environments? Does it need to talk to a central server, or can you have hubs in your
environment to accommodate the local network and local updating?
You also have to think through its default communication strategy. For example, if the
device loses contact with the server it is supposed to communicate with and gets no reply, does
it shut down, or disable key features? Considering all of its attack surfaces and failure modes
matters not only for remote operations and data transfer but is critical for planning device security.
The attack surface your device offers is potentially enormous. In planning for system
security, one of the biggest questions is what you want to allow the device to receive
and how it can take action. Aronchick says, "If a device never has to open a port or listen
to anything, it will be pretty secure. Restricting what that device does as a result of
communications will reduce a whole class of potential attacks."
Many solutions require regular communications, however, so you must have a plan
for updating your devices. Device updates must take place reliably and securely,
which requires having immutable identities built into those devices, certificates that
authenticate communications, use of encryption, and secure communications channels.
You must plan how you will handle failures when they happen. For example, if device
communications fail midway through an update, what's the fall-back strategy?
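As an added illustration (not code from the report or its authors) of the update behaviour described above, the following Python sketch assumes an A/B slot layout: a manifest is authenticated before anything is downloaded, the image is streamed into the inactive slot, and the active slot is switched only after the whole image verifies, so a connection lost midway leaves the device running its current firmware. An HMAC with a constructed key stands in for the certificate-based signature a real device would check.

```python
"""A/B firmware update: authenticated manifest, staged download, atomic switch."""
import hashlib
import hmac
import json

# Constructed sample key. A real device would verify a public-key signature
# chained to the vendor certificate instead of sharing a symmetric key.
UPDATE_KEY = b"constructed-sample-update-key"


def sign_manifest(manifest: dict, key: bytes = UPDATE_KEY) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(image: bytes, version: int) -> tuple[dict, str]:
    """Server side: describe an image and sign the description."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest)


class Device:
    def __init__(self, version: int, image: bytes):
        self.slots = {"A": {"version": version, "image": image}, "B": None}
        self.active = "A"

    def apply_update(self, manifest: dict, tag: str, stream) -> str:
        """Returns 'applied', 'rejected' or 'aborted'; never leaves a half-written active slot."""
        if not hmac.compare_digest(sign_manifest(manifest), tag):
            return "rejected"  # unauthenticated or tampered manifest: do nothing
        if manifest["version"] <= self.slots[self.active]["version"]:
            return "rejected"  # refuse downgrade or replay of an old update
        staging = "B" if self.active == "A" else "A"
        buf, digest = bytearray(), hashlib.sha256()
        try:
            for chunk in stream:  # chunks arrive over the (unreliable) link
                buf.extend(chunk)
                digest.update(chunk)
        except ConnectionError:
            self.slots[staging] = None  # drop partial image; keep running active slot
            return "aborted"
        if len(buf) != manifest["size"] or digest.hexdigest() != manifest["sha256"]:
            self.slots[staging] = None  # image does not match the signed manifest
            return "rejected"
        self.slots[staging] = {"version": manifest["version"], "image": bytes(buf)}
        self.active = staging  # single assignment after full verification
        return "applied"


def interrupted(chunks, fail_after: int):
    """Constructed link that drops after `fail_after` chunks."""
    for i, chunk in enumerate(chunks):
        if i == fail_after:
            raise ConnectionError("link dropped mid-update")
        yield chunk
```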
An important architectural consideration that influences the nature of device
communications across the control plane is how much processing occurs locally
on the device and how much occurs in the cloud. When it comes to smart systems,
machine learning (ML) is everywhere, analyzing data from many devices to automate