Where should companies start when it comes to device security?

The Internet of Things (IoT) market has a security problem that is boiling over into a business issue. According to a recent survey conducted by the Ponemon Institute, 59% of embedded product security decision-makers say they’ve lost revenue due to product security concerns.

Connected device manufacturers are increasing production to meet demand in a fast-growing industry. According to McKinsey, the market value of IoT is expected to be between $5.5-12.6 trillion by 2030. That leaves IoT makers in need of a security strategy that can scale with the growing market. But security for IoT devices isn’t yet as mature as other sectors.

IoT devices are discoverable, easy to access, and more connected to physical systems than ever before. This leaves them vulnerable to opportunistic threat actors as well as more sophisticated nation-state attackers looking to carry out distributed denial-of-service (DDoS) attacks, assemble botnets, and direct cyber-physical attacks on critical environments.

The IoT Security Foundation recently released a report that found only 21.6% of firms have a detectable vulnerability disclosure policy and 78.4% of firms would fail a threshold test.

Many device manufacturers struggle to prioritize product security without sacrificing production or incurring large costs. In Ponemon’s survey, most respondents say they struggle with a lack of resources (62%) and lack of in-house expertise (60%) as top obstacles to expanding product security efforts. This shows that security is not yet an executive priority, and that’s having a negative, real-world impact. While only 27% say their company’s leaders require proof of product security, 94% of respondents see a moderate or high impact from recent supply chain compromises on their security priorities.

Customers, for their part, are paying attention: According to Ponemon’s study, 76% of respondents said their customers rank the importance of device security at least 7 out of 10. Securing your connected and embedded products is critical to staying competitive, so let’s look at strategies to create secure products at scale.

Identify your baseline

You can’t secure what you can’t see. If you’re unaware of all the components in your embedded device firmware – like the 70% of Ponemon’s respondents who can’t create a software bill of materials (SBOM) for their devices – any remaining security efforts will have a significant blind spot.

Finding a baseline will offer insight into which vulnerabilities exist within firmware and give you a starting point as you look to improve the device’s security posture. For many manufacturers, penetration testing represents a baseline security tactic, but this type of testing is difficult to scale and impossible to automate.

According to one recent study, commercial third-party code is now more common than in-house developed code. Attackers are more likely to exploit vulnerabilities in widely used components than to launch a bespoke attack on first-party code. When you need to know what’s in your devices without vendor cooperation, binary analysis provides an excellent baseline security testing strategy. Discovering components and identifying servers pinged by the code running in your devices can give you the visibility you need into where your data is going and what software is operating in your devices.

Without this baseline of visibility into binaries, you could allow major security holes into devices deployed in critical environments. For example, DJI drones were found to transmit information to the Chinese government, leading to pressure from the Pentagon to halt their use.

Check credentials and certificates

Analyzing firmware for configuration issues, including hard-coded credentials, is another important step within product testing. Hard-coded credentials are often included into devices at the configuration stage, after security testing has already been completed in some companies. These credentials, in the worst-case scenario, can offer root access to even a low-effort, opportunistic attacker.

Some product risks don’t come from attackers, but from legal issues. Ensuring that security certificates are up to date is also key before deployment. If a certificate expires and the firmware doesn’t know to look for an updated one, it could disable the device.

Meet compliance standards

While no one can guarantee an impenetrable device, it’s imperative that device manufacturers prioritize safeguards as they keep up with product demand. Not only does this go a long way
toward securing your product, but if you can demonstrate your risk mitigation efforts, it will help put your customers at ease.

One route to providing the assurances customers need: voluntary compliance with standards and guidance. The National Institute of Standards and Technology (NIST) published baseline security criteria for consumer IoT devices in August and four documents last December with more guidance.

There is also a network of private regulatory organizations for different sectors like automotive, aviation, healthcare, and information technology. These Information Sharing and Analysis Centers (ISACs) offer their members tools to mitigate risks and enhance resiliency.

While NIST is expected to unveil a labeling program in 2022 to address IoT security concerns, manufacturers can follow the existing guidance and offer customers a window into their security process to offer peace of mind before that standard becomes law.

Motivations for adopting guidance from these organizations range from product confidence to revenue. By identifying what’s in devices and testing those components, manufacturers can prioritize the security of their devices as pressure to hit production deadlines grows.