How do you secure small, low-power devices?

Should you secure small devices or the network to which they are connected? Steve Rogerson listened to a webinar to find out.

The nature of the IoT means there are lots of low-powered devices out there. I mean we are talking millions, many millions. Only this week, Vodafone was celebrating connecting its 200 millionth IoT device. Well done.

But, having so many small devices in the field must bring smiles to all those bad actors who want to hack into our networks and cause disruption. Protecting them can be a nightmare. It is alright developing complex security algorithms that consider every possible attack, but try running them on a soil moisture detector in the middle of a field in some vast rural area. You can’t.

The big security fixes draw lots of power, need processing capabilities, memory and so on that these devices just don’t have, and they can be incredibly difficult if not impossible to update over the air when new vulnerabilities are spotted.

And this is not something you can ignore. Regulations, both in place and on the horizon, are demanding certain levels of cyber security even for the little devices. And if you try to ignore that, you could end up being criminally liable if there is an incident caused by someone who accessed the networks through one of those devices. And on a lesser scale, but still important, insurance companies may refuse to offer cover if you can’t prove everything is secure.

I was reminded of all these problems last week listening to an IMC online webinar addressing this very topic. There the panellists suggested two different approaches. The first is to go down the security-by-design approach to make sure all these little devices are protected.

Now, as said, that is tricky because they are not sophisticated devices, but you can use that to your advantage. If there is not much code running on the device, it can be easier to protect because of its simplicity. The attack surface can be reduced dramatically.

These devices don’t have a lot of brains, pointed out Martin Jefferson from Globalstar. They don’t have the processing power to run really complex encryption algorithms or security protocols. Over-the-air updates have to be minimal and as simple as possible to make them as low cost as possible.

“You need to start early,” said Matt Wyckhouse, CEO of Finite State, who added security should be part of the development process from the outset. If you reduce the attack surface, more effort can be put into securing that attack surface. It was important though to make sure the hardware and software teams were working together and they understood the security needs.

But, and it is a big but, lots of devices are already out there and some are expected to operate for a decade or more. These were not made secure by design yet they present an attack surface that can be vulnerable. Remember, we are not just talking about traditional attacks that can close down networks, but data poisoning where these sensors start feeding back erroneous information. If one does that, not so much a problem, but if half a million do it, it can lead to really bad decisions.

That is where the second approach comes in, and that is applying the security in the network to which all these devices are linked. Train the network to spot unusual data coming from the devices and, if it happens, check it out. This is the option preferred by Syed Z Hosain from Aeris Communications.

Z said large numbers of devices made it tougher to implement security by design, so monitoring, detecting and securing in the network was probably the best approach. That is where you get the biggest bang for your buck, he said.

Any unusual transmissions, he said, needed to be looked at. If a device has been out in the field for years, operating in a particular way, and then that changes, there has probably been a violation that needs to be investigated.
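The network-side check described above, as an added example (not code from the webinar or from any panellist's company): each device's new reports are compared with that device's own history, and the fleet is flagged when a large share of devices deviate at once, which is the data-poisoning case. The device names, sample reports, thresholds and function names are constructed assumptions.

```python
from statistics import median

def mad_bounds(history, k=5.0, floor=1.0):
    """Limits from a device's own past values: median +/- k * MAD.
    floor stops a perfectly steady device from getting a zero-width band."""
    m = median(history)
    mad = max(median(abs(x - m) for x in history), floor)
    return m - k * mad, m + k * mad

def check_device(history, new):
    """history/new are lists of (seconds_since_last_report, reading).
    Returns which aspects of the new reports left the device's baseline."""
    reasons = []
    for idx, name in ((0, "interval"), (1, "reading")):
        low, high = mad_bounds([h[idx] for h in history])
        if any(not low <= n[idx] <= high for n in new):
            reasons.append(name)
    return reasons

def check_fleet(fleet, alert_fraction=0.2):
    """Flag deviating devices; 'coordinated' is True when the share of
    deviating devices reaches alert_fraction (assumed threshold)."""
    flagged = {}
    for device, (history, new) in fleet.items():
        reasons = check_device(history, new)
        if reasons:
            flagged[device] = reasons
    return flagged, len(flagged) / len(fleet) >= alert_fraction

# Constructed sample: soil moisture sensors reporting roughly hourly, ~31 %.
HISTORY = [(3600, 31.0), (3605, 30.5), (3598, 30.8), (3602, 31.2)]
FLEET = {
    "sensor-a": (HISTORY, [(3601, 30.9)]),  # behaves as it always has
    "sensor-b": (HISTORY, [(60, 30.7)]),    # suddenly reports every minute
    "sensor-c": (HISTORY, [(3600, 85.0)]),  # on schedule, implausible value
}

if __name__ == "__main__":
    flagged, coordinated = check_fleet(FLEET)
    for device, reasons in flagged.items():
        print(f"{device}: investigate {', '.join(reasons)}")
    print("fleet-wide deviation:", coordinated)
```

Because the baseline is computed per device, the check needs nothing from the device itself, so it also covers units already in the field that cannot be updated.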

So which is best? Making sure the device is secure or securing everything in the network? The answer, of course, is you should consider both. Make sure your devices in the field are as secure as possible, and new devices are secured by design. And, because there are older devices out there and no new device is completely secure, get your network to monitor for unusual activity. It is good practice anyway, and with new regulations coming along, security is no longer optional.

To find out more about IMC webinars, go to www.iotm2mcouncil.org/iot-library/event/imc-events.

And details of this webinar can be found at www.bigmarker.com/series/iot-days-spring-low-power/landing_page.

Details of Vodafone’s 200 millionth connected IoT device can be found at www.iotm2mcouncil.org/iot-library/news/iot-newsdesk/vodafone-connects-200-millionth-iot-device.

For information on what the IMC is doing on IoT security in collaboration with the Global Certification Forum (GCF), go to www.iotm2mcouncil.org/imc-gcf-joint-task-force-on-iot-security.