In this blog we reflect on the continued success of the IoT in 2021, the impact this has had on the IoT security landscape, and the PSA Certified founders make their 2022 predictions for the future of IoT security.
2021: A Record-Breaking Year for the IoT
Despite the chip shortage and the supply chain challenges of COVID-19, 2021 was another record-breaking year for the Internet of Things (IoT). By the end of December, the number of connected devices is expected to have grown by 9% to 12.3 billion active endpoints, largely fueled by the digital transformation of different markets including industrial IoT, smart cities, and consumer IoT.
However, we have also seen an unprecedented rise in the number of IoT security hacks, with Kaspersky reporting that figures more than doubled during the first half of 2021. Although we have seen growing awareness of the need for best practice security, more work remains to be done if we are to ensure that security concerns do not damage confidence and slow the adoption of the IoT.
In this blog, the PSA Certified co-founders make their 2022 predictions on the future of the IoT, including new trends, challenges, and solutions.
Increasing Hacks will Heighten IoT Security Awareness
The PSA Certified 2021 Security Report highlighted that many challenges are holding back device manufacturers from implementing best practice security, including the upfront cost, a lack of expertise, and the fragmented regulatory landscape. These challenges are resulting in critical security functions being missed, insecure devices being deployed and the number of successful hacks rising.
However, this rising number of hacks will also increase awareness, among both consumers and businesses, of the importance of IoT security. In fact, this change in attitudes is already being felt today. Even consumers, who have typically prioritized product features and costs, are beginning to understand the implications of using insecure devices within their homes: a third of households that do not own a smart home product do not intend to buy one due to privacy or security concerns. Riscure predicts this growing awareness will be a key trend of 2022:
Multiple security breaches of IoT products will draw public attention to society’s increasing dependency on IoT, and the need to protect this technology better.
This increased number of attacks and heightened awareness of the importance of IoT security will push the industry towards a more proactive approach. Foundational security measures such as a Root of Trust (RoT) and threat modeling will no longer be seen as optional. Arm suggests that for many markets proactive companies will go beyond ‘best practice’ security:
Of course, as digital transformation and the IoT only grow in popularity, we expect hackers and adversaries will continue to take advantage of connected systems. As PSA Certified adoption grows across edge and industrial devices, it’s clear that it’s more important than ever to ensure devices are built with best practice in mind. In fact, many markets will need to go further than “best practice” and we envision that devices will need a more robust PSA-RoT to combat increasingly sophisticated attacks. We’re pleased to see chip vendors taking proactive steps to achieve PSA Certified Level 2 and PSA Certified Level 3.
IoT Security Regulations Will Strengthen
As the number of hacks rises and consumers begin to demand more security, we also expect to see more action from governments and standards bodies to regulate IoT security. There are already several organizations providing guidance on best practices or baseline requirements in a variety of regions and these are increasingly being written into law. CAICT argue that this increase in regulation will again encourage device manufacturers to take a secure by design approach:
As governments of various countries stress the importance of data security and personal information protection, the cybersecurity regulation on related products and services will also be strengthened. In order to meet these compliance regulations, manufacturers and business service providers will increase investment in cybersecurity during the product design, development and production phase.
Device manufacturers will have to start prioritizing security, but for those implementing IoT security for the first time, this will be challenging as they might not have the expertise or the necessary resources. This is particularly true for small businesses where just 41% are satisfied with the level of IoT security in their company. Both SGS Brightsight and Riscure foresee that governments and device manufacturers will therefore look to IoT security frameworks and certification programs for support and assurance, driving adoption across the value chain:
2021 has been a busy year in terms of cyber security standards. 2022 will be similar in this regard, as more security requirements are being introduced for the IoT domain. Security requirements which have already been introduced in the past are steadily being enforced. Many of these frameworks will become part of specific regulations, thereby creating additional drivers for user adoption.
IoT security certification will continue to grow in 2022. Governments will stimulate this in order to get assurance for the technology infrastructure.
Trusted Components and Reusable Certifications Will Speed Deployment
The global chip shortage is expected to continue throughout 2022 and even into 2023. It has already impacted almost all industries, delaying or completely halting the production of products, from cars to appliances. PSA Certified co-founder TrustCB are concerned that this shortage will force device manufacturers to turn away from trusted components to ones that aren’t built on a foundational RoT:
Due to chip shortages and other supply chain issues, device manufacturers will turn to acquiring chips from non-standard sources. Because there is no trusted source and not yet a use of the attestation from the hardware Root of Trust to catch this, the manufacturers end up integrating counterfeit chips with security problems and even malicious backdoors in their products. These security weaknesses are then exploited to great damage to the customer’s assets and the developer’s brand value.
Expanding the number of trusted components that device manufacturers can utilize is crucial to prevent this. Certification plays a key role as it illustrates the security credentials of a component to device manufacturers, who can then use this information to make informed procurement decisions. Independent certification is beneficial for the entire ecosystem as it provides an objective measurement of a product’s integrity based on a common benchmark, speeding time to market and building customer confidence. Looking at how to combat the chip crisis without reducing the level of security, Applus+ suggest that, as we move to more robust security, there will be a rise in in-house production and site certification services:
Due to the recent chip shortage, many semiconductor companies have pledged to boost their production capacities, building more development and manufacturing sites worldwide. Consequently, we foresee a greater demand for site certification services that will ensure these facilities are protected and fulfill current security requirements.
Similarly, to ensure certification does not impede the development and deployment of the IoT, we must make certifications reusable. More alignment between certification programs will continue to defragment IoT security standards, facilitating greater applicability of products across industries and geographies, whilst also reducing the cost associated with third-party evaluation. SGS Brightsight anticipate that certification reusability will be a major trend of the industrial and consumer IoT markets:
General purpose microcontrollers (MCUs) will find their way into even more applications, potentially filling some of the gaps created by the chip shortage. This combination of an increasing number of security requirements for IoT and single hardware and software components utilized in multiple regions and verticals calls for efficient reusability of the security evidence of those components for device security. The VRoT, Vehicle Root of Trust, is an example of this. The RoT component serving as the anchor of trust for the Embedded Control Units (ECU) also functions as a reference point for conformance according to standards such as ISO21434 relevant to the automotive market. We can foresee this trend for reusability in 2022 in industrial, consumer and medical devices as well.
Collaboration is Crucial to Combat Emerging Challenges
The PSA Certified 2021 Security Report found that 85% of tech decision-makers are interested in better industry collaboration and cross-market knowledge sharing regarding IoT security. PSA Certified was built on industry collaboration and is seen as the primary route forward for implementing standardized security across the value chain. This need for collaboration will only grow as we start to combat emerging challenges brought about by new technology innovations, from edge devices to the rollout of 5G. Arm predict that these innovations will encourage more players from across the ecosystem to collaborate with PSA Certified and benefit from the value of the PSA-RoT:
Collaboration will be incredibly important if we’re going to unpick the growing number of security challenges. Over 20 chip companies have created a common language for best practice by building on the Root of Trust. This has revolutionized the supply chain, as OEMs and ODMs have a huge catalogue of PSA Certified chips, all of which have made investments to deploy security best practice. We anticipate the PSA Certified community growing larger in 2022, as more partners join the charge towards a more secure future and OEMs/ODMs adopt the RoT into their devices.
2022: The Year of Mass IoT Security Adoption?
While the PSA Certified co-founders all have different predictions for 2022, they are all united by a common trend: IoT security adoption will grow. Bad practices exposed by the chip shortage, paired with increasing awareness from consumers and rising action from governments, will stimulate this growth and ensure that all companies take a proactive approach to IoT security.
PSA Certified is stimulating this IoT security adoption by providing a framework and comprehensive set of free resources to guide security design and implementation, making security accessible. Our vision is for all connected devices to be built on an independently certified RoT and for all IoT devices to have demonstrable security based on a common language. Achieving these goals will defragment the ecosystem and facilitate better collaboration and the continued success of the IoT.
With nearly 90 PSA Certified products from over 50 partners, join the fastest growing IoT security ecosystem and play your part in securing the future of digital transformation.