The emergence of the Internet of Things (IoT) has led to a transformation in how we view cyber security, and this is changing the way products are designed.
Since the dawn of the internet, cyber security professionals have sought to keep businesses safe from hackers by placing guards and gates on the borders of the corporate network. But with huge numbers of connected devices now operating outside of those borders, tactics have had to change.
IoT devices are vulnerable to physical tampering, and hacking techniques such as man-in-the-middle and bootloader attacks, can be a problem. The nature of IoT devices also means that 24/7 monitoring cannot always be guaranteed, particularly when they are in transit or running low on battery.
Design with Zero Trust in mind
As a result, there has been an acknowledgement within the industry that it might be impossible to prevent devices from being hacked. As such, greater emphasis is now being placed on cyber resilience – in addition to resistance.
This means that any manufacturer developing a connected device should factor a Zero Trust approach into their product’s development. This will require them to focus on three key elements: prevention, detection and recovery.
1.Prevention
To understand where protection is needed, manufacturers will need to identify all possible weaknesses within an IoT device. This will involve the compilation of a comprehensive software bill of materials that includes all of a product’s modules and external libraries. This will enable all vulnerable elements to be monitored.
2.Detection
Manufacturers will need to incorporate secure mechanism within their products so that the firmware and software running on these devices can be interrogated and validated at each boot and during runtime. If this authentication process flags a failure, the device can then be marked as untrustworthy and earmarked for recovery.
3.Recovery
Manufacturers should be looking to put processes in place to restore devices if the worst should happen, and then protect them from further attacks. End users will need to be provided with regular updates that contain the security patches needed to protect devices against common vulnerabilities and exposures (CVEs).
Embedding security
To enable this approach, however, manufacturers will need to access the secure elements that are embedded on microprocessors and utilise the unique characteristics of silicon chips. For example, this will enable manufacturers to create a ‘hardware root of trust’ that will allow regular firmware signature verification to be carried out.
By taking advantage of these security elements, manufacturers can also mitigate many of the vulnerabilities associated with IoT devices and provide greater resistance to attacks. For example, it will allow them to develop secure enclaves that can keep sensitive information locked away. They will also be able to create unique cryptographic keys, using a true random number generator (TRNG), and provide each device with its own digital fingerprint, using a physical unclonable function (PUF).
If you want to learn more about how best to secure IoT devices, make sure you take a look at the latest Mobica whitepaper Securing the Connected Future. With attacks on connected products on the rise, and regulators demanding stricter standards, this paper will offer you comprehensive advice on what strategies to adopt in order to enable IoT device resilience and silicon chip security.