Why it’s time to act on IoT security
When connected products were a novelty, manufacturers may have been forgiven for prioritising cost savings over security – in an attempt to encourage adoption through low product prices. But those days are becoming a distant memory.
The number of IoT devices deployed worldwide has already reached 15 billion, a figure that is expected to double by the end of the decade. These devices are becoming increasingly ingrained in all walks of life and, as with the internet, we are becoming more and more reliant upon them.
In industrial environments, they are now a key component in many of the major technology trends that are transforming business performance – including digital twinning, predictive maintenance and machine learning. These solutions are helping businesses to improve efficiencies, optimise productivity and even create new products.
In the consumer world, they are helping manufacturers to enhance the support they offer to their customers. Connectivity enables companies to monitor performance, offer remote maintenance and deliver additional services, which can be switched on via over the air (OTA) updates. This is opening up new, recurring sources of revenues and helping manufacturers to gain long-term customer loyalty in the process.
The risks are too high
As companies have come to depend on these devices, however, there is an expectation that connected products must be reliable and secure. The consequences for any manufacturer that falls short on these requirements can be severe. Not only is a security breach potentially damaging for the companies and consumers that depend on these products, but any media exposure of a hack can also destroy carefully built brand reputations in an instant.
There is also the concern that criminal enterprises could extort money from businesses if devices are compromised. This could be through ransomware or the coopting of hacked devices into botnets which can used in distributed denial of service (DDoS) attacks.
A broader public concern has now encouraged regulators to take action, to raise security standards across the industry. We’ve seen IoT devices explicitly highlighted in the Executive Order on Improving the Nation’s Cybersecurity in the US and the Product Security and Telecommunications Infrastructure Act in the UK.
Perhaps the most significant legislation to date, however, is the EU’s Cyber Resilience Act. Non-compliance with this legislation could result in products being removed from the second largest global market for IoT products, outside of Greater China, and fines of up to 2.5% of a company’s turnover being imposed.
The IoT security challenge
The problem for manufacturers is that they cannot simply turn to the same security tactics that have protected IT systems for the last three decades. IoT devices often live outside the borders of the corporate network and are vulnerable to physical tampering and remote hacking.
There are actions companies can take to build resilience however, should the worst happen. This includes taking a ‘zero trust’ approach – an assumption that a device will be hacked – and then minimising the risk by limiting the data available to hackers should they be successful. Manufacturers can put processes in place to monitor devices, detect breaches and enable recovery.
Steps can also be taken to add layers of protection to the device itself. This can be done by leveraging the unique features of silicon chips to create a distinct identity for each device and to protect device communications. This will make it difficult for malicious actors to deploy tactics such as a man-in-the-middle attack, that can fake a device update in order to inject malware.
If you are concerned about IoT device security and would like guidance on how to protect connected products, I recommend you read Mobica’s latest whitepaper Securing the Connected Future. This paper takes a broader look at this topic and goes into detail on how manufacturers can deploy solutions, such as True Random Number Generators (TRNGs), Physical Unclonable Functions (PUFs) and Hardware Root of Trust, to secure their IoT devices.