Internet of Things
Securing the IoT
By Joe Lomako, business development manager (IoT) at TÜV SÜD
As devices, systems and processes become increasingly digitised and interconnected, the Internet of Things (IoT) opens up a wealth of opportunities for the electronics industry. However, the same technologies which enable value creation also provide new attack surfaces for criminality, for example by enabling a hacker to infiltrate the networks of companies and critical infrastructure. In the IoT age, every wireless-enabled product represents a serious potential threat to data security and privacy, but proactive holistic security planning enables a manufacturer to manage cybersecurity risk to mitigate attacks. This will help them to avoid costly product recalls, design changes and possibly heavy penalties as a consequence of any data security breaches. Preventative security measures should begin at the design phase, or even the concept phase, and employ the principle of ‘Secure by Design’. Although, as the name suggests, this is aimed at the design stage, it is important to understand that security is a continuous process, through manufacturing to implementation and sometimes even after product obsolescence.
Security is difficult to install as a software add-on after product development, and the levels of difficulty are usually not predictable and depend on security level, system complexity, logistics and costs involved, to name but a few. So, understanding this, the Secure by Design principle probably seems more sensible. However, that in itself has to be defined. This process should therefore begin with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the appropriate security requirements for that product and indeed for the IoT system as a whole.
After risks are understood, the next step is to evaluate the hardware and software – the attack surface. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security is very difficult to install as a software add-on after product development. Every aspect of the product must therefore be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications.
Following component testing, an end-to-end assessment should be performed to determine the attack resilience of the individual components and support services. It should be reiterated that this process is continuous. The questions “have we found every vulnerability?” and “have we introduced new vulnerabilities?” are always in the air. Thus, implementing a process of security validation for updates during the product lifecycle is also important.
Experienced consumer IoT companies go beyond embedding security into their products: they study customer behaviour to identify and minimise user-generated risks. Product manufacturers must therefore think through unintended misuse by the consumer and ensure that they are made aware of potential issues. An additional benefit to this approach is that it adds value to the final product.
From a regulatory perspective, standards are being developed for different product types and industries globally. This will assist manufacturers in their design, as well as help them to understand the risks involved. Many are at various stages of advancement and ratification. For example, while the standard for IoT products in Europe is presently in draft stage, the document contains a lot of important information and provides a security baseline of mandatory and non-mandatory provisions. The scope is non-exhaustive but applies to typical IoT products such as smart home devices, TVs and connected appliances, such as washing machines and refrigerators.
Although this standard does assist in defining and verifying a product as having what could be called a ‘first line of defence’, manufacturers should remember that it is not exhaustive and is not presently a mandatory regulatory requirement. So, they should consider their own programs to protect their product. A starting point would be:
• Think “Secure by design” and take a proactive approach to cybersecurity, recognising that attacks are “when not if”.
• Ensure up-to-date compliance with all standards.
• Constantly review ‘cyber resistance’ status.
As Industry 4.0 and the IoT advance, systems and installations will become increasingly interconnected on a global scale. While digitisation and the increasing connectivity provided by the IoT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cybercrime. Both industrial IT security and the security of the wireless products which manufacturers produce have therefore become increasingly important.
Whilst having some level of internal security knowledge, many manufacturers will benefit from working with external specialists who have wider exposure to assessing various types of product or infrastructure and are better equipped to help manage new and evolving cyber threats. Tackling the problems of cyber security risks can only be realised by comprehensive planning, periodic evaluation, updates and monitoring, from design through to obsolescence.
tuv-sud.co.uk
30 March 2020
Components in Electronics
www.cieonline.co.uk