Working in electronics comes with some fun challenges. One is that design decisions made today have far-reaching implications for the future. Many of the devices that will be built on the silicon and other components being designed today haven’t yet even been conceived. Equally, components designed for one use case are likely to end up powering entirely different applications.
This requires a long-term view, making sure we bring in a wide variety of experts, and planning for unforeseen eventualities, all as part of an ecosystem where all stakeholders act today to secure the devices of tomorrow. Because just as we can’t always imagine the applications of the future, it’s also hard to anticipate how future hackers will attempt to compromise our designs. As Mike Dow, Senior Product Manager for IoT Security at Silicon Labs says “the sophistication of the attacks will grow over time and, on the silicon side, we have to be ahead of the game, as it takes years to bake it in.”
Living and thriving in our digital-first future relies on the willingness and ability of every part of the supply chain to build-in security from the ground up, especially considering the consequences of inadequate security in these rapidly developing industries.
In our podcast series, we’ve been discussing our tech-powered future, its promise and its challenges, with leaders and stakeholders across multiple sectors. Here, we bring together some of the fruits of those conversations.
Inadequate Security and the Cost of Failure
A key IoT security challenge is a perceived cost versus benefit imbalance.
Manufacturers and consumers alike are beginning to demand IoT security. “Security is now being actively demanded by our customers as a quality criteria. This is something that can make or break your position in the market,” says Jan Münther, Head of Digital Product Security at ams OSRAM.
For some suppliers though, there is a perception that security costs outweigh benefits. When looked at purely as an expense, this is understandable. Secure components, testing, and certification all cost more than not doing these things. However, when we look at the costs of insecurity, they are far higher. The cost of not implementing appropriate levels of IoT security manifests itself in many ways, from data breaches and litigation, to damaged customer trust. Here, we see just how crucial it is to embed security in our DNA, especially when it’s clear that we need to prepare for unseen eventualities.
It’s also true that security is something buyers are prepared to pay for – it’s viewed as a necessity, not an extra. Consumers have the expectation that IoT devices on sale are secure, even if they are not. As Peter Stephens, Head of Secure by Design Cybersecurity at DCMS tells us: “Consumers actually really do care about security. It’s actually one of the most important characteristics they look for, but the problem we find ourselves with is [people] already assume that it’s safe because it’s for sale.”
For businesses to survive and thrive in IoT, the whole ecosystem needs to be implementing best practice security and lessening the impact and chances of an attack. This applies to each player in the value chain, from those designing silicon to businesses harnessing devices into services.
“I used to work in the safety critical field as well. And we would always say that you can’t put safety on afterwards. Not very easily anyway, but I think it’s the same with security. It’s a mindset from the beginning of the design. It’s very hard to put it on afterwards.”
Richard Barry, Founder of the FreeRTOS Project and Senior Principal Engineer at Amazon
Lessons Learned From Securing Mobility
The IoT and digital-first aren’t just about entirely new technology spaces: it’s also about enriching and improving things we already have. It seeks to integrate with existing spaces, improving awareness and control. This aspect adds extra emphasis to the requirement for security.
The automotive industry is a case in point. An area quickly developing in that space is the need to secure vehicles on the tech and IT front. As Peter Busch, Product Owner, Distributed Ledger Technologies Mobility at Bosch, points out: “We do not only see a car, but we also see a moving device, which is interconnected to lots of other devices…And that brings the complete plethora of security challenges that we already have in IT into the car and other mobility parts.” As cars have become more complicated, over time they’ve essentially computers on wheels. The vehicles we see on the road today are increasingly connected – to servers, other vehicles and personal devices. It goes without saying that trustworthy components and security are of utmost importance on the road and as vehicles become increasingly autonomous, there is no margin for error.
The Metaverse and Digital Twin
The world we live in is changing rapidly and as it does, so too does the way we live in it. Stepping further into our digital-first future, we’re seeing first-hand how the reality we occupy is no longer tied to the realm of the physical only. Instead, we’re constantly finding new ways to live at the intersection of the digital and the physical.
An element of that digital lifestyle quickly taking shape is the metaverse, a digital, internet-powered instance of our reality. The best way to envision the metaverse is as a 3D representation of the internet, where users can interact in real-time in a virtual world. While often framed as a space for meetings and entertainment, bolder ambitions for the metaverse collide with IoT and digital twin technology – virtual representations of an object or system – to bring real-world interactions with anything, anywhere, to life.
Combined, the metaverse and digital twins will allow us to do incredible things. The ‘next generation of the Internet’ will bring together real, digital, and virtual worlds into new realities where people will be able to do almost anything: get-togethers with friends and family, learning, working, business meetings, shopping, creating, gaming and entirely new experiences yet to be imagined. At work, we’ll be able to do entirely new things, like designing new products and services in real-time with colleagues around the world or testing new features in virtually real conditions. The metaverse also promises massive scalability but for it to deliver that promise, we need to be able to trust it, which means the devices that power it — and the silicon that powers them — need to be secure and that starts at the Root of Trust.
For the metaverse to exist, therefore, security needs to be at the forefront of our considerations because, as the control we are able to exert digitally over the physical world expands, the consequences of security failures become ever more dangerous. Fortunately, the technology ecosystem has been working hard to create secure foundations for this new wave of technology. That ecosystem will continue to work on solutions that will secure the future metaverse, not as an added cost but as a necessary starting point.
Metaverse and Digital Twin Security
Digital twins and the metaverse create new ways to observe and interact with other places. You can choose to be physically located on the oil rig, or instead operate the controls from a distance, for example. As explained by Tony Shakib, General Manager, Azure IoT, Microsoft, “[A digital twin is] a digital replica of that environment where you are running things. And then we start tinkering with that digital replica…[it is] a virtual way to experiment, figure out the best way, and then apply it to the way you’re running the physical operations.” Ultimately, this framework enables companies to experiment using real data without any impact to current functionality.
But, as with anything reliant on, supported by, or in any way related to the IoT, digital twins are only viable when they are trustworthy. The devices and software that power the IoT also power the metaverse and the digital twins that operate within. Especially when it comes to potentially life-saving devices and features – like vehicle safety measures or medical equipment – is it clear why securing the metaverse and digital twins is vital.
“[A digital twin is] a digital replica of that environment where you are running things. And then we start tinkering with that digital replica…A virtual way to experiment, figure out the best way, and then apply it to the way you’re running the physical operations”
Tony Shakib, General Manager, Azure IoT, Microsoft
Shifting the Security Narrative
As with other elements of IoT security, the narrative is shifting for the better and it is imperative that security importance is highlighted for the metaverse as well. As Dr. Sally Eaves, Senior Policy Advisor for the Global Foundation, Experienced CTO, Professor in Advanced Technology, and Global Strategic Advisor says, leadership is getting more involved in discussions about the security narrative, with CFOs, CEOs, CSOs and CIOs taking an active role in security discussions. As the discussion grows and the dialogue is opened to the entire floor, a digital reality that is supported by security at every turn – the metaverse – is materialising, which will truly prepare us for the digital-first decade we’re entering.
The Generational Shift in 5G
The popular perception is that 5G is simply another step higher for mobile data speeds. It’s much faster, yes, but the standard is also about reducing latency and contention issues, which therefore is lowering two key barriers for real-time IoT devices and services.
Businesses will take advantage of 5G as its full potential is realized: key sectors that could benefit immediately include logistics, utilities and manufacturing, alongside entertainment and other verticals. The key is to incorporate it in tandem with the necessary security, frameworks and components.
5G promises to deliver four key benefits:
- Ultra-fast wireless broadband
- The ability for machines to connect and communicate with one another efficiently, increasing spectral efficiency
- Lower communication latency for time-critical applications
- A foundation for metaverse applications
But what do these benefits mean for businesses, what new innovations will they make possible and what security concerns exist? Much of the answer lies in massive levels of scalability, which we already see developing in practice.
5G and IoT Scalability
5G is a critical element for an optimized IoT network. A functional IoT network is predicated on a number of things – industry collaboration, secure silicon, commercial viability and widespread trust – and in many ways, 5G is the ‘glue’ that enables these elements to come together to deploy the IoT at scale. The 5G network will be deployed not only in public networks but also in the private sphere like factories, replicating the way Wi-Fi provides connectivity today.
In concrete terms, 5G is a building block in the foundation that enables a true IoT. With that, the question of securing 5G must be answered as, if the IoT is to be secure from the ground up, its building blocks must be too.
Securing 5G
There is no doubt that 5G will play a key role in the proliferation of the IoT. But it can only serve that purpose if it is trusted and secure. As Dr. Sally Eaves, Senior Policy Advisor for the Global Foundation, Experienced CTO, Professor in Advanced Technology, and Global Strategic Advisor points out, that 5G is a huge opportunity to democratise the IoT but only when it is secured through an ecosystem approach. The approach to 5G security is thus the same as securing the IoT as a whole – it must be collaborative. Operators in the 5G space are beholden to ensuring that the technology lives up to its potential and enables the scalability it makes possible, especially for the IoT.
“[Well-established 5G networks] will trigger the deployment of IoT devices because you will have 5G networks and then you can deploy as many IoT devices as you like with real control of those devices and a reliable connection.”
Dr. Juan Nogueria, Senior Director of Connectivity Center of Excellence at Flex
The Cloud, the Edge, Trusted Frameworks and Collaboration
Our understanding of IoT is starting to be stretched in two directions. First, towards the cloud where we can aggregate data from millions of sensors to both understand the big picture and aid scalability for services and solutions. Second, devices themselves are becoming more intelligent, able to not just gather information and carry out commands but to analyze data at a local level and make decisions. This is what is becoming commonly known as ‘edge computing’. At the service level, this data forges new pathways for scalability as informed decisions that seemed impossible in the past can now be made with confidence and relative ease. The explosion of data and services can make it hard to track security credentials, but collaboration within the ecosystem and a foundation of trusted frameworks can help everyone thrive and enable these new data-driven services to grow.
A New Currency
The IoT is to data what oil rigs and processing facilities are to oil, suggests Marco Carrer, CTO of Eurotech. In his words, “…the new economy will be actually fueled by data rather than by oil. If data is the new oil, then IoT at the edge is the way to extract that oil and make some use out of it.”
Not only does the IoT make possible the insights necessary to extract maximum value from data, it also guides data collection and extraction and informs data-led service scalability. Data-powered decisions and industries are part and parcel of the future we live in now and for it to power the digital decades ahead, it must be secure and built on a foundation of trusted frameworks, components and collaboration. As Marco says, this is a complex field, but businesses should seek partnerships to ensure they’re able to stake their ground in the space: “You don’t need to do everything yourself. There are companies that can implement those blueprints and that can offer you building blocks that are already certified for this.”
“…the new economy will be actually fueled by data rather than by oil. If data is the new oil, then IoT at the edge is the way to extract that oil and make some use out of it.”
Marco Carrer, CTO of Eurotech
The Cloud and IoT
The sheer scale of the new opportunities made possible by the cloud demonstrates just how crucial it is and will continue to be. But, as the cloud is predicated on an increased level of connected devices, its security is brought front and center. Again, we’re confronted with the reality that, to enable the cloud to reach its full potential, it must be secured.
The cloud can also play a pivotal role in security, as Richard Barry, Founder of the FreeRTOS Project and Senior Principal Engineer at Amazon points out – a single device can only look at itself whereas the cloud-side can look across a whole fleet of devices, notice patterns and spot anomalies that need to be addressed.
IoT and (Data) Services
The IoT is revolutionary not only because of its technological capabilities but also because of the new services it enables and the improvements it makes to the existing processes we rely on. As the world’s population grows, pushing the demand for innovation to new heights, the IoT will come to play an increasingly important role. Some sectors will be more strongly impacted by digital transformation, but we can be sure that most industries we rely on today will change in some shape or form. The macro trend of everything becoming a service (known as XaaS) will not be reversed, and the increasing penetration and power of IoT devices will enable innovative new services to be created and monetized.
The pandemic accelerated the wave of IoT expansion, where factories and buildings standardized production and experienced operational automation. This wave will continue across all industries, especially those environments that rely on frequent measurements — like healthcare and agriculture. When remote sensors are able to perform these measurements, instead of people, their value will be immense.
Where does the immediate IoT value lie in the context of data and how does securing the IoT factor into that?
Data as a Service
Together, data and IoT will unlock new levels of data-driven scalability. A key value proposition of data in the context of IoT is how the IoT can integrate data from different device manufacturers, from different protocols, creating a more knowledgeable user base, says Marco Carrer, CTO of Eurotech. Ultimately, the data that enterprises can collect today thanks to the IoT carries enormous importance in the business operations of the enterprises themselves.
“In the electronics industry, we think about products a lot, but, with the Internet of Things and with digital transformation, the product actually drives the acquisition of data, which is then used to deliver new services or new efficiencies into multiple industries. So that link between product and service is something that, from a digital transformation and IoT point of view, I think as an industry, we need to think about a lot more.”
David Maidment, Senior Director of the Secure Device Ecosystem at Arm and PSA Certified Co-founder
Trust as a Foundation
To unlock the potential of the IoT, it must become designed for security. As Brad Ree (previously at the ioXt Alliance) says, “If you have a vision of a trillion connected devices, you better make sure you have some pretty good underpinning to deploy and scale.” So how do we implement security when industries change as quickly as new technology progresses?
We’re already building the silicon and the other components that will power the future we live in now. Creating and maintaining trust in these components will be vital to bringing the future to life and building the confidence to create. This will require industry-wide collaboration on open standards for security.
These are all key foundations to a secure IoT but what ties all that together? Certification.
Securing the IoT is a collaborative effort and the key to that mission is an equally collaborative approach to certification. There is great value in certification, not only in the form of consumer and industry trust but also in the added confidence to make decisions and innovate.
The IoT is the groundwork for the next wave of innovation. However, innovators will not have the confidence to create if they feel unsure about doing so. PSA Certified has worked towards creating an IoT ecosystem which is proving successful thanks to broad certification adoption from silicon vendors and software providers. This has resulted in an increasing number of certified components that device manufacturers and module makers can trust to act as their secure foundation.
What drives PSA Certifed’s users and where do they see the most potential?
Bridging the Knowledge Gap
The knowledge gap that impacts IoT security adoption is gradually narrowing but it is still very much present. It is imperative that the knowledge surrounding IoT security is shared across the board. “That relatively modest device performing a relatively modest activity actually has a huge impact at scale if you’re connecting hundreds or thousands or millions of those devices. And so, for your end customers to realize [the] relationship between the security in that device and how that would impact their business if it doesn’t go right is really important,” says Dr. Juan Nogueria, Senior Director of Connectivity Center of Excellence at Flex.
It’s not enough that chipmakers or device manufacturers understand this. To create the IoT-powered future, sharing knowledge and uniting behind a common framework is key.
Richard Barry, Founder of the FreeRTOS Project and Senior Principal Engineer at Amazon, argues that the IoT is truly a multidisciplinary ecosystem. Most industries and individuals are in some way influenced by or at least connected to it. For it to function, its key tenets – for example, the cloud or automation – must be understood across the board. While this type of knowledge gap is different to bridging the gap obstructing IoT security knowledge, it’s no less true that a multidisciplinary sector requires multidisciplinary knowledge. As such, operators must understand the products and services they work with, who they sell or market to as well as understanding how to secure the entire package, or bring in specialist partners who can plug any knowledge gaps.
“That relatively modest device performing a relatively modest activity actually has a huge impact at scale if you’re connecting hundreds or thousands or millions of those devices. And so, for your end customers to realise [the] relationship between the security in that device and how that would impact their business if it doesn’t go right is really important,”
Dr. Juan Nogueria, Senior Director of Connectivity Center of Excellence at Flex
The Promise
For the IoT to become a continuous presence, we will need robust device and silicon security as a standard, not a premium. The promise of the future can only be delivered if the foundations on which it is made are secure and trusted.
Thankfully, the industry is showing a readiness to adopt security and secure components to unlock the potential of the IoT, success being predicated on a united effort from the entire industry.
Becoming Secure by Default
Creating this security will require collaboration across the entire industry, from chipmakers to device manufacturers and supply chain operators.
Together the PSA Certified ecosystem began this journey three years ago, by changing the narrative surrounding IoT security. We’ve witnesses first hand what happens when the IoT ecosystem turns the debate about the return on investment (ROI) on its head – chips begin to be built with secure components, starting at the Root of Trust, the device’s trust anchor. This model is the foundation for securing the IoT and in that vein, a lot of the responsibility lies with silicon vendors.
How Silicon Vendors Must Predict the Future
To properly meet their responsibility, silicon vendors need to prepare against the unknown – securing devices against more than current cybercriminal attack techniques. They need to be aware of what their customers will expect from security years before customers ask for it.
While customers and IoT users are becoming aware of the importance of security, it is still sometimes treated as an afterthought or something that’s probably already built-in, and its value and measure not understood.
The tide is turning, however. Our 2022 Security Report found that security was a key concern for 88% of the ecosystem members surveyed, with 96% agreeing that added security increased the value and profitability of products and services. At the same time, though, 52% of tech decision-makers consider the additional cost of security to be a top barrier to improving IoT security. It’s a time of transition: as demand for security increases, which the figures suggest is already happening, vendors will find security best practices will rapidly become a non-negotiable ingredient in IoT solutions, and a business accelerator.
The silicon vendor’s responsibility is therefore large but crucial:
- Vendors must understand and act on future predictions and unknown possibilities to build the appropriate security into their chips
- They must push the idea that security should be baked into the entire industry
“When we have a world that is built to be secure by default, we are not only trying to prevent malicious activity in that world, we are really trying to provide an environment that empowers innovators to be able to innovate without fear of their efforts being undercut,”
Eustace Asanghanwa, Principal Program Manager for Security, Azure IoT, Microsoft
Delivering the IoT Promise
Delivering on the promise of IoT is an ongoing challenge with many moving pieces. Peter Armstrong, previously a cyber-insurance expert at Munich RE, describes it as a “hyper-connected value chain [that] has spawned loads of new devices, new levels of connectivity, new companies, even, and certainly many new value propositions.” However, it all starts with the silicon vendors working from a secure-by-design framework and then pushing the narrative that security is a starting point, not a bonus. Only then can the promise of a secure, trusted IoT be delivered globally.
To learn more about PSA Certified and how we’re helping to overcome key security challenges, download the PSA Certified Program Overview.
In this digital overview, find out why IoT security and certification are becoming increasingly important for business success, learn more about PSA Certified and the key elements to the program, and find out how you can get best-in-class security for your products.