The experience of the medical device industry is offering some broader lessons about device security as we enter the era of the "Internet of things." The most basic lesson of device security is one that has already been learned regarding software security: It can't be bolted on as an afterthought. To be integral, device security must be incorporated in all stages of the product development life cycle.
Medical devices are serving as pioneers in mastering the incorporation of security in hardware devices. This is due largely to the particularly demanding requirements of medical device security, underlined by new draft regulations from the FDA. Among the challenges specific to medical devices is that security add-ons may require recertification of the device.
As Matt Neely reports at Infosec Island, the basic lesson is a familiar one, that security cannot be an afterthought. This lesson has been fairly well learned in the software world. But as Internet-connected "smart" devices become more prevalent, the lesson must also sink in on the hardware side.
The key to this, argues Neely, is integrating security into the product development life cycle. This cycle has six essential stages: specification, design, development, testing, manufacturing, and delivery. The earliest stages are the most critical, since these are where device requirements are established and implemented. For security to be integral it must be implemented in these stages.
But ensuring device security does not end with manufacturing, or even delivery to the customer. The customer must be trained to recognize and understand the device's security features, or they will prove ineffectual.
Moreover, security is a moving target, so maintaining the device's security involves identifying new threats and patching the device's software accordingly. Hardware components cannot be so readily "patched," but ongoing security experience can (and must) be incorporated in the next generation of the device, closing the circle of the product development life cycle.
As the Internet of things becomes more pervasive, these lessons will have to be absorbed by makers and users of the growing range of smart, connected devices. GRT Corporation brings nearly two decades of security experience to the task of making your company's devices more secure.