Comment: How IoT manufacturers can build cyber resilience into their devices

With the availability of high-speed connectivity, increased product capabilities and an appreciation of the value of data, we’ve seen a global proliferation of IoT devices in recent years. It’s estimated that there are now around 15 billion of these connected products around the world – a number that is expected to double by 2030. These devices include everything from fitness trackers and smartphones to security cameras and industrial sensors.

The problem, however, is that it can be difficult for manufacturers to secure all these products. It’s not always possible to prevent physical tampering and monitoring can be difficult as connectivity is hard to guarantee when devices are in transit or when power is depleted.

And when malicious attackers gain access to devices, it can be hugely damaging for customers. As a result, we’re seeing a significant increase in legislation aimed at tightening up IoT security. In addition to the UK’s Product Security and Telecommunications Bill and the US’s Executive Order on Improving the Nation Cybersecurity, the EU is also introducing its Cyber Resilience Act.

Heightened security demands

The Cyber Resilience Act grants the EU power to remove products from its market (the second largest global market for IoT products after Greater China) and impose fines of up to 2.5 per cent of a company’s turnover. If this doesn’t encourage manufacturers to invest in improving the security of IoT products, I’m not sure what will.

Under the new EU rules, companies manufacturing products that fall under the definition of Critical Class II – which includes operating systems, industrial firewalls and CPUs – will also face third-party security assessments.

There are still some questions that need to be answered in this proposed EU legislation, such as who is responsible if free open-source software (FOSS) is compromised. As it stands, FOSS is exempt but only for non-commercial use. But at the end of the day, it doesn’t matter if this is exempt or not – if there is a vulnerability in an IoT product, manufacturers will need to find a way to resolve the problem.

What needs to change?

I’ve worked on enough IoT device development projects to know security is not always front of mind when budgets are being allocated. With the IoT sector still in its infancy, best practice security is often a secondary consideration. But priorities will need to change. As manufacturers address growing demand for improved IoT security, they cannot adopt the same approach to cyber security that we have seen for the last 30 years.

Given the nature of the devices involved, and the difficulty defending them, a new strategy is required. This is leading to a paradigm shift within the industry, with developers moving away from the citadel style ‘guns, guards and gates’ cyber security approach of old.

We are now starting with the assumption that IoT devices will eventually be successfully attacked – and, as such, we are putting the emphasis on cyber resilience instead. Defences still need to be improved, but we also need to be thinking about detection and recovery services in equal measure.

New priorities 

This will require IoT manufacturers to take full advantage of the security features, such as secure elements that manage encryption keys and certificates, these are often already embedded on the microchips within their devices. But, as they develop new distributed or edge computing products, they will also need to create comprehensive processes to manage  aspects such as the software bill of materials – including external libraries and product modules – and make sure everything can be monitored.

With new vulnerabilities being found all the time, active monitoring must be encouraged. And product users will need easy access to services that can provide them with the security patches they need to protect against common vulnerabilities and exposures (CVEs) and other known exploits. Users need the ability to protect, detect and recover. 

As we enter a new era of cyber security (with AI also likely to accelerate the arms race) the landscape is likely to change quickly. So, it has never been more important to address the weaknesses that have existed within the IoT ecosystem – and make cyber resilience a top priority.

Mozammul Ahmed, edge and embedded technology expert, Mobica