October 19, 2021
What makes the Internet of Things (IoT) such a limitless and rich source of data-driven insights also makes it extremely vulnerable to hackers and cyberattacks. It’s a sprawling and ever-growing complex of connected devices.
Securing these devices is challenging and relatively new territory for manufacturers, suppliers, system integrators and other IoT stakeholders. Security compliance requirements are emerging, such as ISO/SAE 21434 for road vehicles and ETSI EN 303 645 for consumer IoT devices in Europe, but frameworks for securing connected devices, such as the Industrial Internet Consortium's IoT Security Maturity Model, have only begun to appear. A cybersecurity framework should address both software and hardware, down to the individual components a device is built from.
The growing IoT threat landscape and the increasing sophistication of attackers will continue to fuel the need for thorough cybersecurity standards and guidelines. Recent legislation underscores this need. In December 2020, the U.S. Congress passed the IoT Cybersecurity Improvement Act of 2020, which requires the National Institute of Standards and Technology (NIST) to develop and publish guidelines for the cybersecurity of IoT devices; the act applies to connected devices procured and used by federal agencies. In January 2020, the first U.S. state IoT cybersecurity laws took effect in California and Oregon, setting requirements for the security features of connected devices sold in those states, regardless of where the device is manufactured.
In May 2021, President Joseph Biden issued an Executive Order on Improving the Nation’s Cybersecurity, setting forth the federal government’s standards and requirements for protecting its IT and operational technology (OT) systems, whether on-premises, cloud-based or hybrid. The order specifies measures that will:
- Help remove barriers to sharing threat information,
- Modernize federal cybersecurity,
- Enhance software supply chain security,
- Establish a Cyber Safety Review Board,
- Standardize how the federal government responds to cybersecurity vulnerabilities and incidents,
- Improve detection of vulnerabilities and incidents on federal networks, and
- Enhance the government’s investigative and remediation capabilities.
The president’s order also calls for the federal government to partner with the private sector to help ensure products are built and operate securely.
Meeting legislative and industry compliance requirements should be part of a company’s comprehensive product security program. As with protecting IT assets and enterprise networks, you cannot afford to handle connected device security solely in a reactive fashion. A sustainable, lasting product cybersecurity posture requires a thoughtful, holistic approach to governance and processes.
Start by assessing your security maturity
No two organizations will be at exactly the same stage of product security maturity. The maturity path requires periodic evaluation of your cybersecurity posture as it relates to business goals and objectives, along with the people, processes and technology in place to facilitate and maintain product security throughout the entire life cycle.
Governance includes identifying talent gaps in your product security program, which can be significant given the global cybersecurity skills shortage. You need in-house staff or third-party experts trained to anticipate, identify and mitigate connected-device and system vulnerabilities, network attacks and other IoT cybersecurity risks. Threat modeling expertise is especially valuable here, and it pays off most when applied early, in the product design phase.
Threat modeling helps you determine where your connected device, and the systems around it, are most exposed: the entry points an attacker can reach, the attack paths from those entry points to high-value assets, and the controls or mechanisms needed to break those paths. It also surfaces the major risks that deserve attention first. According to Writing Secure Code (Howard and LeBlanc, Microsoft Press), competent threat modeling can prevent about half of potential vulnerabilities from ever being introduced.
To manage risk and minimize vulnerabilities consistently, apply the same governance and processes across every product line in the company rather than letting each team define its own.
Embrace security by design
Few manufacturers have considered security as part of product design for devices that traditionally were not networked, which makes IoT particularly challenging for such products. Building security into every stage of design, development and deployment is critical: patching holes and fixing vulnerabilities after they are found will never be as effective as designing the device to be as secure as possible from the start.
Security by design is gaining traction in IoT environments. This approach includes measures such as continuous product testing, authentication safeguards and adherence to best programming practices.
Don’t overlook component security
If your connected device contains third-party components, you need to ensure there’s a process in place to assess potential vulnerabilities that can stem from those components. You will need to inquire about the security posture and security maturity of your suppliers.
Getting transparency on your suppliers' components usually means understanding the security and compliance posture of the firmware implementations inside your connected device. Such checks are typically done by scanning the firmware during development, and organizations often outsource the scan to a third-party testing vendor. The vendor's report details the known and previously unknown vulnerabilities detected in the firmware, an analysis of compliance readiness against the industry standards the vendor supports, and a software bill of materials (SBOM) that captures the supplier and version data needed to track each component.
Open-source components make up a large share of most IoT firmware, and they carry their own vulnerabilities, so scan and monitor those components frequently to detect and fix issues before they reach devices in the field.
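An SBOM is only useful if it is matched against advisories continuously, and a practitioner will want to see what that matching involves. The example below is added here and is not from the article or any scanning vendor: the SBOM, the component versions and the advisory identifiers (ADV-EX-...) are constructed for illustration. It parses a minimal CycloneDX-shaped SBOM, compares each pinned component version against the affected range in a small advisory list, and separately reports components whose version is missing, since an unpinned component cannot be assessed and should be treated as a finding in its own right.

```python
"""Match a firmware SBOM against a vulnerability list (added example).

The SBOM document and the advisory list are constructed inline; the component
versions and advisory IDs are assumptions for this illustration.
"""
import json
import re

# Constructed, CycloneDX-shaped SBOM for a hypothetical firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "mbedtls",  "version": "2.16.6", "supplier": {"name": "example-vendor-a"}},
    {"type": "library", "name": "busybox",  "version": "1.31.1", "supplier": {"name": "example-vendor-b"}},
    {"type": "library", "name": "lwip",     "version": "2.1.2",  "supplier": {"name": "example-vendor-b"}},
    {"type": "library", "name": "zlib",                          "supplier": {"name": "example-vendor-c"}},
    {"type": "library", "name": "freertos-kernel", "version": "10.4.3", "supplier": {"name": "example-vendor-a"}}
  ]
}
"""

# Constructed advisory list. "affected" is a comma-separated set of constraints
# that must all hold for a version to be affected; IDs are hypothetical.
ADVISORIES = [
    {"id": "ADV-EX-0001", "component": "mbedtls", "affected": "<2.16.9",          "fixed_in": "2.16.9"},
    {"id": "ADV-EX-0002", "component": "busybox", "affected": ">=1.30.0,<1.33.1", "fixed_in": "1.33.1"},
    {"id": "ADV-EX-0003", "component": "lwip",    "affected": "<2.1.0",           "fixed_in": "2.1.0"},
]


def parse_version(text):
    """Turn '2.16.6' or 'v1.31.1-r2' into a tuple of ints for comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def cmp_versions(a, b):
    """Compare two version tuples, padding the shorter one with zeros so
    that 1.2 and 1.2.0 compare equal. Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version, constraint):
    """True if the version tuple satisfies one constraint such as '<2.16.9'."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|==)\s*([\w.\-]+)\s*", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, c = m.group(1), cmp_versions(version, parse_version(m.group(2)))
    return {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0, "==": c == 0}[op]


def in_affected_range(version, spec):
    """All constraints in the spec must hold for the version to be affected."""
    return all(satisfies(version, part) for part in spec.split(","))


def match_sbom(sbom_json, advisories):
    """Return (findings, unassessable).

    findings:     dicts for each component/advisory pair where the pinned
                  version falls inside the advisory's affected range.
    unassessable: names of components that carry no version and therefore
                  cannot be matched against any advisory.
    """
    sbom = json.loads(sbom_json)
    findings, unassessable = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name", ""), comp.get("version")
        if not version:
            unassessable.append(name)
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv["component"].lower() == name.lower() and in_affected_range(v, adv["affected"]):
                findings.append({"component": name, "version": version,
                                 "supplier": comp.get("supplier", {}).get("name"),
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings, unassessable


if __name__ == "__main__":
    found, unknown = match_sbom(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['component']} {f['version']} ({f['supplier']}): {f['advisory']}, fixed in {f['fixed_in']}")
    for name in unknown:
        print(f"{name}: no version in SBOM, cannot assess")
```

Against the constructed data this flags mbedtls and busybox, clears lwip because its version is already past the fixed release, leaves freertos-kernel untouched because no advisory names it, and reports zlib as unassessable. The version comparison is deliberately simple (numeric fields only); real component ecosystems have release-candidate suffixes, vendor backports and distribution-specific version strings, and a production scanner has to encode those rules per ecosystem rather than relying on a single numeric comparison.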
Companies need to develop and maintain holistic product security governance and processes in today's highly connected world. Building these practices on a solid foundation will help you keep product development processes in line with industry standards and compliance requirements; proactively identify actions to improve processes, security techniques and controls; and move forward on the security maturity path.