Australia's IoT Cybersecurity Guidelines Highlight Importance of Embedded Device Security

While Australia’s initiative is not unique, it illustrates the growing realization that companies can no longer ignore the need to secure IoT devices. The Australian Initiative, at least for now, is voluntary. Other governments are taking this further, passing laws requiring minimal levels of security and it is not unreasonable to think that Australia will eventually follow suit.

Regardless of the legal status, this raises the stakes for OEMs building IoT devices.

IoT Security Principles

The 13 principles outlined in the document, while perhaps not comprehensive enough, provide a strong foundation for security of IoT devices. While some of the items relate to providing consumers with control over their personal data and ensuring consumers can actually help manage the security of their devices, most are aimed at increasing the security of IoT devices. These include:

• No default or weak passwords
• Secure software updates
• Secure key storage
• Encryption of data at rest and data in motion
• Minimizing attack surfaces
• Secure communication
• Secure boot

These requirements map into the IoT Identity and Integrity solutions provided by Sectigo.

IoT Security Implementations

The Australian Cybersecurity guidelines highlight the importance of building security into IoT devices. This requires security features that protect the device from attack, protect the integrity of the device, and enable device identity. Sectigo’s IoT authentication and integrity solutions provides IIoT and IoT OEMS with best-in-breed solutions for authenticating and securing connected devices, including:

• Secure Boot.Provides embedded software APIs that ensure software has not been tampered with from the initial “power on” to application execution. Secure Boot also lets developers securely code sign-boot loaders, microkernels, operating systems, application code, and data.

• Device Identity Certificates. Adding digital certificates to devices during manufacturing ensures that devices are authenticated when they are installed on a network, as well as before communicating with other devices in the network­—protecting against counterfeit devices being introduced into the network.

• Embedded Firewalls. By working with real time operating systems (RTOS) and Linux to configure and enforce filtering rules, embedded firewalls prevent communication with unauthorized devices and blocking malicious messages.

• Secure Elements. OEMs and medical device manufacturers should use secure elements, such as a trusted platform module (TPM) compliant secure element, or an embedded secure element for secure key storage. Secure key storage enables secure boot and PKI enrollment using key pairs generated within the secure element, providing very high levels of protection from attacks.

• Secure Remote Updates. It’s important to validate that device firmware has not been modified before installation. Secure remote updates ensure components are not modified by bad actors and are authenticated modules from the OEM.

Keeping IoT devices and information safeguarded from cyberattack is not simple and will never be perfect. It’s an ongoing battle. Cyber criminals are always improving their methods and developing new, clever attack tactics. However, staying current with cybersecurity best-practices and using proven security solutions, including those outlined in the Australian Cybersecurity Guidelines, provides a strong foundation for protecting devices from cyberattacks.