In recent years, the world's appetite for digital transformation across all industries has led to the rapid deployment of IoT devices. With this opportunity comes an increased cybersecurity threat that needs to be addressed, as insufficient security can harm business reputation, carry financial ramifications and ultimately stall digital transformation. Research shows the device ecosystem now recognizes that security is a problem, but significant barriers to security design and implementation remain, including a lack of expertise, fragmentation, and cost.
Last year we launched the #beyondthenow IoT security podcast, and it's been a pleasure to meet and host industry leaders and PSA Certified partners for some insightful discussions. Together we've discussed how we can collectively overcome these challenges and build a secure foundation for the future. Our guests offer expert guidance on the steps we should take today to secure the IoT for tomorrow. The podcast episodes are filled with fascinating insights, but I wanted to share my top ten with you today.
1. Embrace Collaboration To Drive Change
Dr. Sally Eaves, Senior Policy Advisor for the Global Foundation of Cyber Studies and Research
Drawing on her breadth of experience across the tech industry, Dr. Sally Eaves explained the IoT security challenges that businesses, and in particular small businesses, face when trying to protect their devices, including a lack of expertise and misconceptions around security access and cost. Sally offers clarity on the solutions, highlighting the important role of ecosystem partners in combating these challenges: “As the sophistication of security attacks gets greater and greater, we need to do the same from a defense point of view. I think collaboration is the greatest armory we have to be able to do that.” When looking to the future of IoT security, Sally recommends adopting a framework and independent assurance scheme, like PSA Certified, to make IoT security more accessible and shift company culture from a reactive to a proactive security approach.
2. Enable Certification To Scale and Be Reused
Mike Dow, Senior Product Manager, IoT Security at Silicon Labs
Mike Dow built on lessons from his 25 years of industry experience as we covered the challenges of securing an IoT device from the silicon vendor perspective. He explained why he’s so passionate about companies using certification to demonstrate a commitment to security. We discussed the importance of innovation and collaboration to develop an approach to certification that will scale to tens of thousands of devices: “We’ve got to allow inheritance, so that if I do PSA Certified Level 2 or 3, any customer that uses that chip should inherit that goodness. That certification should come with it, and they shouldn’t have to do it again.” He agrees that schemes like PSA Certified can enable mass adoption and drive scaling by being easy to adopt, re-usable, and globally recognized.
3. Price Security in Your Bill of Materials, Just Like the Power Supply
Dr. Juan Nogueira, Senior Director of Connectivity Center of Excellence, Flex
Dr. Juan Nogueira shared insights from his experience at world-leading device manufacturer Flex. Sharing his perspective on the cost of security, he agreed that while the demand for security is growing, "the total cost of ownership is still the main concern of customers when they are architecting a new IoT concept". To combat this concern, he recommends a change in how we think about security: it is not a traditional feature that can be monetized; instead, it is a critical enabler of a company's success. Juan believes security should be priced in as other vital components are: "We should not say that security is adding another cost on the bill of materials (BoM). It shouldn't be considered like that. It should be necessary, like the power supply."
4. Reducing the Complexity of Security Is Fundamental
Richard Barry, Senior Principal Engineer & Founder of the FreeRTOS Project, Amazon
Richard Barry founded FreeRTOS™ 20 years ago, long before there was an IoT. So, how has it evolved to meet the demands of connected devices? Richard says, "The big difference, I think, is the requirement for security." The IoT is multidisciplinary, which means experienced people often find there are gaps in their knowledge when they are tasked with, for example, sending data to the cloud. Considering these complexities and looking forward, Richard cites collaboration as a possible future-proofing strategy that can enable scalable security solutions: "You can see growing coordination between device-side security and cloud-side security to detect threats and isolate misbehaving or compromised devices on the network. I think as time goes on there'll be more coordination between device and cloud for layered security."
5. Trusted Components and Standardized Approaches Will Build Confidence in Connected Devices
Peter Armstrong, Cyber-insurance expert, Munich RE
and Duncan Jones, Senior Product Manager, Pelion
Peter Armstrong outlines how digital transformation, the IoT and the new hyperconnected value chains they facilitate are impacting the insurance world. He explains how the fragmented nature of the IoT is making it harder for insurers to quantify risk and determine liability, affecting the availability of capital and slowing down deployment. Peter’s main recommendation is to adopt industry best practices and build on standardized components, like the PSA Root of Trust: “Defined Root of Trust protocols that talk to nuanced issues can provide confidence and an easy win for insurers.” Common security requirements make it easier for insurers to quantify risk and offer warranties to back new technologies, speeding up the adoption and deployment of connected devices.
6. Work With Trusted Partners to Build on Industry Best Practice
Brad Ree, CTO of the ioXt Alliance
Brad Ree joins us to discuss how the ioXt Alliance is helping to address concerns about the security of connected devices. With a focus on consumers, ioXt provides baseline requirements for manufacturers, alongside dynamic certification, to recognize the fact that the security of a device changes throughout its lifecycle. Brad recommends that device manufacturers "don't go it alone!", suggesting "when things go wrong with security, and things always will go wrong, you don't want to be on your own." This is something the ioXt Alliance is itself demonstrating with its PSA Certified partnership. Understanding the need for trusted hardware, ioXt recognizes the PSA Root of Trust as the secure foundation for connected devices: "Why create fragmentation, when we could just partner and inherit those test cases where we require a hardware Root of Trust?"
7. Make Security Your Unique Selling Point
Jan Münther, Head of Digital Product Security, OSRAM
OSRAM's Jan Münther provides an insight into the digital transformation of one of our most established industries: lighting. Jan says security is beginning to get the attention it deserves in the lighting industry, and customer demands are growing. Security is becoming an important part of the value proposition and should be seen as a major unique selling point: "security of a device is added value; in the market you have a better position." Jan says one of the biggest lessons he learned, and the best advice he has, is "to get your foot in the door at an early stage". He claims the security problems with the highest impact are mainly of a design and architecture nature. Implementing security from the beginning of development and creating a secure-by-design company culture simplifies the security journey, reducing cost and time-to-market.
8. Use Lessons of the Past To Secure the Future of the IoT
Peter Busch, Product Owner Distributed Ledger Technologies Mobility, Bosch
Peter Busch takes us on a journey into the future with this episode on cybersecurity in the automotive industry. On the road, the cost of insecurity could be high, so it's crucial we do everything we can to mitigate the risk. Key to this is collecting trusted data. To generate trusted data, we need trusted devices. These devices should be collecting data responsibly and protecting it cryptographically, so that it cannot be tampered with by attackers. As a result, full autonomy could be further away than we might think: "It's really good that it's developing slowly because we have to control and manage it." To move forward, Peter believes established companies like Bosch need to draw on their experience of building security measures into hardware and apply that to the new challenge of securing the IoT. His advice is to embrace new technologies but learn from your experiences of past technologies, so you don't repeat the same mistakes in new connected devices.
9. Recognize That Greater Transparency Will Earn Consumers’ Trust
Peter Stephens, Head of Secure By Design Cybersecurity, Department for Digital, Culture, Media & Sport (DCMS)
According to Peter Stephens, “there’s this narrative that consumers just don’t care about security.” However, he says: “We did quite a lot of studies into this, and … it’s one of the most important characteristics they look for. But the problem we find is that consumers assume a product’s safe – because it’s for sale.” Educating consumers about device security is just one of the challenges discussed with Peter. We also talk about the importance of security updates to keep consumers safe, and the need for greater transparency to help build people’s trust in connected devices. His advice is to be clear about the level of support product developers offer to consumers throughout a product’s lifecycle: “The more transparent you can be with your consumer I think that’s setting us up for a better relationship between consumers, manufacturers, retailers, and regulators.”
10. Collaboration on an Extraordinary Scale Is Needed To Enable Digital Transformation
David Maidment, Senior Director, Secure Device Ecosystem, Arm
The conversations I have had with industry leaders as part of our #beyondthenow podcasts offer us unique insights into the IoT. The guests represent every part of the value chain, from silicon vendors to device manufacturers, and span multiple vertical markets. We've also had insights from other major players in the ecosystem, including regulators, certification bodies, and insurance providers. The conversations emphasize the ongoing challenges of IoT security and how we can combat them. However, throughout all my conversations I have found one clear theme that persists: the importance of collaboration through industry partnerships. Whether this is between the different members of the value chain or between the industry and regulators, collaboration on an extraordinary scale is the only way we can secure the future of the IoT and unlock the possibilities of digital transformation. PSA Certified is the fastest-growing, rapidly adopted example of a global partnership enabling the ecosystem to work together and build the foundations of a more secure future.
To listen to the podcasts in their entirety, please visit #beyondthenow. You can also listen on Anchor or Spotify, or subscribe to the series on Apple Podcasts.