A series of recent publications in the US and Europe indicates that the industry - and government - are starting to take note and realize the importance of embedded security for connected products.
When it comes to cybersecurity for IoT edge devices, the writing is on the wall, and people are starting to read it more than ever.
I’ve noticed this development in recent weeks, in a number of publications that have addressed the importance of built-in cybersecurity for devices, the very bread and butter of what Karamba Security has been doing for connected devices since Day One.
Last week, a who’s who of industry leaders – including Audi, BMW, Daimler, FCA, and Volkswagen - published a set of safety and security guidelines for the ultimate connected device - autonomous vehicles. Titled “Safety First for Automated Driving,” it outlines how the automotive industry can address the safety requirements of self-driving cars, including the need for strong cybersecurity measures. These include security controls such as Control Flow Integrity (CFI), according to the publication.
The guidelines were published only a couple weeks after the release of a report by the US National Institute of Standards and Technology (NIST) titled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”
The report describes the security challenges involved in mass IoT adoption, which will require operators “to determine how to manage risk for hundreds or thousands of IoT device types.”
For me the message from NIST couldn’t be clearer: Like with connected automobiles, IoT manufacturers must introduce built-in security in their shipped products.
There is growing awareness across the pond as well. Earlier this year, the European Telecommunications Standards Institute (ETSI) published standards on IoT security. These followed a series of guidelines published by the British Government in October 2018 meant to “ensure that products are secure by design and to make it easier for people to stay secure in a digital world.”
What these publications have in common is that they clearly call for manufacturers to design IoT devices with built-in security, and not merely as a patch to be added later as needed. Consumers and enterprises will demand no less, especially when it comes to edge devices, against which cyberattacks can be deeply disruptive – and very costly.
It’s a given that staying safe requires basic cybersecurity measures like avoiding hardcoded passwords and regularly scanning for vulnerabilities. And while the government of Japan has approved a plan to hack citizens’ IoT devices in order to alert them and manufacturers to security flaws, what is clear from these recent regulatory guidelines is that the industry realizes that relying on consumers and enterprises to police their devices is nowhere near good enough.
Security needs to come from manufacturers, and it must be built-in by design.
Industry publications are repeatedly citing software integrity as a crucial building block of IoT edge device security. Attackers must not be allowed to interfere with software behavior and carry out Remote Code Execution (RCE). Self-protecting connected systems are closer than ever to becoming the norm in 2019 as manufacturers and standards bodies understand the power of embedded security.