Security and the IoT are terms becoming intrinsically linked in the grand discussion of connected devices and their envisioned applications in virtually every aspect of our ecosystem, whether it be consumer wearables, medical devices, or industrial systems.

Ted Harrington, Executive Partner, Independent Security Evaluators, made this comment recently inIoT World News: "IoT is very much a double edged sword. After all, the more companies collect and store data – the more reason hackers have to target them. And the more objects we connect – the more openings we create for technological infiltration."

Harrington went on to note that he believed that security is not a development priority in the IoT industry today. "If you consider the types of security vulnerabilities that plague this industry, it clearly demonstrates the security is not built in.  If secure design principles were better integrated into product design, many of the fundamental flaws would disappear," he added.

This sentiment hasn’t been lost on connected device developers and the main reason why many organizations like the Industrial Internet Consortium are collaborating with industry leaders to develop security guidelines and best practices for IoT manufacturers. For some developers, the new challenges presented by connected devices are causing them to go back to basics and even rethink the term security and what it means in the IoT.

For example, Colin Walls, an embedded software technologist with Mentor Graphics said in an article in New Electronics: "I’m worried about use of the term ‘security’, because it can mean one of several things; all of which are important. For example, it can mean protecting data you’re transmitting that you don’t want people to see. It can also mean preventing people from getting into systems. Then there’s making systems safe. Safety and security are not the same thing; safety is protecting the world, while security is vice versa."

The new generation of embedded system developers are essentially in the same predicament that ISVs of traditional PC applications found themselves in years ago. Do they invest in acquiring the expertise in new technologies required to secure and protect connected devices or collaborate with outside security experts to help them build-in security by design – the classic Make or Buy dilemma. It’s a major consideration and a decision not easy to make. Let’s take a look at some of the factors involved in securing IoT devices:

Integration in devices and software

• Device-specific licensing
• Multi-platform support
• End-to-end turnkey protection and licensing from product planning, development, operations and maintenance
• Industrial-grade properties (small footprint)
• Support for OPC UA
• Secure boot

Upgrades and updates

• Secure updates
• Feature on demand licensing 

Licensing models

• Models tailored to the IoT (i.e. pay per use license models)

License management, access rights, and certificates

• Simple integration in all business processes, from development and production to sales and servicing
• License management via the cloud, with 24/7 self-service capabilities, including license activation and returns, transfer to other devices, upgrades, license renewal or cancellation.

Scalable safeguards

• Flexible pricing and service packages for different use cases
• Complete hardware, software, and cloud-based solutions
• Industrial-grade secure elements in common form factors

Protection

• Data integrity
• Proof of origin
• Tamper protection
• Protection against reverse engineering, copying, or cloning
• Authentication
• Access rights

If you would like to dig deeper into these many security considerations, I invite you to download Wibu-Systems’ whitepaper, Licensing and Security for the Internet of Things.