The IoT Security Challenge: A Digital Assurance Imperative
Sally Eaves
Emergent Technology CTO | Global Strategy Advisor - Blockchain AI 5G IoT FinTech | Social Impact | Keynote Speaker and Author
We are racing to digitalize everything, seeking to take advantage of the combination of big data insights, improved connectivity and emergent technology integration, from improving business efficiencies, performance and resiliency to enabling education and training, as catalysed by the hybridisation impact of COVID-19. As a result, we are living in an increasingly interconnected, always on, always sensing and intelligent world, and this pace, scale and hybridity of innovation and digital transformation is only set to accelerate. It is estimated that by 2025 the number of IoT connections will more than double to some 75 billion connected devices, creating significant new value. As an example, the revenue in the IoT value chain generated from cellular and LPWA connections is estimated to reach some $211 billion by 2028, primarily from applications and hardware (Analysys Mason). In respect of IIoT, this is estimated to reach over $922 billion by 2025.
This explosion of IoT has enabled low-cost hardware to be connected to the network; however, many of these devices are vulnerable to attack. As building, operations and enterprise management systems become smarter, we are also moving to an IoT space where organisations are finding it easier to integrate their IT and OT to realise new business value, particularly outside “critical” infrastructure. But this drive for IT-OT integration also has the consequence of multiplying the potential entry points for cyber adversaries, increasing risk and widening the vulnerable attack surface across the estate.
Putting this into context, cyberattacks have been occurring every 39 seconds on average, 2,244 times a day (Varonis 2020), with the FBI reporting a 300% increase in reported cybercrimes in March alone. From missed patches, to reduced security hygiene and the temptation for ‘workarounds’, to gaps from misconfigurations, attackers have leveraged the opportunity to target vulnerable networks as office work moved to personal homes with unprecedented speed and scale. In respect of IoT devices, that threat now stands at around 5,400 attacks per month on average according to Symantec research. Vulnerabilities here can range from implantable medical devices right through to poorly secured home thermostats.
In terms of the nature of threats, healthcare has become a predominant focus, with attackers exploiting pandemic uncertainty through phishing, sending fraudulent WhatsApp and email messages to trick recipients into opening attachments or clicking on malicious links. There have even been examples of ransomware attacks targeting companies developing tests, treatments and vaccines. Indeed, new research shows the healthcare industry’s risk exposure to be especially high, more than seven times that of manufacturing (Bleeping Computer), with the IoT-enabled wearables, devices, apps, data aggregators and platforms that allow measurement, tracking and aggregation of an array of lifestyle/health measures and behaviours becoming a growing risk area. In combination, this is quite a change from the first ever recorded cyber-attack, the ‘Morris Worm’ in 1988, which affected 6,000 computers, roughly 10% of the entire internet at that time! How times have changed!
So, whilst it is clear that IoT and IIoT afford huge opportunities, they also represent significant areas of vulnerability if and when not properly protected. How can we best mitigate the risk?
A Holistic Security Strategy
This accelerated rate of adversarial activity drives home the importance of implementing a holistic security strategy as the foundational element of the overall digital (transformation) strategy. Today’s digital age requires a continuous assessment of threats, both to mitigate risks and to build the right digital trust across your ecosystem. As we have seen, these threats are growing in rate, scale and sophistication, and evolving quickly across people, process and technology. No one is exempt; no air gap is totally safe. A good example of this is that ransomware attacks, which typically focused on IT alone, are now targeting industrial control and other OT systems. Additionally, advanced IT/OT integration (or converged IT/OT) is often dependent upon legacy hardware and software that is not routinely patched and likely brings inherent security vulnerabilities.
To counter this dynamically evolving threat landscape, building a holistic, flexible and scalable security strategy is critical in order to respond to these risks, whether they come from your industry network, your people, your assets or your data. This is not only about protecting yourself and your business or personal environment: the whole ecosystem must collaborate to raise the bar and develop a collective defence. A holistic strategy means taking a lifecycle approach across technology, processes and people so you can scale and respond to the dynamic nature of the risks. This is a three-dimensional challenge: 1) roles, 2) technologies and 3) scaling out these elements. A holistic approach addresses the dynamic nature of each of these components to improve security across the lifecycle, and enabling security assurance can play a pivotal role in its actualisation.
Security Assurance – The Role of PSA Certified
It is critical that all devices have the most up-to-date security at any given point. Back in 2017, Arm CEO Simon Segars issued a call to action for companies to sign up to a new digital social contract that obliges them to protect users. Internet security relies on industry teamwork, and innovation is best enabled by a robust, structured and shared approach to security levels rather than a ‘breach then patch’ approach.
Moving forward to 2020, in the context of the increasing pervasiveness of IoT and the clear growth trajectory ahead, PSA Certified is supporting exactly this: an industry collaboration by Arm and leading security testing labs to offer an independent, trusted and comprehensive approach to testing with assurance for IoT devices and digital transformation more broadly. The overarching mission behind its development is to provide a framework for securing connected devices that is architecture agnostic, whilst ‘opening up’ access to world-leading global security expertise and best practice knowledge.
'Data can only be trusted if it’s generated by trusted devices with security at heart – Digital Transformation starts with trusted devices' (PSA Certified)
The PSA Certified framework provides standardised resources to help resolve the growing fragmentation of IoT requirements and covers analysis, security assessment and certification, helping to ensure that security is not a barrier to product development. A new whitepaper available here offers more details of the four-stage program, which in summary provides:
- A methodically created program offering independent testing and evaluation
- A low cost and minimal risk path for more secure connected devices
- Fast alignment with legislation and standards
PSA Certified matters because it can increase confidence in device security up front and ‘by design’, and also accelerate time to market and adoption rates. Consumers in particular are seeking trusted knowledge sources, with the latest update to the Trust Barometer by Edelman reflecting the COVID-19 landscape shift. And as the focus on healthcare increasingly transitions to security, I believe the importance of ‘delivering on trust’ is only set to increase. Being PSA Certified reflects an embedded commitment to security, raises trust in the ecosystem and demonstrates compliance with standards and industry best practice.
With a plethora of different requirements and emerging legislation that varies by geography, the PSA Certified program also maps products to government-backed baseline requirements, standards, legislation and regulation, personalised to regional context and with a full audit trail, all helping to keep development processes in check and removing areas of potentially very costly confusion or ambiguity. Indeed, when you add the element of risk to private data, the risk and penalties for compromise escalate, and fiscal penalties are substantial. For the industry as a whole, the framework also supports alignment, enabling a transparent dialogue and common language across the electronics industry and developers, whilst setting structured levels of security.
Final Thoughts
Security protection requires a layered approach to address risk that cuts across all layers of the enterprise and across people, technology, processes, culture and skills. It also necessitates a holistic approach to digital transformation strategy with security embedded by design. I believe that the PSA Certified framework and assurance program can be a pivotal enabler in this trajectory, making security a foundational part of every aspect of product development, with a clear baseline for connected devices and independent assessment by leading test labs, whilst contributing to a broader ‘defence in depth’ security posture.
Reflecting further on the key benefits, these come together to afford enhanced peace of mind, trust, tailored management of regulations and standards across geographies, lower ownership costs and, overarching it all, the establishment of common beliefs and a collective commitment to security. Finally, for further examples of its application in action, a number of PSA Certified partner stories are available here to help inspire your security assurance certification journey, where certification equals digital assurance, and trust builds value.
About the Author
Prof. Sally Eaves is a highly experienced Chief Technology Officer, Professor in Advanced Technologies and a Global Strategic Advisor on Digital Transformation specialising in the application of emergent technologies, notably AI, FinTech, Blockchain & 5G disciplines, for business transformation and social impact at scale. An international Keynote Speaker and Author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations and has been described as the ‘torchbearer for ethical tech’ - founding Aspirational Futures to enhance inclusion, diversity and belonging in the technology space and beyond.
Comments

Using 'Systems Thinking' & Cybernetics (CyberSystemics) to explore #complexity & handle the challenges of #Sustainability & #Technology (3 years ago):
Wonderfully articulated post, so much research here and could not agree more; the assurance of #psacertified is a tangible and collaborative step forward to help build #trust in #IoT and #services, reducing the biggest threat to #digitaltransformation: #security. Highly recommended reading. Arm Nordic Semiconductor ASA

Innovative Chief Innovation Officer @ Nebulai | MIT Executive Program (3 years ago):
Very insightful, thanks!

Financial Ecologist, Ecosystem Risk Management; Academic & Advisory Boards (3 years ago):
Hence, in the banking sector, BIS and the Basel Committee have to catch up with the evolution of the business environment and enhance the operational risk management guidelines/principles, especially to go beyond the capital calculation-centric approach to encompass business process governance at the ecosystem level and the cyber environment as well.