Recently Witekio hosted a deep dive into IoT system security at its Securing IoT Systems End to End webinar. Three speakers took an engaged and curious audience through all elements of end-to-end security for connected systems in a 2.5-hour session that was both entertaining and informative.
Nicholas Beck was the first to speak and introduced the essential notion of IoT Security Standards – Worldwide Synergies and Variances. Starting from the fundamentals of information security (CIA – Confidentiality, Integrity, and Availability), Beck explained the need for security and the secure development lifecycle before introducing the IoT standards. He explained how different national and regional regulations and legislation impacted the applicable standards but warned that the landscape was constantly evolving. Regulation was only increasing over time and while there are many best practices shared between standards, each standard was still different and required specific attention from development teams.
Following Beck was Ed Langley who built on the idea of standards by introducing one of the core best practices in IoT security. His presentation, Introduction to Security by Design: Baking Security in from the Outset explained the theory and practice of security by design, and the ways it can improve the overall security outcomes of software development. Langley argued that security is not something that is added to a product just before it hits the market, nor is it a stage in development separate to other stages. Less a specific framework, it is a specific mentality and approach to security that ensures that at every stage of the development process security concerns are top of mind. Langley guided the audience through secure development practices from the initial risk identification to code reviews, penetration testing, and release archiving.
The final speaker, James Barrett, was charged with presenting on the theme Securing IoT Systems End to End. Under this broad umbrella he explored topics including building and testing for security (PKI, zero trust, and effective monitoring), the evaluation of threat and risk right across the system, and then turned to penetration testing. Pen testing, Barrett explained, is a means of gaining assurance in the security of a system by the attempted breach of that system’s security using the same tools that a bad actor might employ. Effective pen testing helps identify issues before a product goes to market and spotlight vectors that could fall victim to bad actors adopting techniques and tools that didn’t exist when a product was launched.