As IoT devices proliferate, manufacturers will need to take steps to build greater resistance and resilience to increased criminal attacks.
By Mozammul Ahmed, Embedded Solutions Manager at Mobica, a Cognizant company
During the infancy of the Internet of Things (IoT), when connected products were a novelty, manufacturers may have been given more leeway when it came to securing devices. In those early days, manufacturers were more focused on keeping costs down than on investing in the most stringent security protocols.
But we are now seeing a proliferation of connected devices in everything from our public infrastructure to the workplace and our homes. Today, the average US household is likely to possess between 10 and 20 IoT devices – including connected thermostats, security systems, TVs, smart speakers, wearable fitness devices, and more.
Analysts estimate that there are now more than 16 billion IoT devices active globally – a figure that is expected to reach 29 billion by 2027. Given this speed of adoption, and the increased dependence we have on these products, the concern around security – from consumers, businesses, and regulators – is growing.
Issues extend from threats posed to an individual’s privacy and safety to the potential for large-scale cyberattacks, such as Distributed Denial of Service (DDoS) attacks.
These concerns have already led the US government to introduce the IoT Cybersecurity Improvement Act, which has set minimum security standards for IoT devices. We’ve also seen the Federal Trade Commission (FTC) taking action against companies that fail to adequately secure connected products. In Europe, the EU is also in the process of passing the Cyber Resilience Act, which will allow it to ban products and impose heavy fines on manufacturers that fail to comply with its IoT security standards.
Manufacturers that want to ensure they are meeting these standards and protecting their customers will need to enhance their product designs and processes to combat the threats posed by malicious actors. This is, of course, easier said than done, as the nature of those threats is evolving all the time. But any manufacturer that is serious about increasing its resistance to hackers and building resilience to cybercrime should follow the seven actions outlined below.
The challenge with IoT devices is that they operate remotely, which makes them vulnerable to physical tampering. They also need to receive over-the-air (OTA) updates, which opens the door to hacking techniques such as man-in-the-middle (MITM) attacks. In reality, it is impossible to have 100% certainty that products will stay safe. That is why manufacturers should adopt a ‘zero trust’ approach. This mindset assumes hacks will happen so the consequences can be mitigated. For example, manufacturers could limit the amount of sensitive data that can ever be held on a device.
Manufacturers need to identify all potential vulnerabilities on a device. This will enable them to monitor all the components that could be compromised – and detect a breach if it happens. As part of this process, businesses should compile a comprehensive ‘software bill of materials’ that includes all of a product’s modules and external libraries.
Manufacturers should also incorporate a secure mechanism within the product design that will interrogate and validate the firmware and software on a device whenever it boots up, as well as during its runtime. If any component fails, the devices can then be flagged as untrustworthy and marked down for recovery.
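The check described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from Mobica: it assumes a manifest that lists a SHA-256 digest for every component in the bill of materials, and that the digest of the manifest itself is pinned in immutable storage. The component names and images are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample firmware images (stand-ins for flash partitions).
IMAGES = {
    "bootloader": b"BL v1.2 constructed image",
    "rtos-kernel": b"kernel v5.0 constructed image",
    "tls-library": b"tls v3.1 constructed image",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(images: dict) -> bytes:
    """Factory step: record one digest per component, canonically encoded."""
    entries = {name: sha256_hex(blob) for name, blob in images.items()}
    return json.dumps(entries, sort_keys=True).encode()

def verify_boot(manifest: bytes, pinned_digest: str, images: dict) -> dict:
    """Return the trust decision and the list of components that failed."""
    # 1. The manifest itself must match the digest held in immutable storage.
    if not hmac.compare_digest(sha256_hex(manifest), pinned_digest):
        return {"state": "recovery", "failed": ["manifest"]}
    expected = json.loads(manifest)
    failed = []
    # 2. Every listed component must be present and match its digest.
    for name, digest in expected.items():
        blob = images.get(name)
        if blob is None or not hmac.compare_digest(sha256_hex(blob), digest):
            failed.append(name)
    # 3. Anything on the device that the manifest does not list is untrusted.
    failed += sorted(set(images) - set(expected))
    return {"state": "recovery" if failed else "trusted", "failed": failed}

MANIFEST = build_manifest(IMAGES)
PINNED = sha256_hex(MANIFEST)  # assumed to live in ROM or a secure element

if __name__ == "__main__":
    print(verify_boot(MANIFEST, PINNED, IMAGES))
    tampered = dict(IMAGES, **{"tls-library": b"tls v3.1 with implant"})
    print(verify_boot(MANIFEST, PINNED, tampered))
```

The same function can be called periodically at runtime; a device that returns `recovery` is the one to flag as untrustworthy.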
Regular OTA updates can be used to help improve the performance of products and protect them from common vulnerabilities and exposures (CVEs). If manufacturers become aware of any weaknesses or cyberattack exploits, they can also provide additional security patches.
To increase tamper resistance, manufacturers can take advantage of the ‘secure elements’ on microprocessors embedded in their devices. This will create an isolated environment within the product where sensitive information, such as security keys and certificates, can be stored and processed. These secure areas are already being utilized by companies such as mobile payment providers and digital content streaming services.
It is possible to give each device its own ‘digital fingerprint’. Using the physical characteristics on a silicon chip, the chip manufacturers can create a physical unclonable function (PUF) that can reliably generate an unpredictable key that does not need to be stored or distributed before manufacture. This unique identity can be used in cryptographic processes that will secure OTA updates – and prevent MITM attacks.
A device’s digital fingerprint can also be used to prevent known vulnerabilities, such as fault injection attacks during the boot process. It can do this by creating a ‘hardware root of trust’ when in bootloader mode – enabling the main application to be validated. Cryptographic keys, created with a device’s unique identity, can also restrict access to the debug ports that physically reside on the devices.
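How a device-unique secret can back both OTA authentication and debug-port access is sketched below. This is an added example, not code from the article or from Mobica. It assumes the PUF output has already been stabilised into a fixed byte string, that the vendor holds an enrolled copy of the derived keys, and it uses HMAC as a symmetric stand-in for whatever scheme a real product uses; the PUF value and labels are constructed.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869), all-zero salt; `info` separates keys by purpose."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def update_tag(ota_key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: bind the tag to both the version and the payload."""
    return mac(ota_key, version.to_bytes(4, "big") + payload)

class Device:
    def __init__(self, puf_response: bytes):
        # Keys are re-derived from the PUF at each boot, never written to flash.
        self._ota_key = hkdf_sha256(puf_response, b"ota-update-auth")
        self._debug_key = hkdf_sha256(puf_response, b"debug-port-unlock")
        self._nonce = None

    def accept_update(self, version: int, payload: bytes, tag: bytes) -> bool:
        expected = update_tag(self._ota_key, version, payload)
        return hmac.compare_digest(expected, tag)

    def debug_challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh per attempt
        return self._nonce

    def debug_unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected, self._nonce = mac(self._debug_key, self._nonce), None
        return hmac.compare_digest(expected, response)

# Constructed stand-in for one chip's stabilised PUF output.
PUF_A = hashlib.sha256(b"constructed PUF response, device A").digest()

if __name__ == "__main__":
    dev, key = Device(PUF_A), hkdf_sha256(PUF_A, b"ota-update-auth")
    tag = update_tag(key, 7, b"firmware 7")
    print(dev.accept_update(7, b"firmware 7", tag), dev.accept_update(7, b"tampered", tag))
```

A package altered in transit, or a tag issued for a different device, fails the comparison, and each debug challenge can be answered only once.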
Taking these seven steps will provide much deeper layers of product protection – helping to increase resistance and resilience to cybercrime. It will also ensure that manufacturers stay on the right side of regulators and, most importantly, allow end users to enjoy the benefits of their IoT devices without having to worry about security threats or compromise.
For more information on how to protect connected products please read the Securing the Connected Future guide, which can be found at Mobica.com.
Moz Ahmed is an Embedded Solutions Manager at Mobica.