"We really need to treat IoT security with a sense of urgency."
So said Intel general manager of IoT security Lorie Wigle at Intel Security's Focus 16 conference last week.
IoT security is really just security, she said, but the window is closing on the ability to implement IoT with maximum security and minimum risk.
The recent attack on Dyn showed how IoT devices can be co-opted by evildoers.
{loadposition stephen08}Wigle pointed out that item such as fridges and cars have a useful life of 15 to 20 years, so it will be very important that they can be patched and updated throughout that time.
(In the real world this is also an issue for more traditional devices such as computers, smartphones and tablets - for example, there are many Android devices and Apple products that are still in use running operating system versions that are no longer being updated when security issues are revealed.)
But there are also issues stemming from configuration errors rather than software bugs.
The Mirai botnet was possible because so many devices were shipped with default passwords and users either didn't know or didn't bother to change them. Intel is working on technology that will provide devices with preprogrammed credentials so users do not need to use passwords.
The threat defence lifecycle - protect, detect, correct, adapt - should be applied to IoT, she suggested, noting that the 'protect' aspect needs to cover the entire supply chain.
Measures that can be taken on the software side include whitelisting, data encryption, security analytics, policy management, provisioning, and remediation. Hardware techniques such as trusted execution environments also have roles to play.
"No one company can solve the IoT security problem," said Wigle, so Intel is working with a number of device manufacturers including Philips, NCR, Toshiba and Sharp.
Disclosure: The writer attended Focus 16 as a guest of Intel Security.