Seven steps to address IoT security, by PSA Certified and co (Reader Forum)
As industries, businesses and consumers become increasingly reliant on the connected economy, its potential as the bedrock of digital transformation continues to grow. Yet with great opportunity also comes great risk. As IoT adoption accelerates, so too does potential for exploitation from bad actors.
To address the most pressing risks, a collective industry effort is needed. Collaboration is key and as we enter a new year, experts from across the IoT ecosystem – corralled together by Arm / PSA Cerified – have come together to present seven key steps that will reduce the cost of security and forge a more powerful connected future.
1. Move away from security as a software problem: security in device components
A fundamental aspect of IoT security is the components with which devices are built. Security is dependent on hardware protection in the silicon chip at the heart of the device, and if we skip this vital step, we expose both users and manufacturers to vulnerabilities.
“A lot of the innovation in cybersecurity in the past has focused on software. It’s that chip architecture and chip design that’s fundamental in making a step change in IoT security.” – Madeline Carr, UCL
2. Collaborate to accumulate: establishing a baseline of best practice
In a sector as nuanced as IoT, collaboration and trust are fundamental to driving positive digital change. Beyond just the electronics industry, insurance, governance and legislation must come together to form a baseline for IoT security best practice which can be used to catalyze digital deployment globally.
“Good collaboration expands beyond the electronics industry and beyond the boundaries of what we often think about. We have a global vision and we’re finding a way for the world to collaborate on secure digital services. That’s a huge opportunity across the board – from Government, industry best practice, enterprises, all the way through to consumers.” – David Maidment, PSA Certified
3. Build an accurate risk profile to mitigate threats
When it comes to identifying, modelling and establishing a quantifiable level of risk in IoT, the picture is extremely complex. Determining the quantification of risk for a single device is also more nuanced than simply the number of vulnerabilities. It’s a question of how critical the devices are and how trusted the vendors are. Undertaking increased threat modelling, understanding the threat landscape and how the technology interacts to create both visible and silent risk factors is critical to building an accurate risk profile to mitigate against.
“There’s a misconception that risk is simply the number of vulnerabilities that I have on that device. Whilst there’s of course a relationship between those things, they are not to the same factor. If I have a vulnerability, but I also have the right hardware mechanism implemented, then the risk factor is reduced. Without the right hardware security built in, the risk accelerates if a device is connected to the internet.” – Elisa Costante, Forescout Technologies
4. Embrace legislation, standards and regulations to set a minimum standard
Policy and legislation provide incentive for businesses to mandate and implement higher levels of security, especially in sectors where there isn’t a clear ROI. Creating best practices that map across territories and utilize best-in-class technologies, standards and protocols will not only drive consistency across markets and uplevel security, but create a stronger baseline to protect consumers and economies.
“We’re mandating requirements for a minimum level of cyber security for consumer connectable products, to give clarity to device manufacturers on good practice.” – Veena Dholiwar, Department for Culture, Media & Sport
5. Democratize the cost of security
When combining an increasingly complex cyber risk landscape with growing consumer expectation, the economics of security must move away from cost-per-unit and towards having a security baseline to protect against the most common hacks. By building on trusted components, embracing easy-to-use frameworks, evaluations and certifications and designing based on the Root of Trust, there’s a democratization of security and skills. Companies can implement security best practice and differentiate around it, making it possible for all parties to benefit from built-in security goodness.
“Having trusted components within an organization or system helps insurers to compartmentalize risk and reduce the cost of inaction. With more trusted components, comes greater business resiliency and more understanding of supply chains that keeps the cost of failure to a minimum.” – Tim Davy, Munich Re
6. Up-level and translate technical security literacy and skills
How organizations and c-suites up-level and democratize security best practice is what will enable markets to scale. Education and awareness are already building beyond enterprise security, coupled with growing recognition of the importance of hardware security. Further facilitating and translating that technical literacy and encouraging a secure-by-design culture will act as an important catalyst for mitigating future risk and increasing business resilience.
“While more technical literacy is always helpful, board members need to move beyond being intimidated by technology and recognize that they already have the skills they need to evaluate and mitigate against business risk – which is how cyber risk should be understood in that context.” – Madeline Carr, UCL
7. Seek external validation – the role of certification
Establishing best practices that insurers, businesses and the broader ecosystem can rely upon is vital in the context of quantifying risk. Independent certification – through the chip, software and the device – provides an objective view of standardized security, validating that a deployment is based on secure components and devices.
“It’s fundamental that security is built in a consistent way at the chip architecture level, so the supply chain can easily understand and measure levels of security. Having independent evaluation is also important. As an industry we can’t mark our own homework, it needs to be reviewed by independent labs to show it conforms with particular norms and levels. Aligning to Government and regulation best practice is mission critical.” – David Maidment, PSA Certified
To find out more on how prevention over cure and a culture of collaborating on best practice can shift the economics of IoT security, check out the newly-available ‘action plan’ from PSA Certified.
– David Maidment – Senior Director Secure Devices Ecosystem, Arm (PSA Certified co-founder)
– Tim Davy – Cyber Security Specialist, Munich Re
– Veena Dholiwar – Cyber Security Expert, Department for Culture, Media & Sport
– Madeline Carr – Professor of Global Politics and Cybersecurity, UCL
– Elisa Costante – VP of Research, Forescout Technologies