An interview on security challenges of organizations deploying IoT

Posted by Hagai Bar-El on Monday, July 26, 2021 | Categories: Categories: Personal news, Podcasts & shows, Secure design, Security analysis, Security management

| Defined tags for this entry: IoT, SDLC

On July 12^th, I was interviewed on Security challenges of organizations deploying IoT. The recorded (and transcribed) video interview can be found here. For those who prefer a written abstract, here is the outline of what I said in reply to a short set of questions about the security challenges with IoT deployment, and the approach followed at Pelion to overcome them.

The biggest security challenges for IoT projects

One of the biggest problems with Security in general is that of coverage.
- Security is unlike other areas of engineering:
  - In general Engineering, you design one phase at a time, removing abstraction-layers in the process.
  - You have product requirements, then a system spec, HLD, LLD, etc.
  - This way, you know when you’re done: it’s clear when your objectives are met: your code meets a spec, which meets the spec above it, and so forth.
  - In Security Engineering, there is one phase in the process which is not as linear: it’s the phase at which you move from the descriptive security-objectives level to the prescriptive engineering language that is required to get things done.
  - This is where security is an art as much as it’s a science, and this is also where security often breaks.
  - For example: this is the stage where an objective of “users have to be properly authenticated” is translated into specific authentication schemes, along with their implementation requirements.
This is true for all Security, not just IoT Security, but in IoT the situation is yet more critical, because systems are heterogenous and inherently complex, causing this challenge to manifest itself in more places.
In Security Engineering, you never really know when you’re done.
- One problem this causes is that you often stop too early and leave holes in the design.
- Another problem is that it crushes your appetite to improve and for engineers to follow you, because you are never done and the Security process often does not seem to converge.

Pelion’s approach to security

In Pelion, Product Security Governance is treated as science.
- We use a mechanical, almost algorithmic, approach to product security governance.
- We know at every moment where we stand, even for large projects.
  - We know our measurable risks and our non-measurable risks.
  - We algorithmically measure our posture and can demonstrate it. This is important, because:
  - Security has to be seen
    - Security, which is all about prevention, is almost impossible to prove.
    - This makes security half about technology and half about scientific-storytelling.
Treating Product Security Governance as science doesn’t only improve security; it improves confidence in the IoT deployment process.
- Confidence is required for large IoT projects, which are always high-risk.

My top tip for organizations developing an IoT project

Finally, as a top tip for organizations looking to embark on an IoT project, I have two:

Work in an organized fashion
- Don’t just produce endless lists of security requirements, but have a solid structure of what you want to achieve and then move on to how, without ever mixing the two.
Be prepared for most security requirements to not be implemented all at once.
- Be able to tell the implication of all that is imperfect in your security posture at any moment.
- If your security management is focused on perfection — you will get perfection indeed; because your project will never be launched...
- Have a security governance process in place that truly recognizes that security is something you’ll never be done with.
- My second tip in short: Know how to be properly imperfect, by design.