IoT Cybersecurity: Best Practices and Future Development

Published on 14 mai 2020 In: Trend

  • Reading time10min.
  • LevelExpert

With the massive development of connected objects, the question of cybersecurity arises. How to protect your IoT network? Interview with Hatem OUESLATI co-founder of IoTerop, an expert cybersecurity company.

IoT Cybersecurity: Best Practices and Future Development

Attacks on IoT devices increased nine-fold between the first half of 2018 and the first half of 2019, from 12 million to 105 million, according to Juniper Research. In order to better understand the challenges and risks of cyberattacks for companies using connected objects, we met with Hatem Oueslati, co-founder of IoTerop (, an IoT device management company specializing in cybersecurity for smart objects. We discussed with him the challenges, good practices, and technological development related to IoT cyberattacks.


IoTerop, expert in IoT cybersecurity

ELA: Hatem, can you tell us more about IoTerop and the Open Mobile Alliance?

Hatem OUESLATI: "IoTerop was founded in 2016 by three Intel alumni. IoTerop's customers use our device management solutions to support operations and control the costs of large IoT deployments. The more complete your device management capabilities, the higher your ability to manage costs associated with devices, communication, and operations. Our clients unlock value by reducing the resources IoT requires.

Our solutions support the Lightweight M2M standard (LwM2M). Since the beginning, IoTerop has played the dual role of LwM2M implementation expert and active proponent of the LwM2M standard.
IoTerop's Chief Product Officier David Navarro was recently appointed to the Open Mobile Alliance SpecWorks board of directors. Collectively, this board, composed of AT&T, Ericsson, T-Mobile, ARM, Itron, Qualcomm, and, of course, IoTerop works to define open standards for managing and securing connected objects as well as pushing industries to adopt LwM2M. It is important to understand that standards like LwM2M, which help to reduce costs, complexity, and security issues related to large IoT deployments, play a crucial role in supporting widespread IoT adoption."


Impacts and risks for businesses linked to cybersecurity of connected objects

ELA: What are the risks for companies using connected objects?

Hatem OUESLATI: "IoT security is a monumental challenge. Poor security practices applied even to a single device, can have devastating consequences. In addition to data loss, one pirated, a device can be used to access networks, eventually compromising other devices, systems, and companies.

In 2016, the largest ever denial-of-service attack (DDoS) was launched against service providers OVH and DYN, using a botnet that had compromised hundreds of thousands of IoT devices. It brought down many web sites, including: Twitter, The Guardian, Netflix, Reddit and CNN. The hacker used an openly available software called Mirai to create this botnet. Once Mirai had infected a computer, it scoured the internet looking for insufficiently protected IoT devices, in this case mostly cameras and DVRs, infecting them with the virus so they could then be used to launch the DDoS.

Unfortunately, the lack of IoT security is too often the rule and not the exception. In far too many cases, the data these devices capture isn't even encrypted when transmitted over networks, allowing third parties to compromise it. For the sake of safety, connected systems and their data must be secured end-to-end, using robust, reliable, and regularly updated mechanisms."


Good practices to prevent security issues

ELA: What are the best practices organizations should be considering to prevent cybersecurity attacks?

Hatem OUESLATI: "Security, collecting, and analyzing data are all fundamentally linked to industrial IoT adoption (IIoT). IoT security must be practically integrated into IoT solutions from conception. International standards, like LwM2M shine in that not only do they provide comprehensive security mechanisms, but they do so in a way that is open and interoperable.

IoT is also different in that security must be adapted both to the device and the operational environments. We don't do security on an IoT device the way we would do it on a PC. IoT security must take into account device processing capabilities, memory limitations, energy consumption, and finally, bandwidth limitations, commonly seen on low-power wide-area-networks (LPWANs). These security elements must be able to evolve over the life cycle of the device. New threats will inevitably emerge after deployment. Knowing this, robust device management capabilities, like software updates, are vital to protecting IoT solutions over time.

Finally, security must be understood to be dynamic and not static. So, if a device is behaving atypically, a new security key may be provided, or, in the case a device has been severely compromised, credentials revoked.

Massive IoT deployments are relatively new. Most organizations are still studying the different practices and use-cases, as deployments grow, organizational knowledge and practices will improve."


Which technological choices to secure connected objects?

ELA: What security technologies for connected objects would you recommend?

Hatem OUESLATI: "Security standards are the foundation. Using solutions based on an open standard, like LwM2M, assures a solution is secured end-to-end using widely-accepted, state-of-the-art authentication and encryption practices.

IoTerop's goal is to help companies securely manage billions of devices by leveraging international standards, primarily the OMA's LwM2M, but also COAP/OSCORE managed by the Internet Engineering Task Force (IETF), who historically defined the massively used Internet Standards TCP/IP. These are currently two of the most influential standards bodies in the industry. We sit on the OMA board, and work with them, providing us the opportunity to see and define their technology roadmaps.

For example IETF manages security standards like DTLS, TLS, and finally OSCORE used to efficiently manage authentication and encryption of communications on connected devices. In some cases, TLS is too heavy, especially for non-IP networks like NB-IoT. In this case, it is better to use DTLS over UDP or even OSCORE, both attractive alternatives, especially over non-IP networks, like LPWANs. Of course, security must be dynamic even in these constrained environments with the ability to remotely provide updates or new security keys on an as-needed basis. These device management features relate directly back to LwM2M and CoAP protocols and how they offer a standardized way to bootstrap, provision, and configure devices, as well as provide other core device management capabilities.

As new vulnerabilities are discovered, organizations must be able to adapt counteracting threats. That is the whole idea behind LwM2M, providing secure, end-to-end updates and device management, giving organizations the ability to adapt solutions, and control costs.

The OMA's LwM2M and the IETF's OSCORE are state-of-the-art technologies for remote management and security and will play a key role in supporting IoT adoption."


The future of IoT security

ELA: What is the future of IoT security?

Hatem OUESLATI: "Telecoms, large industrial groups, and governments are all going to impose regulations and international security standards as it is in their collective interests. Open standards like those supported by the OMA SpecWorks and IETF organizations which originated out of the mobile telephone industry are already used by each one of us every single day. It is the telecoms, device manufacturers, and smart-meter providers who are pushing for technologies that are the most adapted for securely managing large IoT deployments. Unfortunately, despite this tendency, there are still too many poorly secured, proprietary solutions on the market.

Interoperability, device management, and security for our smartphones and our internet applications seem self-evident today, but they are only possible thanks to the adoption of open standards, the origin of these initiatives often come from these same consortiums.

Beyond encrypting data, organizations will continue to improve their ability to manage IoT security solutions from end-to-end remotely as they understand device management impacts operational costs."