Recommendations for IoT Firmware Update Processes: Addressing complexities in a vast ecosystem of connected devices

By Sabri Khemissa, IT-OT-Cloud Cybersecurity Strategist, Thales

Traditionally, updating software for IT assets involves three stages: analysis, staging, and distribution of the update—a process that usually occurs during off-hours for the business. Typically, these updates apply cryptographic controls (digital signatures) to safeguard the integrity and authenticity of the software. However, the Internet of Things (IoT), with its vast ecosystem of connected devices deployed in many environments, introduces a host of complexities that drive the need for process re-engineering.

Developers, for instance, cannot ignore the fact that their IoT product is being integrated into a complex system, and they must consider how it can be securely updated while still co-existing with other products. Implementers, meanwhile, must take into account the entire (and complex) system, including the specific constraints of each IoT component.

Complicating matters further, there are many variations in the IoT systems that require software and firmware updates. For example, some IoT systems are often on the move and require relatively large downloads—such as connected vehicles. Other IoT systems, like smart home and building devices, are more static. Regardless, the factors associated with network saturation during downloads to hundreds or even thousands of devices must be considered. Equally important is the impact of failed firmware updates on consumers.

Mitigating Attacks with IoT Firmware Update Guidelines

To assist enterprises in navigating myriad complexities, CSA’s IoT Working Group compiled a set of key recommendations for establishing a secure and scalable IoT update process. Our latest report, “Recommendations for IoT Firmware Update Processes,” offers 10 guidelines for IoT firmware and software updates that can be fully or partially integrated. Each suggestion can be adapted and designed for custom firmware updates that recognize unique constraints, dependencies and risks associated with IoT products, and the complex systems they involve. These recommendations target not only developers and implementers, but also vendors who must design solutions with security in mind.

It’s our hope that addressing this process will mitigate the attack vectors that hackers can exploit. You can read the full report to get a deeper sense of the challenges involved and for a set of best practices to overcome them.

Securing the Internet of Things: Devices & Networks

By Ranjeet Khanna, Director of Product Management–IoT/Embedded Security, Entrust Datacard

The Internet of Things (IoT) is changing manufacturing for the better.

With data from billions of connected devices and trillions of sensors, supply chain and device manufacturing operators are taking advantage of new benefits. Think improved efficiency and greater flexibility among potential business models. But as the IoT assumes a bigger role across industries, security needs to take top priority. Here’s a look at four key challenges that must be taken care of before realizing the rewards of increased connectivity.

Reducing risk
Mitigating risk doesn’t always have to come at the expense of uptime and reliability. With the right IoT security solutions, manufacturers can assign trusted identities to all devices or applications to ensure fraudsters remain on the outside looking in. Better yet, the integration of identity management can also pave the way for improved visibility of business operations, scalability, and access control. Instead of getting caught off guard by unforeseen occurrences, manufacturers will be prepared to address problems throughout every step of the product lifecycle.

Setting the stage for data sharing
Data drives the IoT. As more data is shared across connected ecosystems, the potential for analytics-based and even predictive advancements increases. Such improvements, however, aren’t all positive. Increased data sharing opens the door to additional cyber attacks. To help keep sensitive information under wraps, businesses should consider embedding trusted identities for devices at the time of manufacturing. From electronic control units within cars to the connected devices that make up smart cities, introducing trusted identities promises to not only secure data sharing, but also improve supply chain integrity and speed up IoT deployments along the way.

Securing networks & protocols
Through the IoT, old networks and protocols are being introduced to new devices. Enterprise-grade encryption-based technologies keep both greenfield and brownfield environments secure, regardless of protocol. While this extra step may take some time, the benefits are well worth it. Whether it’s an additional source of revenue or heightened security, implementing solutions that are effective across systems, designs and protocols can help ensure improved security for years to come.

Tying identity to security
Physical and digital security may seem like different subjects on the surface, but a closer look reveals some valuable similarities. Just as authorization is needed to enter a highly secure building, sensitive information should only be made available to users with the proper credentials. Dependent upon a variety of conditions – such as the time of day or type of device – rule-based authentication is one way to ensure untrusted devices or users can’t access a secure environment.

Supply chain and device manufacturing operators have not yet taken full advantage of IoT’s impressive potential. By enabling fast-tracking of deployment timelines and allowing organizations to more quickly realize business value in areas such as process optimization and automation, ioTrust could soon change that. Leverage the power of ioTrust to stay one step ahead of the competition.

Note: This is part two in a four-part blog series on Securing the IoT.
Check out Part One: Connected Cars