At the beginning of June, in association with Electronics Weekly, we held an interactive roundtable with industry-leading device manufacturers (OEMs) Eurotech, Flex, and ams OSRAM. Hosted by Arm’s Anurag Gupta, the discussion examined the potential of digital transformation, the security challenges this brings for OEMs, and how the PSA Certified ecosystem is simplifying IoT security.
As more businesses continue to realize the benefits and potential of digital transformation, we’re seeing a rapid increase in the number of smart connected devices. These new IoT devices are revolutionizing even the most traditional products, bringing new innovative functionalities. However, each connected device that is deployed is another potential target for hackers, who are capitalizing on the number of insecure devices hitting the market. It’s estimated that there are 5,400 attacks per month on IoT devices and 7 million data records compromised daily.
Despite a widespread understanding of the risks, security is still not being prioritized. The PSA Certified 2021 Security Report, which surveyed over 600 tech decision-makers globally, found that significant challenges remain when implementing IoT security, many of which sit with OEMs. This includes the growing cost of security, the fragmentation of regulations, and a lack of expertise. In this blog, we ask our panelists to unpick six of the most significant security challenges and discuss how schemes like PSA Certified are providing real value for OEMs.
Challenge #1: Legacy Devices Are Slowing Down Deployment
In many verticals, deployed devices are due to last for “10 to 20 years and often there is not the ability to provide the security a customer needs,” explains Giuseppe ‘Pino’ Surace (Chief Product and Marketing Officer at Eurotech). Very often companies look to Eurotech for support and guidance on how gateways can connect to the cloud securely. A lot of enterprises or industrial sites might have hundreds of gateways, so it is not always practical, economically feasible, or even possible to upgrade large numbers of them. There is also no “one size fits all patch”, as legacy protocols and hardware are often “homemade” and specific to certain companies; this lack of standardization makes it difficult to deploy universal solutions.
Challenge #2: Regulations Are Complex, But Ultimately Rely on Best Practice
As more and more insecure devices are released into the market and the number of hacks continues to rise, governments and industry bodies are responding with different regulations, standards, and requirements. Many emerging standards actually outline very similar advice, but they use different language, which causes a lot of confusion. In our recent study, 48% of tech decision-makers identified the fragmentation of standards and regulations as a key IoT security challenge. This is particularly true for manufacturers looking to sell products across different markets and geographies. “If you try to proactively follow every emerging standard, it’s going to get messy very fast,” says Jan Muenther (Head of Digital Product Security, ams Osram), who recommends instead focusing on what we know works: IoT security best practice. PSA Certified is helping in this space by aligning our PSA Certified Level 1 scheme to emerging standards and law, unifying everyone under a common language.
Challenge #3: IoT Security Is Not Static
One of the biggest challenges with IoT security is that it is not static: best practices, standards, and requirements are constantly evolving and changing. There are also different needs between markets; a medical device has a completely different set of assets and risks when compared to an automotive application. Security is dynamic, so you need to allow room for evolving capabilities and updates. Marco de Angeli (Innovation Director, Concept, Mechanical and System Engineering, Flex) argues this is where third-party labs can really add value. As well as bringing independent certification, they also provide a wealth of security knowledge and expertise that can help guide security design and implementation: “We need support from third-party labs to have a realistic view of the different security issues from different markets.”
Challenge #4: The Ecosystem Has to Evolve
The ecosystem needs to evolve and bring in new members so that we can provide more trust to customers. The traditional members of the value chain can provide the technology and the building blocks for IoT security, but they do not have the capabilities to provide full assurance and liability. The standardized approach and independent certification of schemes like PSA Certified are helping to build trust in IoT devices and are facilitating better collaboration between internal and external industry players. Looking to the future, Pino asserts that “the ecosystem will not only be made up of technology providers, but also external suppliers such as insurers.” This is vital for driving up adoption rates and speeding the deployment of the IoT.
Challenge #5: We Need Collective Responsibility
When we design security into our devices, we need to start by considering what our customers expect from us. For OEMs, the customer is often the end consumer. Jan argues that we need to take the blame away from consumers and supposed ‘user error’; we should be giving them devices that are secure enough that this shouldn’t be possible. Rather than pointing the finger, we need to see the ecosystem work together to raise the level of security: “Everyone in the end-to-end engineering chain needs to take responsibility for the part they build. Ultimately this is about the trust relationship between vendors and their partners.”
Challenge #6: Stop Reactive Security Implementation
When implementing security, Marco’s biggest piece of advice for device manufacturers is to “implement security from day 0”. Drawing on his experience of medical IoT devices, he says that even something as simple as leaving a debug port open can leave your device vulnerable to attacks. The industry needs to move away from a reactive security approach and towards a proactive one, where security is considered both during the design of the product and after it is deployed in the field. Implementing security in this way helps speed time-to-market and avoids costly ‘add-on’ security.