IoT security advice from Watchfinder CIO Jonathan Gill
Identify and isolate devices, use encryption - and "don't trust vendors", says Gill
Jonathan Gill, IT director at retailer Watchfinder.co.uk, gave delegates at Computing's Internet of Things Business Summit 2016 some tips on securing IoT projects. Here's a rundown:
1. Isolate devices
Gill said that he "doesn't trust vendors" with data. So he treats IoT devices the same way that he treats CCTV cameras: each of them should be isolated on the network so that no one can see them, and so that they can't communicate (or be made to communicate) with another device.
2. Encryption
It may be straightforward to encrypt 200 IoT devices, but if a business has 20 million devices it becomes a much bigger effort and expense. Gill said that, for example, it could cost £1.50 per device for encryption, which would mean spending millions on encryption alone.
Therefore, it would make more sense in those instances to look for other ways of encrypting the data. This is a particular challenge, said Gill, because some connected devices were made before IoT was even thought of as a concept and therefore they may be harder to encrypt.
"This is an area that hasn't been solved very well, as yet," said Gill.
3. Identification
Gill said another security measure was to find out the device's origin. "How can you prove that the device is telling the truth?" he asked.
One way is through certificate authentication. But Gill asked: if the device in question has been mass-produced in China, for example, how is the business to know that the device isn't exactly the same as another device?
"So if you buy the device from a production company or vendor, how do you then ensure that the equipment can be identified back to your systems?"
4. Trust
Gill warned delegates that there are many vendors, large and small, that are jumping on the IoT bandwagon. "They say they can give you the world, but sometimes you don't need the world. So always approach [IoT] with your business in mind," he said.