We recently held a panel discussion with industry-leaders in security from SDT Inc., OSRAM, Signify and Arm to discuss why security and trust are critical for digital transformation and how we can overcome the barriers to security that we face today. This blog looks at some of the highlights of the discussion and offers you the chance to catch up.
Delivering Confidence in New Technologies
Digital transformation is the creation of new services and new opportunities by taking a previously humble product, like a lightbulb, and creating a whole new product with completely new functionality and services. These examples of new connected products can be found across all industries, as more traditional manufacturers capitalize on the opportunity to take their products, make them connected and unlock new business models.
This means that the humble lightbulb we mentioned before can now evolve into a system that makes use of digital capabilities such as using infrared motion sensors to detect if someone is in the room. This introduces the role of security and privacy where it wasn’t before; by connecting these products to the cloud and creating new services, we’re opening up a whole world of opportunity, but also a new attack footprint.
As more devices talk to each other, share data and drive services, we’re seeing growth at an exponential rate. This scale moves us towards an everything connected world, but before we get there, we need confidence. Security delivers trust and allows markets to scale while enabling a zero-touch lifecycle of a device, if all devices are aligned on common security practices, manufacturers can achieve security at scale and deliver confidence in the IoT.
Lessons Learned from the First Wave of IoT
With a large number of traditional products, cybersecurity wasn’t a problem, if we stick with our lightbulb example, historically safety was an issue, but security wasn’t. If we look back to the first connected products (back when IoT was still called machine-to-machine), new opportunities were being explored, they were cool and exciting. For Signify, interactive light installations for streetlights allowed multiple lights to be controlled together, and the focus was on getting the product in this field rather than the security of the products.
Sadly, security only really came to light when a hacks began to happen – in fact, very few manufacturers considered that a product sat in someone’s kitchen in their house would need robust security until it later became glaringly obvious. Even now, with many high-profile attacks shaking the industry, security is seen as a cost, a complexity and a hinderance. However, it’s imperative that we don’t ignore the learnings of our predecessors and instead use them to drive change. All our panellists agreed – the time is now, as industries scale, the cost of failure, and a lack of confidence in the IoT will scale too.
IT vs. IoT Security – A Different Approach?
One not-so-great thing that we’ve inherited from our predecessors is that “security can be patched”. It’s something built into our thinking from the early days of IT security: you’d find a bug and you’d patch it when security issues were identified. What we’re learning with IoT security is that it’s not enough to focus only on software and patches – IoT needs a different approach. Security must be built in from the beginning, starting at the hardware level in the silicon development – the Root of Trust. This puts security at the heart of the chip and when OEMs buy these silicon products, they too can make use of this Root of Trust. This provides an opportunity for alignment, certification and common best practice, ensuring the IoT ecosystem anchor trust throughout the devices and services at scale. This approach also facilitates a secure lifecycle where companies can update and patch, but it’s very different to the IT world that we’re used to. It also builds confidence, aligning to government standards and guidelines with a baseline criteria for any device.
How Can We Overcome the Biggest Barriers to Security?
During our panel, we surveyed our audience to understand their barriers to security. Our poll showed that 38% believe the biggest barrier to security is a lack of expertise and understanding. In fact, our panellists agreed that they’ve seen it in their own companies that security experts have not done a great job of knowledge transfer and that it is clear the security community need to step into action. We need to transition from security being the security experts’ job to security being in the basic vocabulary of a developer, but this must come with tools and best practices so that developers know what they need to do. Putting the cost of failure onto a developer lacking the security expertise and direction isn’t fair and is an unrealistic expectation. Traditional business models need to be changed, with training and processes to make security easier to integrate and overcome this lack of education.
Fragmented standards and regulations were noted as the second biggest barrier to IoT security by 25% of respondents. This is the case not just across geographies but also across industries. While the regulations and standards are a barrier, they serve a purpose of growing awareness and provide a strong forcing function, with a common goal of creating a set of best practices. PSA Certified have recently been comparing standards and regulations – the promising news is that in fact there are commonalities, it’s just being reflected in different languages and approaches. What helps is choosing to follow a baseline criteria (like the one provided by PSA Certified) by aligning to this, companies can proactively get ready for regulation in line with these best practices.
The third is most common barrier with 18% was the cost of security – the panellists agreed that a lot of the time security is seen as a cost. However, a small cost on the device can also become a key competitive advantage and a way to sell more of the devices, providing convenience and transparency for customers. The cost of security should also be viewed alongside the cost, and consequences, of failure; when security is built in from the beginning, the cost of creating the system is not dramatically different to the cost of creating a system without security. This is especially apparent when you take into account the patching, the fixes, the damages when security failures are identified.
A great example of this in the real world is architectural lighting on a bridge, high in the sky in the middle of nowhere: which happens to be powered by connected devices. The ability to control those devices remotely is a big bonus, but imagine the huge cost implications (in terms of disruption of traffic, damages and also the engineering time) of replacing those devices because they’ve been hacked. Building in security from threat modeling and architecture phases saves consequent costs.
Do it Right and Prove You’re Doing it Right
Our second poll in the webinar explored how we can prove that “good enough” security has been implemented. The results showed that actually 56% looked for third-party evaluation as a proof-point of security, 38% wanted methodically developed security frameworks and 6% would rely on internal processes and evaluations. In fact, these answers aren’t mutually exclusive, you should actively trying to improve the culture in your company to ensure that you’re integrating security into your internal processes, making use of security frameworks that are available across the industry and turning to third party evaluation and certification bodies.
The real gamechanger here is the third-party evaluation – without this, there’s no objective measure of security. If someone asked, ‘is your product secure?’ the level of trust given to that answer is the same as asking a second-hand car salesman if it’s a good car. So, the concrete standards with concrete checkpoints and clear verification provides a factual basis for confidence and trust. Do it right and prove you’re doing it right.
Four Top Tips to Secure the Future of the IoT
- Listen to your customers: the ecosystem is shifting and the concerns are no longer just about cost. Instead we’re hearing that customers want to be careful with security and they need us to take steps to implement secure systems. The good news is that customers demand can help drive robust internal change – processes, product managers, developers, all are driven by what the customer wants.
- Build your ecosystem: security is complex, but there is a whole ecosystem that can help to solve this problem. This amortizes the cost across the ecosystem – chip industry provide silicon security with certification, the rest of the industry picks it up and uses it, leaning on education awareness and upskilling.
- Invest in your people: having “one security expert” in your organisation isn’t enough. Use your experts to install knowledge transfer and equip the wider organisation to understand security, give them the right tools and make security an integral part of how they build the products.
- Security isn’t a bell or a whistle: don’t just think about security as a functionality that you add on later, security should be embedded into your culture and your DNA, it should be a pillar that underpins your business.