Research, reporting and commentary about Internet of Things security have made a flurry of technology headlines over the past several years. And industry observers are commenting that IoT security may finally be gaining the attention it deserves among technology decision makers.
So will 2019 be a milestone year for IoT security?
Or will more IoT security failures lead to more industry regulation, more vendor criticism and more conversation, but not enough action?
Continuing Security Shortfalls
TechRepublic described last year’s increase in IoT security failures as “proportionate” to the increase in device deployment. And that seems like it might be an understatement.
In October, researchers announced the discovery of a new IoT-based botnet, Torii, which CSO magazine described as “much more sophisticated” than the Mirai botnet that crippled huge portions of the Internet in 2016.
“Its sophistication is a level above anything we have seen before,” the researchers told CSO, describing how the botnet malware can run on almost any modern computing architecture.
By coincidence, shortly before Torii was exposed in October, the hackers who used Mirai to launch the devastating 2016 attack were sentenced for their crimes, according to Krebs on Security.
But it’s not only new strains of malware that pose such threats. Security researcher Brannon Dorsey recently uncovered a 10-year-old security flaw that puts a reported half billion deployed IoT devices at risk of a breach.
And undoubtedly the security environment for IoT will not get better in the face of the widespread increase in vulnerabilities across all types of IT. Reported vulnerabilities hit an all-time high in 2018, with Common Vulnerabilities and Exposures (CVE) notifications reaching 16,555, according to CVE Details. That’s a 12.5% increase over the 2017 figure, which was the previous record.
The Stick, Not the Carrot
The breaches, vulnerabilities and malware news around IoT have attracted increased attention from law enforcement, such as the Federal Bureau of Investigation’s recent warnings about IoT security.
And the problems have predictably resulted in legislation, such as California’s IoT security law enacted in 2018. Some in the industry have criticized the law as not being strong enough, in fact calling for an equivalent of Europe’s General Data Protection Regulation that carries heavy fines for companies that violate a citizen’s privacy.
A great number of emerging technology fields follow this pattern. If the makers of the technology are creating products that fail to protect users in some fundamental way, government or industry regulators of some form step in to create and enforce standards. This results in compliance processes, certification regimes, and a host of other steps that aim to ensure some minimum standard is met.
Will the makers of IoT and smart devices need to be threatened with that kind of stick before they focus on product security? Or will the industry recognize the benefits of marketing secure products, making strong security a differentiator?
A Seat at the IoT Table
A critical factor that will determine how vendors regard security in their IoT products is how the end customers who deploy those products view security. And on that front, some industry observers are describing some progress.
IT industry analysis firm and enterprise advisory group Gartner recently named IoT security as one of the major trends to watch in coming years, citing IoT governance, trusted hardware and trusted operating systems as the key areas of innovation.
In the announcement of the trends, Gartner also mentioned an important organizational shift for the end customer companies deploying IoT, essentially saying that IT security should have a major role in determining technology deployments. Nick Jones, research vice president at Gartner, said, “We advise CIOs to collaborate with chief information security officers to ensure the right staff are involved in reviewing any decisions that involve purchasing IoT devices and embedded operating systems.”
In effect, giving the CISO a seat at the table for IoT purchasing decisions means vendor offerings will be held to a higher security standard.
Making Secure Products Today
In Timesys’ work with leading device manufacturers, we enable embedded system IoT security using the industry’s best practices for designing and maintaining secure products.
Our Timesys Product Protection Solutions enable device makers to produce products that are Secure By Design and that Stay Secure.
We work with companies on embedded system security, embedded Linux security, IoT security, open source software security, and secure system development with Yocto.
Visit www.timesys.com to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, providing smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.