7 Critical IoT Security Practices Every Engineering Leader Should Implement Now

As IoT devices become more integrated into our daily lives, the pressure on engineering leaders to ensure their security has never been greater. Strengthen your IoT security strategy with these seven critical IoT security practices.

The growing demand for connected products is making device security more complex. New IoT security regulations add to the challenges engineering leaders already face, and tight deadlines and budgets mean that IoT security practices can sometimes take a back seat. The 2024 State of IoT Software Development Report uncovered that one in three IoT teams believe their organization’s cybersecurity testing is inadequate.

Governments are stepping in to address these security gaps, rolling out regulatory programs like the EU Cyber Resilience Act and the US Cyber Trust Mark. Frameworks like NIST’s Cybersecurity for IoT and Arm’s PSA Certified aim to provide standards to help companies build in the right level of device protection. Meanwhile, industry organizations like the Connectivity Standards Alliance (CSA) are also weighing in, advocating for a unified, global approach to IoT security.

All this puts significant pressure on technology leaders to safeguard their products—and their company’s reputation. A single vulnerability can lead to expensive product recalls, loss of customer trust, and increased scrutiny from compliance teams.

Adopting IoT Security Practices

So how can you help your team ensure that security is a top priority amidst so many other pressing demands?

In a recent webinar, François Baldassari, CEO of Memfault, and Chris Coleman, CTO, shared their insights into the evolving security landscape. They outlined key IoT security practices to help engineering teams mitigate risks, protect product quality, and stay compliant amidst shifting regulations.

Here are seven essential IoT security practices that should be at the forefront of your strategy.

1. Use Secure Boot and Hardware-Backed Keys

The foundation of a secure device starts with a secure boot process. By ensuring that only authenticated and trusted firmware can execute on your device, you prevent attackers from injecting malicious code. Implement hardware-backed cryptographic keys to further lock down the device.

It’s tempting to think, ‘Oh, we’ll worry about secure boot once the product is functional.’ That sort of behavior needs to change. Scope those key aspects into the PRD at the beginning of a project and make sure the appropriate amount of time is budgeted for it.”

Chris Coleman | CTO | Memfault

🔧 Tip: Many modern microcontrollers include hardware support for secure boot. Leverage these features whenever possible to prevent early-stage attacks.

2. Implement Over-the-Air (OTA) Firmware Updates

Make sure you have a solid software update system so you can resolve problems when you find them. The foundation of secure over-the-air (OTA) updates starts with a hardware-based root of trust. It ensures that the entire security framework is anchored from the moment the system boots. This process is anything but trivial, and trying to build it yourself can lead to serious vulnerabilities.

OTA is a net security gain because it gives you a way to address a known compromise. But it can certainly introduce its own risk if you don’t build it correctly. Building your own homegrown OTA solution is likely to be less secure than relying on a trusted, well-established solution.”

François Baldassari | CEO | Memfault

🔧 Tip: Consider automating OTA update deployment to ensure no device is left behind on outdated firmware, thereby minimizing security risks.

3. Monitor and Manage Device Fleets Remotely

Once your devices are deployed in the field, security doesn’t stop. You need the ability to monitor performance, track issues, and respond quickly to potential vulnerabilities. A robust remote monitoring system gives you visibility into what’s happening across your fleet, enabling faster response times when something goes wrong.

Looking for anomalies in device behavior is one of the easiest ways to detect a security problem—and one of the most overlooked. If your temperature sensor suddenly starts sending a gigabyte of data per day instead of its usual two kilobytes, something is seriously wrong.

You need to be able to identify in the field if devices are behaving erroneously. Are your devices overheating? Are they rebooting unexpectedly? Are you seeing any strange defects? You need to have monitoring in place to be able to detect these signals.”

Chris Coleman | CTO | Memfault

🔧 Tip: Start by tracking a couple signals that are easy wins, like how often the device resets, ingress and egress of network traffic, and which hosts and IP addresses the device is communicating with. These can be signs of memory corruption issues and potential exploitations.

4. Sign Your Firmware Images

While secure boot ensures that only authenticated code runs on your devices, signing firmware images adds another layer of security by verifying the source and integrity of the firmware itself. This practice is crucial for preventing unauthorized or malicious updates from being executed. It creates a trust chain that protects devices from unauthorized code, making it much harder for attackers to compromise systems.

In the early days especially, many teams didn’t even sign their firmware, so anyone could basically create a valid firmware for the device. But that is a huge security vulnerability. Someone can simply figure out the protocol for firmware installation, craft malicious firmware, and force install it on a number of devices.”

François Baldassari | CEO | Memfault

🔧 Tip: Ensure that your signing keys are stored securely and rotated regularly to maintain the integrity of your signing process.

5: Start Collecting a Software Bill of Materials (SBOM)

Implementing an SBOM is a manageable task that can significantly enhance your compliance efforts. For example, if you’re using Yocto for your embedded Linux device, you can easily generate an SBOM by running a specific build command. While it may not be perfect, integrating this process into your build artifacts is a great first step.

Building this muscle now will position your team to better navigate future regulatory requirements.”

François Baldassari | CEO | Memfault

🔧 Tip: Aim to review and refine your SBOM regularly—perhaps once a month—and consider comparing it against Common Vulnerabilities and Exposures (CVE) databases. Leverage tools to assist with this process, making it easier to track your software components and vulnerabilities.

6. Implement Public Key Infrastructure (PKI)

Utilizing a PKI allows you to manage digital certificates and keys effectively. This structure ensures that only authorized devices and users can communicate securely within your network.

It’s important to work hand in hand with vendors who take security seriously. Major semiconductor companies now have dedicated security teams and regularly publish updates. Make sure you’re subscribed to those updates! A few years ago, a major Bluetooth vendor discovered a critical vulnerability in its key exchange system. Imagine if you missed that update—your entire fleet of devices could have been compromised.

🔧 Tip: Ensure that your PKI is regularly maintained and audited to protect against vulnerabilities.

7. Encrypt Data in Transit

Last but not least, encrypt data in transit to protect sensitive information. Utilize TLS for secure communications and consider application-level encryption for protocols like Bluetooth. This helps ensure data integrity.

🔧 Tip: Regularly review and update encryption protocols to keep up with industry standards and emerging threats.

Implementing IoT Security Best Practices

As IoT devices become increasingly integrated into our daily lives, the stakes are higher than ever. Many of these devices control physical access and play crucial roles in safeguarding our environments. The Mirai botnet and several recent baby monitor hacks are just two examples of how insecure IoT devices can lead to devastating outcomes.

The sooner we stop viewing security as an afterthought, the better prepared we’ll be to protect the connected world.

To dive deeper into these strategies and learn how you can stay ahead of new IoT security regulations, watch the full webinar on IoT security best practices with François Baldassari and Chris Coleman.

How Memfault Helps You Implement These IoT Security Best Practices

Memfault provides embedded engineers with the tools they need to implement many of these security best practices, including performance monitoring, OTA firmware updates, and vulnerability tracking. Memfault’s platform enables engineers to remotely diagnose and fix bugs before they escalate, reducing time-to-resolution and risk while enhancing product reliability. See how Memfault works.

Additional IoT Security Resources

• Cyber Resilience Act (CRA) Guide: This comprehensive article explains what you need to know about the EU Cyber Resilience Act and outlines the expected requirements to help you prepare for compliance.
• Full CRA regulation doc: View the EU’s regulatory proposal for adopting new cybersecurity requirements for IoT products.
• Cyber Trust Mark Guide: Learn what the US Cyber Trust Mark is, who it applies to, and how you can start preparing to attain it.
• Cyber Trust Mark Certification Labeling: See the fact sheet on the Commission’s proposal to create a voluntary cybersecurity labeling program to help guide IoT consumers.
• Diving Into JTAG Security: Dive into security issues related to JTAG and the Debug Port.
• On-Demand Webinar: Best Practices for Safeguarding Your Connected Devices: Three embedded experts discuss how to incorporate security into your product development process.