We’ve seen a sharp rise in the last five years or so in the amount of security assurance and research activities we’re asked to undertake in the embedded system space. This has naturally led us to working increasingly with the Internet of Things (IoT) in a variety of different guises.
In response to this increase in focus we decided to distil our hardware and software product security design, implementation, testing and verification knowledge into a set of pragmatic steps and considerations for device and system implementers. So we’re happy to announce that we’ve just released a new white paper titled:
Security of Things: An Implementers Guide to Cyber Security for Internet of Things devices and beyond
The paper takes the reader through a typical IoT product development life-cycle and associated business discussions highlighting the security and privacy impacting areas and decisions that should be considered, why they should be and the potential ramifications if not. In addition for those less experienced in secure hardware and software development lifecycles we also provide a matter of fact look at some of the challenges along the way.
At a high-level the paper covers in its 35 or so pages the following:
- Why: security and privacy matter in the IoT.
- Trade-offs: between security and cost.
- Foundations: for security in the IoT and the associated threat Landscape.
- High-level considerations: before designing or developing an IoT product.
- Practical steps: for threat modelling and risks assessments of product requirements, features and design.
- Product lifecycle steps and security: at all stages in the lifecycle including concept, design & architecture, implementation, verification and sustainment.
Anyway the paper is littered with both high-level and low-level technical examples and we think strikes a good balance between the need for security and realities of business and risk management.
As we conclude in the paper, which we think sums the situation quite well:
For modern systems to be securely designed, built and sustained requires close collaboration across many phases and teams. Only by taking this holistic approach can vendors hoping to develop secure solutions do so in any meaningful manner.
Getting the Paper
If you’re interested in reading more the white paper can be downloaded here.
As always we love to receive feedback be it suggestions or correction so please get in touch via twitter (@NCCGroupInfoSec), the comments below, our contact form or e-mail (our format is firstname dot lastname at nccgroup dot com to reach the author).
Published date: 08 April 2014
Written by: Ollie Whitehouse