Designer! Do not forget security in your IoT system

25.01.2018 | industrial internet, industrial, security

Suddenly the central heating is switched off and a Finnish block of flats starts getting colder. A random denial-of-service attack from China brought the central computer of the building automation system to its knees.

The block of flats had a lucky escape. But what if the target was a hospital, an industrial site or a central part of the infrastructure? Or a smart building, or a branch of an enterprise?

“The threat is definitely not an exaggeration. IoT is part of everyday life for all people and businesses. Still, IoT security often has serious shortcomings, even very basic errors,” says cyber security specialist Harri Susi. He runs a software testing team at Etteplan’s Espoo office.

The threats are varied, and criminals are constantly developing new ways to exploit security gaps. “An IoT device can be harnessed as part of a bot network that performs denial-of-service attacks. The device can be harnessed, for example, to mine bitcoins. At its worst, a poor IoT device is a soft route to enterprise infrastructure and critical information systems. A backdoor can be used, for example, for attacks with ransomware,” Harri Susi warns.

Careful design and testing guarantee security

The biggest problem, according to Harri Susi, lies with attitudes.

“Surprisingly many designers take security lightly. At the last minute, they barely remember to close the unnecessary IP ports in the system’s production version,” Harri Susi says, shaking his head.

“It’s worth taking a data security specialist on board already in the design phase of a project. Comprehensive security testing and a secure remote update mechanism for the embedded software are the two crucial items to remember,” Harri Susi points out.

Harri Susi lists three basic data security requirements for any designer to keep in mind:

Confidentiality. Confidential information must remain secret from outsiders. Sensor measurement data shall only end up where it is intended.

Integrity. Data must remain unchanged, for example in the case of a “man in the middle” attack.

Availability. The system must tolerate, for example, denial-of-service attacks.

Tosihack - competition for hackers

Tosibox is a Finnish data security product manufacturer. Tosibox products are used for effortlessly establishing a secure and fast connection to an enterprise system, control system or measurement sensor from virtually anywhere.

Tosibox, Etteplan and Turkusec Association organize a hackathon event called Tosihack in Turku on Saturday, February 3, 2018 from 11am to 6pm.

“We invite experienced data security investigators to compete on which team finds the worst bugs within the device being tested. The discoverers of vulnerabilities and data security issues will be rewarded generously,” promises Harri Susi.

Tosibox will deliver the devices to be tested. Any means are allowed, including JTAG debuggers and soldering irons. The organizers will provide food, refreshments and a nice party after the competition.

Both data security students and professionals are expected as participants. The jury consists of Mr Harri Susi and Mr Arto Kangas from Etteplan and Mr Jari Tenhunen, the CTO of Tosibox.

More information:

Harri Susi, Cyber Security Specialist, Etteplan, Espoo

Arto Kangas, SW Embedded Specialist, Etteplan, Turku

Jari Tenhunen, CTO, Tosibox
