The following article is written by our partners at Veridify as part of our “In Conversation With…” series.
Over the past year, many of us have spent a lot of time indoors and the quality of that inside space has become more important than ever. For business leaders, maximizing the safety, security, sustainability and efficiency of their buildings is vital too. That is why they use connected technologies to help them optimize these environments.
A smart office or factory can contain thousands of Internet of Things (IoT) devices. The problem is not all of them are secure. So, does that matter? At Veridify, we believe it does. A flaw in a single product can expose an organization, its people and customers to enormous personal, financial, and reputational risks.
Smart Building Devices Should Have Security Built-in, Even if They Are Small or Resource-constrained
The challenge we face in securing the IoT is that it is diverse. It includes large industrial machinery and smaller, inexpensive sensors. The higher value products are typically managed directly by an individual. Low-resource devices, which are often deployed at scale in connected spaces, cannot easily be updated or maintained. However, they still perform vital functions and, therefore, require the same level of security and management as high-end devices. Despite this, in low-resource devices, security is often skipped.
To help original equipment manufacturers (OEMs) build more secure products, we are taking a close look at a smart building device and highlighting six features that help to protect the technology from the increasing number of cyberattacks. The capabilities outlined below reflect industry best practice and are included in the PSA Certified 10 Security Goals, a key part of the PSA Certified scheme that aims to reduce the barriers to IoT security, making it quicker, easier and more cost-effective to get secure products to market.
Six Security Considerations for Smart Building Devices
- There Should be a Secure Connection Between a Device and an Owner
The number of connected devices that are being shipped every year continues to grow, as does the amount of data users collect on them. Protecting the data and ensuring the device only takes commands from an authentic owner is critical. We can do this by assigning a unique identity to the device and securing communication between it and the owner, aligning to the 10 Security Goals.
- They Must be Able to Perform Vital Security Functions, using a Root of Trust
That includes critical device-to-device functions like authentication and data protection, and they should enable features including secure boot and secure firmware updates. Implementing a hardware-based Root of Trust creates a trusted environment in the silicon.
- Zero-touch Provisioning Will Help Speed Up Secure Deployment
Zero-touch onboarding enables us to scale mass IoT deployments by reducing the time it takes to onboard devices securely, while provisioning of data and configuration settings in the field help to ensure the product remains secure throughout its lifecycle, as mentioned in the Security Goals. Zero-touch features also lower the cost and time involved in managing ownership and maintenance over the lifetime of a device.
- Security Must Be Reusable and Scalable
The onboarding and chain-of-custody operations must be able to easily scale to hundreds, thousands or potentially millions of devices globally by building on a common hardware-based Root of Trust.
- Pre-existing Systems Should Be as Secure as New Technologies
In a typical building automation setting where thousands of connected controllers and edge devices have to be protected, device-level security for new systems and the retrofitting of security to existing systems should be allowed.
- Protect Every Device in the System
In a building automation system, for example, security has to extend to every device – even the smallest IoT products and sensors. Small code size can help ensure all devices are protected and vulnerabilities are minimized.
Quickly and Easily Address Threats to the Security of Your Device
Our customers understand the importance of protecting their assets, including the data generated and controlled by their remote or connected devices, but we also know they can perceive security projects as uncertain, costly, complicated and difficult to manage in the field. Fortunately, there are ways to simplify it.
Veridify’s Device Ownership Management and Enrollment (DOMETM) client software secures pre-existing systems and low-resource devices connecting to IoT gateways and provides security provisioning and authentication functions. It makes the management and transfer of device ownership easy and there is no need for pervasive network or cloud connection. It also offers our customers added peace of mind because the DOME Client Library has achieved PSA Certified Level 1 accreditation, so they know best practice has been followed.
We believe that by achieving the PSA Certified Level 1 milestone, DOME better addresses the safety and security requirements of our global customers.
We also believe PSA Certified’s approach to security is critical to establishing trust in our new connected environments because it gives device makers a foundation to build assurance on. DOME’s Client Library runs on the ST Microelectronics’ STM32L5 MCU, which has shown protection against scalable software attacks and achieved PSA Certified Level 2. It is also built on the PSA Certified Level 1 Arm® Mbed™ OS.
It is important that we collaborate with partners across the ecosystem and draw on their best practice. Buildings are becoming smarter through the connection of different automation systems, access controls, environmental, and IoT networks. However, to maximize the benefits of this digital transformation we need to work together to develop technologies that help building operators provide a safe operating environment for owners and tenants; prevent hackers from using operational technology to access IT systems; and ultimately protect people’s private and confidential data.
Learn more about the DOMETM platform by visiting our website.