Developing Smart Lighting Security with ams OSRAM: “If it’s smart, it can be hacked”
Jan Münther, Head of Digital Product Security at ams OSRAM, joins our host David Maidment, on the #beyondthenow IoT security podcast to discuss smart lighting security. We examine the cost of security failure, growing consumer expectations, and how company culture needs to change for us to effectively implement security best practices.
Understanding the true cost of failure of inadequate security.
Why the most common vulnerabilities are found in basic fundamentals in device design and are not carried out by experienced hackers.
Why it’s so important for a company to bring security design into products at the very beginning.
Discover Key Talking Points in this Episode
- More about Jan and OSRAM. [01:00]: “The company mainly consists of three pillars. One is the automotive sector, so automotive lighting in general, both on the outside and the inside. And then there is the whole semiconductor branch where we basically build in all kinds of quality levels. Last but not least, there’s the whole digital sector, which is really my playing ground, where we build such things as well electronic light control, construction, such as smart lighting for urban digital farming, for instance, or building automation, things like these. So those are the three main pillars. The company is pretty big with well over 23,000 people. My area is the security of our digital product lines for basically everything that is considered smart.”
- Why is device security important to OSRAM? [03:10]: “In general, there’s a tendency throughout a lot of classical industries to become smarter and smarter. A lot of technology that previously was controlled by mechanical components that switched something on and off, you now instead have a lot of smart CPU control devices. I usually say if it’s considered smart, it can also be hacked. And that is also something that people noticed at ams OSRAM. They were looking for somebody who has the experience to help in securing the devices that are potentially vulnerable like this. That’s why they hired me. There’s this old joke that the S in IoT stands for security in the first generation of IoT devices. So, we have to say this was the truth. You know, I mean, everybody was just so eager to get things connected that the risks that were attached to that were not a particular concern. And a lot of companies have only noticed this way too late. And it’s really difficult to backpedal in this area, especially since a lot of the IoT devices are not quite as easily patched compared to like a web service. Once the stuff is out in the field, it gets really, really difficult to sort of retrofit security.”
- Are companies starting to understand the cost of failure of inadequate security? [05:28]: “I think some people have had a bit of an uncomfortable wakeup call when it comes to security through incidents, such as a botnet attack, that was something like a worm that ran through the internet, looking for unsecured IoT devices. And this was pretty bad for the vendors whose devices were affected. And this sent a wake-up call throughout the industry. Security is now being actively demanded by our customers as a quality criteria. This is something that can make or break your position in the market. If a customer has their network breached due to an insecurity in one of our devices, they will point their fingers at us. And rightfully so.”
Quote
Security is now being actively demanded by our customers – as a quality criteria. It’s something that can make or break your position in the market.
- Hacks are often carried out due to basic and fundamental flaws, not sophisticated hackers. [07:43]: “I think that the end market becoming more aware of the sort of vulnerabilities and the cost of failure, that then creates a sort of push back in the supply chain. It grows the awareness and I guess it sort of ties closely to the ability to access the markets that you were describing. I mean, the botnet example, I can’t remember exactly, but a lot of these examples, they’re quite simple things, like shipping devices with default passwords or not having secure Roots of Trust, not having taken care of open debug ports, and that kind of thing. So we know that the types of organizations or individuals that do the hacking are sophisticated, but actually, some of the mitigations are industry best practice and common sense. And that is also something that a lot of people in the security industry have been saying when they were looking at this. When it came to the development practices that they saw in the IoT world, they were falling behind the best in the software industry.”
- The balance of digital transformation, cybersecurity, and the cost of scale. [10:05]: “Lighting is a somewhat traditional industry that’s being revolutionized by digital transformation. So, it fits into that example really well actually, where you can realize new services and new efficiencies by connecting devices and managing them in a smart way. And so delivering those new services and efficiencies, the cost of that is that you have to connect them and manage them at scale. And then that brings the risks that we’re talking about. If you go back a decade, it opens an attack footprint where it’s not necessarily the device that’s vulnerable, it’s the service. So I’m not necessarily hacking a light bulb, I’m hacking an industrial operation that’s using those light bulbs to realize its output. And I think it’s that shift that’s creating the opportunity but also the threats if we don’t do this properly.”
- Devices at scale and hacking devices at scale. [11:55]: “When we talk about IoT networks very often we’re really talking about a lot of devices. But we’re also speaking about the possibility of compromising devices at scale, if they are all uniform and you have a vulnerability that affects all of them, you can potentially not just take over a single device, but an entire fleet of devices with the very same vulnerability. So that is also something that is attractive for a bunch of attackers for various reasons. When you look at our industry specifically, there are awesome applications, which may not be so intuitive at first sight, but that have heightened security requirements. We have lights in the medical sector, for instance. We have public lighting, civil infrastructure, lighting on airport runways. If we have our devices compromised in these settings, that can be very palpable damage.”
- Jan’s thoughts on PSA Certified and security baselines. [15:00]: “It’s not just the increased risk of somebody using our devices to pivot into the internal network. You have a very palpable first line of damage and people might get hurt. People might lose their harvest, which is worth millions of dollars, and so on. So, I think this is the reason why it’s a necessity to take security into account at an earlier stage in the life cycle. When I first stumbled across PSA certified. I looked of course at the payload, the actual content that you have, and I was pretty delighted to see that all the things that we consider best practices are condensed so well there. As a matter of fact, until I came across PSA Certified, I was not aware of any standard that I would actually have considered useful.”
Quote
When I first stumbled across PSA certified. I looked of course at the payload, the actual content that you have, and I was pretty delighted to see that all the things that we consider best practices are condensed so well there. As a matter of fact, until I came across PSA Certified, I was not aware of any standard that I would actually have considered useful.
- If we know all the issues – why haven’t we fixed the security issues? [18:10]: “I think there are a couple of reasons why we’re not that great at security yet. Number one, it’s something that I’ve also seen in other sub-industries, such as when telephony went from, you know, classical switch circuits to IP-based voiceover, IP telephony. A lot of people are completely overwhelmed with how quickly the technology is changing. And they’re used to taking care of other things, then a threat scenario where somebody is actively trying to hack their devices. They are usually concerned with questions of safety in normal usage situations but haven’t really been thinking about the possibility that somebody would actively try and attack their devices. I think this is a paradigm shift that is really only just slowly trickling in. Then you have an additional challenge in that you don’t have all that many people in the world really who are truly experts in this area. So, I think this is probably one of the reasons why I consider what PSA Certified are doing as immensely helpful because you provide people really with the condensed output of those who are very capable in the field. And if people stick to the guidance that you provide, they will at least have their basics covered.”
- Awareness of security knowledge and security experts are desperately needed. [20:40]: “We hear it many times about the awareness and the knowledge and the technical ability and how that is accessible through the industry. We view it a little bit like a pyramid where at the base level, you have the chip companies who generally have big investments in security to deliver secure Silicon and secure firmware that runs inside that Silicon. And then you would generally have sort of the middleware operating system companies that can make use of that. And then it moves to an OEM that can wrap that up into a product and make some decisions about what level of security they need to deliver. And then that OEM would presumably deliver it based on a specification, into a company such as Osram, who would then have their own requirements. That’s kind of layers of an onion actually that propagate out from that secure Silicon at the bottom all the way through to making sure that you’re following best practice through to that final product spec at the end.”
Quote
If you want to bring security into your portfolio productively, and with a good effort to success ratio, integrate with your developers, make it part of your development life cycle, of your product development life cycle, and get a foot in the door at an early stage.
- Jan’s predictions and advice for the future [21:45]: “The number one advice that I can give is I’ve learned a bunch of lessons as I’ve been doing this for a while. And one important lesson that I’ve learned is that this basic concept of policing security into a product is really, it’s not helpful, not at all. If you want to bring security into your portfolio productively, and with a good effort to success ratio, integrate with your developers, make it part of your development life cycle, of your product development life cycle, and get a foot in the door at an early stage. I find that the security issues with the highest impact and that cause the biggest problems, in the long run, are of a design and architecture nature. Instead of just testing the security of a product after it has been developed, I think it’s enormously important to already get a foot in the door in the requirements engineering phase, in the design and architecture phase.”
- Myth-busting IoT security not adding value: you can sell it. [24:10]: “This is also a piece of advice to follow. What security offers a device is added value in the market. You have a better position. You might as well have a unique selling point. If you have a device that is actually factually more secure than the competition, it is in any case added value. And that is something that can make or break your position in the market. It’s a tangible part of the value proposition.”
More About Your Podcast Host David Maidment
David Maidment (Senior Director of the Secure Device Ecosystem at Arm- a PSA Certified Co-founder) leads our discussions on the latest trends and developments from the world of IoT security.
Based in Cambridge UK, David brings over 25 years of experience in the embedded and IoT industry. He specializes in the intersection between device security and business assurance to drive best practice security adoption across the electronics industry. In his role at Arm, David leads device security ecosystem activities including the widely adopted PSA Certified initiative.