How IoT manufacturers can build cyber resilience into their devices
Image by vectorjuice on Freepik
As the appreciation of data-driven insights gathered from both consumer and industrial products continues to grow, IoT devices are proliferating globally. With the availability of high-speed connectivity spreading around the word – and the development of ever more capable products – many of the technical barriers that have previously restricted these devices are no longer a problem, writes Mozammul Ahmed, an edge and technology expert at Mobica.
It’s estimated that there are now around 15 billion connected products in operation globally – and this number is expected to double by 2030. These devices include everything from fitness trackers and home security cameras to telematics solutions and industrial equipment sensors.
This phenomenal growth is creating a problem, however. As we become more and more dependent on IoT devices, people are increasingly concerned about their dependence on the internet – and how vulnerable they are to malicious actors.
Due to the nature of these devices, they can also be difficult to secure. Often operating in remote locations, it’s not always possible to prevent physical tampering. Remote monitoring can also be difficult if a device is in transit or when power is depleted as continuous connectivity cannot be guaranteed.
There are plenty of examples of malicious attackers that have gained access to devices, to either invade the personal privacy of someone’s home or to compromise companies so they can demand a ransom. This can be hugely damaging for everyone concerned – and it exposes manufacturers to major financial and reputational damage.
Heightened security demands
As a result, we are increasingly seeing regulators proposing legislation that aims to ensure manufacturers tighten up IoT security. In 2021, we saw the Executive Order on Improving the Nation’s Cybersecurity in the United Sstates, which aimed to increase the level of testing and assessment on IoT products. In 2022, the United Kingdom passed the Product Security and Telecommunications Bill and in 2023, we have the European Union introducing the Cyber Resilience Act.
The Cyber Resilience Act is perhaps the most significant legislation to date, as it will grant the EU the power to remove products from its market (the second largest global market for IoT products after Greater China). It can also impose fines of up to 2.5% of a company’s turnover.
The EU has also proved it is prepared to stand firm when it comes to these issues, even against the biggest companies in the world. When Google launched its chatbot Bard and Meta its new social media app Thread, they made headlines around the world. However, both these launches were forced to proceed without any presence in the EU, as they fell afoul of its data privacy laws.
This should encourage manufacturers to pay close attention to these new regulations, and ensure they are meeting the latest standards on IoT product security. Under these new rules, companies manufacturing products that fall under the definition of Critical Class II – which includes operating systems, industrial firewalls and central processing units (CPUs) – will also face third-party security assessments.
There are still some questions that need to be answered in this proposed EU legislation, such as who is responsible if free open-source software (FOSS) is compromised. This is a bit of a grey area because, as it stands, FOSS is exempt, but only for non-commercial use. At the end of the day, however, it shouldn’t matter whether the source of a compromise is FOSS. If there is a vulnerability in an IoT product, manufacturers will have a duty to resolve the problem and ensure their customers are safe from malicious players.
What needs to change?
I’ve worked on enough IoT device development projects to know security is not always front of mind when budgets are being allocated. The IoT sector is still in its infancy, and as manufacturers have focused on encouraging adoption, the priority has mainly been on keeping costs down. As such, best practice security has often been a secondary consideration. But things clearly need to change.
The complication for manufacturers looking to address IoT security, is that they cannot simply assume the same approach to cyber security that IT professionals have adopted over the last 30 years.
Given the nature of the devices we are talking about, and the difficulties involved in defending them, a new strategy is required. This realisation has led to a paradigm shift within the IT security industry. We are now seeing device developers move away from the citadel style ‘guards and gates’ security approach of old.
Instead, they are starting with an assumption that each IoT device will eventually be compromised – and, as such, the emphasis has now shifted to cyber resilience. While device defences can still be improved, much more thought is being given to how a successful attack can be detected, vulnerabilities identified, and recovery supported.
New priorities
To enable this to happen, IoT manufacturers are going to need to take full advantage of the security capabilities available to them within a device. This includes the secure elements which are already embedded on microchips. They are able to manage the encryption keys and certificates that can prevent a man-in-the-middle attack, for example.
As manufacturers develop new distributed or edge computing products, they will also need to track all potential sources of a vulnerability. This will require them to produce a comprehensive software bill of materials, including all external libraries and product modules.
With new vulnerabilities being found all the time, active monitoring must also be encouraged. Product users will also need easy access to updates that can provide them with the security patches to protect against common vulnerabilities and exposures (CVEs) and other known exploits.
As the IoT landscape continues to grow rapidly around the world, it has never been more important to address any weaknesses present within connected devices. Customers need greater protection, and the regulators are increasing pressure on manufacturers to provide it.
By taking the steps above, however, they will be able to do this and more. They will give their customers the ability to detect attacks, should that happen, and then take the actions needed to regain control. This is going to be vital as we move into a new era of IoT security, one that is focused on cyber resilience.
Article by Mozammul Ahmed, an edge and technology expert at Mobica.
Comment on this article below or via X @IoTGN