As 2018 draws to a close, we’ve seen a landmark year in cybersecurity for embedded systems and the Internet of Things (IoT), marked by escalating threats, new regulation, and broader attacks.
Here’s a look back at three important IT security milestones in 2018 and a look forward with some predictions for 2019 and beyond.
2018: Year of Record Vulnerabilities
With a few days remaining in the year, the number of reported Common Vulnerabilities & Exposures (CVEs) has topped 16,000 this year, on pace to reach a 10% increase over 2017’s record count, according to CVE Details.
Obviously, the rising flood of vulnerabilities presents challenges for vulnerability monitoring and patch management, with an average of more than 300 vulnerability notifications being issued each week.
The rise in reported vulnerabilities was paralleled by a continued expansion of the number, types and range of security incidents and confirmed breaches.
The 11th annual Verizon Data Breach Investigations Report released in April revealed security incidents topping 53,000 in 2017, up more than 26% from a year earlier. The Verizon DBIR, which every year provides valuable insight and analysis of the state of cybersecurity, added embedded system breaches to its reporting on IT assets that are under attack.
Indeed, a common refrain among industry observers and security practitioners is that security is getting worse, not better, despite widespread efforts to improve security awareness.
2018: IoT in the Crosshairs
The increase in security failures in 2018 was driven in large part by rising breaches and vulnerabilities involving IoT, Industrial Internet of Things, and similar connected smart devices. The vulnerable nature of these devices became starkly clear in July when a 10-year-old security flaw put almost half a billion deployed IoT devices at risk of a security breach.
Security researcher Brannon Dorsey published his findings about the old DNS Rebinding vulnerability present in millions of IoT devices. The flaw enables an attacker to bypass firewalls and interface with commonly deployed IoT devices.
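A defender-side illustration of the DNS rebinding pattern described above, added here and not taken from the original post, Dorsey's research, or any Timesys product: the two checks an embedded web service and its local resolver can apply (a Host-header allowlist on the device, and a resolver rule that drops private addresses in answers for non-internal names, the behaviour dnsmasq offers via --stop-dns-rebind). DEVICE_HOSTS and every name and address below are constructed sample values.

```python
import ipaddress

# Constructed example: names and addresses under which this device legitimately
# serves its local web UI. Any other value in a Host header is a foreign origin.
DEVICE_HOSTS = {"192.168.1.20", "thermostat.local"}


def _strip_port(host_header):
    """Return the host part of an HTTP Host header, dropping an optional port."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [fe80::1]:80
        return host[1:].split("]", 1)[0]
    if host.count(":") == 1:                 # name:port or IPv4:port
        return host.rsplit(":", 1)[0]
    return host


def host_header_allowed(host_header, allowed=DEVICE_HOSTS):
    """Device-side rebinding defence. A browser that was rebound from a public
    name to this device's private address still sends that public name in the
    Host header; answering only requests whose Host names the device itself
    means the rebound script gets nothing back."""
    if not host_header:
        return False
    return _strip_port(host_header) in allowed


def dns_answer_suspicious(qname, answers, internal_names=frozenset()):
    """Resolver-side rebinding defence. An upstream answer that maps a name
    outside the local zone to a private, loopback or link-local address is
    the rebinding signature; a filtering resolver drops such answers."""
    if qname.lower().rstrip(".") in internal_names:
        return False                         # local names may legitimately be private
    for record in answers:
        ip = ipaddress.ip_address(record)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            return True
    return False
```

The Host check is the one a device maker controls directly; the resolver rule belongs on the home or site gateway and only protects hosts that use it.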
Air-gapping, in which a critical system is not connected to external networks or the Internet, is thought to be a strong way to protect systems. But even air-gapped systems are not immune, as reports emerged that an air-gapped power management system deployed on a ship was found to be compromised.
2018: Be Secure or Be Fined
It might seem logical that the ramping up of vulnerabilities and high-profile breaches in recent years would lead device makers and system vendors to be extra cautious about security in their products. Unfortunately, according to some industry observers and researchers, many IoT device makers are simply ignoring the risks. Penetration testing expert and researcher Ken Munro was quoted by Computer Weekly as saying his warnings about security vulnerabilities to device suppliers go largely ignored.
“My experience with almost every single IoT supplier we have ever disclosed to – and we have done two to three disclosures per week for the past four years – is that they simply ignore us, nothing happens and they carry on selling their product, profiting out of making people vulnerable,” Munro was quoted in Computer Weekly as saying in a conference presentation.
An industry that does not protect its customers often invites new regulation.
And 2018 saw precisely this development, as the state of California passed the first law in the US specifically requiring the makers of IoT devices to deploy certain security controls in their products.
The California IoT security law sparked controversy, with some security experts describing it as too vague and ineffectual, while others said the new law does not go far enough.
Looking Ahead at 2019 (and beyond)
Given the rapidly changing threat environment that encompasses IoT, embedded systems and smart devices, we expect to see new developments in 2019 and beyond.
Here are the Timesys predictions for embedded system and IoT security:
Prediction: Security as a Differentiator
We work with several device makers who consider security of their devices and their customers a top priority.
In many industries, high security is a table-stakes requirement, such as in medical devices that can have a profound effect on a person’s health if they are compromised. GE Healthcare is one such maker of highly secure devices and is a Timesys partner.
Roshy J. Francis, Chief Technology Officer of Diagnostic Cardiology for GE Healthcare, said earlier this year: “We chose to partner with Timesys in the development of our new portfolio of medical devices to ensure that they stay secure throughout their lifecycle.”
“Our customers globally face strict information security requirements combined with a heightened threat environment when deploying these devices within their enterprise. Our secure design methodology, partnership with Timesys, and operational policies allow our customers to be confident in choosing and deploying these devices in their healthcare practice.”
We expect that many more makers of products involving embedded systems and IoT will begin following GE Healthcare’s lead and use security as a differentiator, even in industries where a security breach is not a health-affecting event.
Prediction: Expanding Threat Environment
What’s notable about 2018’s increase in publicized vulnerabilities and confirmed breaches is not only the volume but also the scope and variety of attack targets.
As the Verizon DBIR shows, more industries are under attack than before. Of the nine industries tracked in the DBIR, six show increasing numbers of attacks over the past three years. In fact, the proliferation of ransomware means that money-motivated hackers can go after any type of company at all, not just the financial institutions that have been favored targets in previous years.
On top of the rise in new vulnerabilities and attack targets, one of the highest-profile IoT security disclosures involved a 10-year-old vulnerability. This means that devices are affected not only by newly emerging vulnerabilities and zero-day exploits, but that very serious security gaps can also result from old and known vulnerabilities.
As smart devices are deployed in new ways, in new locations and with new applications, old vulnerabilities that previously didn’t matter can suddenly undercut a device’s security posture and render it vulnerable to attack.
Prediction: Escalating Regulation
It’s the norm in almost any product space in any market: if defective or dangerous products are common, government regulators step in to establish safety requirements and punish those who violate them.
In the wake of high-profile IoT breaches and California’s new IoT law, some in the IT security industry called for broader legislation and regulation. Some say IoT security regulation is needed that mirrors the European Union’s recently enacted General Data Protection Regulation (GDPR).
Aimed at protecting the privacy of EU citizens’ personal information, the GDPR includes fines for companies that violate it of up to 4 percent of the company’s annual revenue or 20 million euros, whichever is higher.
Will it take fines amounting to tens of millions of dollars to lead to safer IoT products?
Or will the market itself begin to self-correct, with device buyers making decisions based on security and product makers focusing on security as a chief product benefit?
Embedded System and IoT Security Best Practices
Timesys works with a wide range of embedded system and IoT product developers who are dedicated to bringing more secure products to market.
Visit www.timesys.com to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.