partner like IBM can help show you the ropes—and help secure that wider range of device types operating in a less controlled environment with an expanded attack surface.

To learn more about IBM’s IoT security solutions, visit https://www.ibm.com/security/cognitive

For more information on this topic, don’t miss our podcast, The exciting truth about IoT, with IBM’s Stephen Biller or our infographic, Next-gen Technology Adoption.