As digital transformation materializes, businesses are becoming more reliant on devices that support valuable IoT services. As the reliance on these devices grows, so does the number of cyberattacks on connected solutions. Each breach not only impacts corporate reputation, but also bottom-line profitability and has legal ramifications. To limit these damaging consequences, the manufacturers (and suppliers) of IoT devices must move quickly to stay ahead of the threat.
In some countries, governments and industry bodies are trying to safeguard their citizens with legislation, standards and baseline requirements that force or encourage device makers to implement appropriate protection. Customers are also becoming more aware of the threats to their devices and to corporate or personal data. Recent surveys show many people are not buying smart home products such as locks and cameras because they have concerns about their security.
Original equipment manufacturers (OEMs) must build customers’ confidence in these products and in the data they generate if they want to capitalize on the opportunities created by digital transformation. The only way to do that is by designing security in and embedding it in every layer of a connected device.
IoT security challenges
Not all OEMs have the time, resources, or specialist expertise to invest in security. Securing an IoT device is complex. It requires an understanding of hardware, software, operating systems, and application security. It also takes time to identify and assess different security solutions, which can increase time-to-market. Implementing protection adds to the cost per unit and the bill of materials as well, and more than half of respondents to our 2021 survey of technology industry leaders said the extra cost of security was one of the top barriers to implementation. So, is that a good enough reason to skip it?
To answer that, consider the potential impact of a security breach on your customers, whether they are individuals or organizations. A vulnerability in a single product can bring down an entire network, which could have significant implications if it’s, for example, part of the health, water, or energy infrastructure. The financial costs of a successful cyberattack could also be high, and you may be putting your reputation at risk if you do not follow best practice.
Fortunately, there are five key steps OEMs can take to reduce the complexity of security and the time and cost involved in building the right protection into their device(s), from the ground up. They are:
Step 1: Follow a framework
IoT security frameworks democratize security. They make it quicker, easier and more cost-effective to build a secure product, even if you do not have a team of security experts. They also standardize security, so the ecosystem approaches design and implementation in the same way.
In many cases, the frameworks have been designed by world leading firms, and they include a suite of free resources to help you adopt best practice and meet basic security requirements. It may be useful to choose a framework that aligns with legislation, standards and baseline requirements, such as the global standard ETSI EN 303 645, NIST 8259A in the USA, or other industry schemes. This is particularly valuable if you operate in several markets.
Step 2: Complete a threat model and security analysis
A threat model and security analysis (TMSA) is the next step on your security journey and it helps you establish your audit trail of best practice. By carrying out a TMSA, you will be able to identify the threats to your device and the action you must take to keep it – and the data it generates – secure.
A TMSA helps you avoid under- or over-investing in security at the outset and means that costly changes later in development are less likely. It will also help you embed security into every layer of your device.
Look for frameworks that provide examples you can adapt for your use case if you want to make the process even easier.
Step 3: Implement a Root of Trust
According to the National Institute of Standards and Technology (NIST), a Root of Trust (RoT) is: “Highly reliable hardware, firmware, and software components that perform specific, critical security functions.” Those functions may include cryptography, attestation, trusted boot and secure storage.
A RoT is built into the silicon. It puts fundamental security features at the heart of the device, and it gives application developers a secure foundation to build on. It is recognized by several industry schemes and some cyber insurers. As Tim Davy, Cyber Senior Security Specialist, Munich Re, explained: “Having components that are built on a Root of Trust within an organization or system helps insurers to compartmentalize risk and reduce the cost of inaction. With more trusted components comes greater business resiliency and more understanding of supply chains that keeps the cost of failure to a minimum.”
If you choose components that have a RoT you will know security has been built in, which takes the hard work out of securing your device.
Step 4: Seek third-party evaluation and certification
However, you will also want to showcase your investment in security so customers know your products can be trusted. Third-party evaluation and certification will offer customers and the wider ecosystem peace of mind – and that assurance is what will enable you to scale deployment.
To become certified, independent security experts will assess your implementation against best practice, and your alignment with legislation, standards, and baseline requirements. The certification will be awarded if appropriate measures have been taken.
Step 5: Increase collaboration
If you leverage the expertise of the ecosystem, you can break down the barriers to security highlighted above and ensure you do not face these security challenges alone. There is already widespread support for a more collaborative approach. Most of the technology industry decision makers (85%) that responded to the PSA Certified 2021 security survey said they were interested in sharing knowledge of IoT security.
So, how do you do that? One option is choosing components that have already been assessed as being secure, which enables you to benefit from the knowledge of industry leaders. In some cases, you could even capitalize on their investment in security by re-using their certification to support your own journey.
Reducing the complexity of IoT security
The five steps set out above reduce the complexity of security and minimize the time and cost involved in securing an IoT device. They also help scale digital transformation across industries, building more secure products, that generate data people can trust, and that can be used to create new services.
1. Frameworks make it quicker and easier to implement security and reduce the time and cost involved in protecting an IoT product.
2. A threat model and security analysis will help you determine the right level of security for your device, and the steps you must take to secure it.
3. Implementing a RoT enables you to build your device on a foundation of security.
4. Third-party evaluation and certification help assure customers that you have designed products in line with best practice.
5. Finally, by working closely with the ecosystem you can simplify and speed-up security implementations, helping instill confidence in the IoT.