This year marks two decades of Cybersecurity Awareness Month. How has our approach to the security of the Internet of Things changed over the past 20 years? What more can we do to fulfil our vision of a secure, interconnected world?
In the early 2000s, the Internet of Things (IoT) was a groundbreaking concept. Now, phones, watches, cameras, and lights are all connected. There are also ovens, coffee machines, sprinklers, and blinds that are online.
However, as the popularity of the devices has grown over time, we have become more aware of the downside of connectivity. The number of cyberattacks on IoT products has increased dramatically over the past two decades. It has tripled in the past two years alone.
Businesses – large and small – institutions and authorities have all become attractive targets for hackers. The products people install in their homes are just as vulnerable to attack. Two years ago, the UK consumer organization, Which?, and its partners set up a smart home. In one week, there were more than 12,000 unique scans or attempts to compromise its devices. A printer caught the attention of many of the hackers.
That was a test, but there are several high-profile examples that demonstrate the potential impact of a successful cyberattack. In 2015, researchers showed that they could take control of an SUV by exploiting an update vulnerability. In 2016, a distributed denial of service attack involving insecure IoT devices shut down many prominent websites. In the following year, there were even reports of criminals using an internet-connected fish tank to try to gain access to data at a casino.
Over the years, these newsworthy examples have drawn people’s attention to cybersecurity, and there are now signs that people are not just aware of the threats presented by poorly protected products but are actively looking for devices that have security built in.
Consumers Prioritize Security
We surveyed more than 1,200 technology decision makers for our PSA Certified 2023 Security Report, which was published recently. Seventy percent of respondents said the value they place on security, as a consumer, has increased in the past 12 months. Almost two-thirds (65%) said they value, or look for, security credentials when they are buying devices for themselves. Even more people (69%) told us they would be happy to pay a premium for the extra assurance credentials offer.
Initiatives such as Cybersecurity Awareness Month, which has been running for 20 years, have helped to ensure that security is at the forefront of people’s minds. This year, the campaign is focusing on four key aspects:
- Using strong passwords and a password manager
- Enabling multi-factor authentication
- Recognizing and reporting phishing
- Updating software
Updates Become Increasingly Important
As governments worldwide begin to outline their proposed regulations, it’s clear that software updates are becoming increasingly important. Of course, as consumers, we know that software updates often offer new functionality to our devices, but many of us don’t realise that they also improve security in devices by removing bugs and addressing security issues. By updating software in devices, you’re not only protecting data, but in some instances, you’re stopping operational failures that may put people or possessions at risk, for example by preventing smart locks or thermostats from failing.
As I touched on above, governments, industry groups, and standards organizations around the world are encouraging the developers and manufacturers of IoT devices to implement important updates, and some will soon legislate to ensure software updates are made available to people for a reasonable period of time after they purchase a connected product. Many of us will be used to installing updates on our smartphones, but how many people update other products in the home, such as connected cameras, speakers, or doorbells?
Making it Possible to Update Devices with a Touch of a Button
For consumers, updating devices is a fairly easy process. For most devices, it’s as simple as pressing “update software” on the device itself. However, for the technology ecosystem, building in these proactive measures takes time and investment, especially when you consider that products have a long lifetime and must be supported even if technology changes. Secure updates are front of mind for device manufacturers: almost half of the people we surveyed (49%) for our PSA Certified 2023 Security Report said offering over-the-air updates to fix vulnerabilities was one of the most important things they could do to improve security. It was second only to building devices on trusted components.
However, we also know that consumers are looking for more security functionality in devices, so it’s no surprise that the industry is choosing to make these proactive security investments. The PSA Certified 2023 Report showed that security spending is on the rise, increasing 15.3% on average across multiple areas between our 2022 and 2023 reports.
Helping the Ecosystem Improve the Security of IoT Devices
We know that updating devices requires significant work for manufacturers: in the past, consistent standards have been lacking, so individual companies must repeat the same work, over and over again. It is therefore important to do all we can as an ecosystem to democratize security.
PSA Certified is a partnership of industry leaders who have come together to develop a security framework and independent certification scheme so more innovators can build security into their devices. Our collaboration makes it easier, quicker, and more cost effective to implement security into devices. At the center of our approach are the PSA Certified 10 Security Goals. While all the goals come together to ensure device robustness, two of them in particular relate to software updates:
- Secure updates – ensuring updates can be performed securely.
- Anti-rollback – making sure that previous versions of the software cannot be reinstated.
Secure update is assessed at the first stage of PSA Certified’s certification process, which is known as PSA Certified Level 1. So far, more than 150 products have met the requirements and are examples of best practice. To achieve certification, vendors must have produced evidence to show that secure updates are possible, and they also have the option to declare how long those updates will be available for. That includes ensuring that updates are validated by the Root of Trust to check their integrity and authenticity immediately prior to execution, and, in line with the security goals, that devices prevent the unauthorized rollback of updates and protect the current reference firmware version number.
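The two checks described above, authenticity and integrity validation followed by anti-rollback against a protected reference version, can be sketched as follows. This is an added example, not PSA Certified code or the Firmware Update API: the image layout, the `RootOfTrust` class and all names are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real device would verify.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">4sII")   # magic, firmware version, payload length
MAGIC, TAG_LEN = b"FWUP", 32      # constructed image format, not a PSA one

class UpdateRejected(Exception):
    pass

def build_image(key, version, payload):
    """Vendor side: header + payload + authentication tag."""
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

class RootOfTrust:
    def __init__(self, key, reference_version):
        self._key = key
        # Stands in for a version counter held in protected storage.
        self.reference_version = reference_version

    def validate(self, image):
        """Return the payload only if it is authentic, intact and not older."""
        if len(image) < HEADER.size + TAG_LEN:
            raise UpdateRejected("truncated image")
        signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # check before parsing anything
            raise UpdateRejected("authentication failed")
        magic, version, length = HEADER.unpack(signed[:HEADER.size])
        payload = signed[HEADER.size:]
        if magic != MAGIC or length != len(payload):
            raise UpdateRejected("malformed header")
        if version < self.reference_version:         # anti-rollback
            raise UpdateRejected("rollback refused")
        self.reference_version = version             # only ever moves forward
        return payload

def try_install(rot, image):
    """Return 'accepted' or the rejection reason."""
    try:
        rot.validate(image)
        return "accepted"
    except UpdateRejected as err:
        return str(err)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    rot = RootOfTrust(key, reference_version=2)
    print(try_install(rot, build_image(key, 3, b"new firmware")))
    print(try_install(rot, build_image(key, 2, b"old firmware")))
```

Note that the older image in the demo carries a valid tag: a genuine but outdated release is exactly what the anti-rollback check exists to refuse.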
Looking Forward So that Everyone Benefits from a Secure IoT
We continue to explore what resources are needed to make the maintenance of devices over a complete lifecycle easier. We will continue to invest in necessary projects, like the open, architecture-agnostic PSA Certified Firmware Update API we announced last year.
All the work described above is being carried out by the ecosystem to help ensure we are securing our devices now for a better future. However, we will all benefit from the innovation within the industry whenever we update our smart devices.