The numbers speak for themselves: There will be 1 trillion connected devices by 2035, but less than 4% of new devices include embedded security. Keep in mind that years, or decades will pass, until today’s embedded devices will be decommissioned. This is a Tsunami in the making, and we predict that the big disasters are still ahead of us.
The silver lining is twofold: First, awareness is raising rapidly. Second, there are a number of comparatively easy remedies.
This article is based on Haydn Povey’s keynote at ECS 2018.
Security is Everyone’s Job
All too often, security is an afterthought. Management sees security as a cost. The first step is to convince the leadership of an organization that security is an opportunity, not just a cost. In fact, security can be unique selling point and can provide value that customers are willing to pay for. The most prominent example of this is Apple, which used their T2 security chip extensively in their marketing. Also, security is clearly the leading barrier for IoT adoption. Addressing this will unlock a huge market.
It’s not just the premium that customers are willing to pay. Proper security also prevents theft of IP. While thus far, authorities had a focus on watches and handbags, trade with counterfeit electronics and spare parts is growing rapidly.
Last, it’s pointless trying to avoid security: regulation is coming from everywhere!
Once management embraces security, the organization can follow. Of course, not everybody needs to be a security expert. Rather, all employees need to understand appropriate security policies and frameworks.
True Traceability Through Supply Chain
Haydn Povey compared security to hygiene in food production: we can trace a steak on our plate back to the cow it came from, covering everything from an uninterrupted cooling chain to the animal’s medication record.
The same could be achieved with IoT products as well, in principle. In fact, chipmakers are busy preparing the infrastructure for this. But achieving this is only possible if security starts with inception. We cannot rely on firewalls any more, every devices is an island with its own defenses. It’s an asymmetric war after all, the bad guy only have to succeed once.
Security Code of Practice
As an example for harvesting the “low hanging fruits”, Haydn Povey pointed out that the 13 guidelines from the UK’s Code of Practice for consumer IoT security are fairly easy to implement. These are:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
IoT security is coming, and this is a good thing. Rather than fighting it, we should embrace it. And doing so may actually give us a competitive advantage, and will ensure that we won’t be a casualty.