Greetings, and welcome. This week, a promising new approach to more interoperability and security for IoT devices, and yet more proof users need help with passwords. Lots of help. Soon. And often.
As always, your thoughts, reactions, and suggestions welcome. Just send a quick email to email@example.com. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.
Start-Up Aims to Enable Easy, Standardized Security for IoT Devices
What Happened: A new company announced plans to deliver a standard software platform to enable greater security and easier software updates for IoT devices.
- As TechCrunch reported, Foundries.io intends to offer “a standard way to secure devices and deliver updates over the air.” The goal is to provide “a long-term solution to the device update problem by providing a way to deliver updates over the air in an automated manner on any device from tiny sensors to smart thermostats to autonomous cars.”
- The company offers two different solutions. “The Zephyr RTOS microPlatform is designed for smaller, less complex devices. For those that are more complex, Foundries offers a version of Linux called the Linux OE microPlatform.”
- The company is offering three pricing tiers for access to its platform and related resources. A hobbyist and education package is $10 per month. Zephyr RTOS is $10,000 per year, while Linux OE is $25,000 per year. “These are one-time prices and apply by the product, regardless of how many units get sold and there is no lock-in,” according to the company’s CEO.
What It Means: Anything that makes it easy and affordable for IoT device developers to improve the security of those devices is good for them, good for users, and good for the entire IoT market.
What You Should Do: If you manufacture IoT devices or services, you should already be looking at what Foundries.io is doing. There will likely be competitors, but there is a lot to be said for a fixed-price, security-minded solution that lets you focus on quality and competitive differentiation. If you are pursuing or considering an IoT device deployment, you should ask every actual and potential provider if they are considering or planning to support the Foundries.io platform. Any who are not should be scrutinized closely regarding current and planned support for security and update features. (See “Patch Management: Why It Matters, Why It’s Likely Broken at Your Business, and What to Do Now” and “TWiTIoT: This Week in The Internet of Things – Every IoT Device A Security Risk?”)
This Just In, Again/Still: Users Still Don’t Get Passwords
What Happened: A security audit revealed that more than a quarter of officials in the Western Australian government had inadequate passwords.
- As The Washington Post reported, “A security audit of the Western Australian government released by the state’s auditor general this week found that 26 percent of its officials had weak, common passwords – including more than 5,000 including the word “password” out of 234,000 in 17 government agencies.”
- The most popular password? “Password123,” used by 1,464 of the accounts audited. Another favorite was “password1,” with 813 users. “Almost 13,000 used variations of the date and season, and almost 7,000 included versions of ‘123.’” “In one case, the auditors were able to access an agency’s network – with full system administrator privileges – by guessing the password: ‘Summer123.’”
“In the wake of the report, the government has agreed to step up its security game. It’s in the process of developing new practices to help employees store their password information more securely. The new Office of Digital Government will house a cyber security team dedicated to improving security practices government-wide.”
What It Means: The Western Australian government has discovered what too many other organizations either already know or haven’t yet figured out. Left to their own devices, users cannot be depended upon to create or manage consistently secure passwords.
What You Should Do: Implement a password management solution, and enforce its use by everyone, whether that’s just you or an entire team, department, or company. Forbid connection by users who don’t create adequate passwords and update them regularly. Wherever possible, implement and enforce two-factor authentication (TFA) as well. In other words, treat every user and device exactly the way you should be treating every attempted IoT device connection to your network. If you can’t secure it and can’t update that security whenever you want or need to, ban it from your environment.
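One concrete way to “forbid connection by users who don’t create adequate passwords” is to reject, at enrollment or password-change time, exactly the patterns the audit found: the word “password,” a season or month followed by digits, and runs of “123.” The checker below is an added example written for this newsletter, not code from the Western Australian audit or any vendor; the blocklist entries, the 12-character minimum and the regular expressions are assumptions for illustration, and the sample passwords are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed blocklist for this example (a real deployment would load a
# breached-password list with many millions of entries, not a handful).
BLOCKLIST = {"password123", "password1", "summer123", "welcome1"}

# Assumed policy minimum; the article does not state a length requirement.
MIN_LENGTH = 12

SEASON_OR_MONTH = (
    r"(spring|summer|autumn|fall|winter|"
    r"january|february|march|april|may|june|july|august|"
    r"september|october|november|december)"
)
# Season/month, optional separator, a year or short number, optional trailing punctuation:
# catches "Summer123", "Winter2018!", "march.2019" (assumed pattern).
DATE_PATTERN = re.compile(r"^" + SEASON_OR_MONTH + r"[-_.]?\d{1,4}[!.]?$", re.IGNORECASE)

# Ascending digit runs such as 123, 1234, 0123 (assumed pattern for "versions of 123").
SEQUENTIAL_DIGITS = re.compile(r"(?:0?123|1234|12345|123456)")


def check_password(candidate: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    lowered = candidate.lower()
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if lowered in BLOCKLIST:
        reasons.append("on blocklist")
    if "password" in lowered:
        reasons.append("contains 'password'")
    if DATE_PATTERN.match(candidate):
        reasons.append("season or month plus digits")
    if SEQUENTIAL_DIGITS.search(candidate):
        reasons.append("sequential digits")
    return reasons


def audit(passwords: List[str]) -> Tuple[int, Dict[str, int]]:
    """Summarise a list of candidate passwords the way an auditor's report would:
    how many are weak, and how often each weakness pattern occurs."""
    summary: Counter = Counter()
    weak = 0
    for candidate in passwords:
        reasons = check_password(candidate)
        if reasons:
            weak += 1
        summary.update(reasons)
    return weak, dict(summary)


if __name__ == "__main__":
    # Constructed sample set; the first two mirror strings the audit reported.
    sample = ["Password123", "Summer123", "Winter2018!", "correct-horse-battery-staple"]
    weak_count, breakdown = audit(sample)
    print(f"{weak_count} of {len(sample)} candidates rejected: {breakdown}")
```

Pattern rules like these complement, rather than replace, a breached-password blocklist and a password manager: they stop the specific habits the audit exposed (“Summer123” would have been rejected on three separate rules), but a passphrase that passes every rule is still only as good as the user’s ability to keep it unique, which is the job the manager and TFA do.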