Why IoT device manufacturers need to prioritize cyber resilience
What did the launches of Google’s chatbot Bard and Meta’s social media app Threads have in common? Both were big news, but both also went ahead without any presence in the European Union. Why? Because they both fell afoul of EU laws on data privacy.
When the big tech firms are having such trouble playing in European waters, it should serve as a warning to tech firms of all sizes that European laws should not be ignored. And now, the EU is about to bring out new legislation, in the form of the Cyber Resilience Act, which will have a significant impact on manufacturers of connected devices.
This legislation will grant the EU power to remove products from its market (the second largest global market for IoT products after greater China) and impose fines of up to 2.5% of turnover if companies do not comply.
With about 15 billion connected devices now operating around the world, a number that is expected to double by the end of the decade, it’s not just the EU looking to improve security. Governments on both sides of the Atlantic are taking a closer look at how to reduce the security risks posed by IoT devices.
The Executive Order on Improving the Nation’s Cybersecurity, issued in the U.S. in 2021, aimed to encourage manufacturers to increase the level of testing and assessment on IoT products. These types of regulations are becoming increasingly common in the IoT device sector—for good reason.
Defensive difficulties
Due to the nature of how IoT devices are deployed, they can be hard to secure. It can be difficult to stop them from being physically tampered with. When they are in hard-to-reach locations, in transit, or low on power, monitoring becomes difficult as connectivity cannot always be guaranteed. And when malicious attackers do gain access to IoT devices, it can be deeply damaging for customers.
I’ve also worked on enough IoT product development projects to know that security has not always been a top priority when budgets are allocated. When the IoT sector was in its infancy, best practice security was often a secondary consideration. But this must change.
Given the defensive difficulties of IoT, manufacturers are also going to need to adopt a new strategy. Sticking to the same cybersecurity methodology that has defended products for the last 30 years isn’t going to work.
To address this problem, the industry has already been moving to an alternative approach that assumes defenses will be breached. Instead of focusing on cybersecurity as perimeter defense, we are now looking to provide cyber resilience.
Building resilience
To be resilient, IoT manufacturers still need to mitigate the risk posed to their products by malicious attackers. This will require them to use the secure elements and security features embedded in the microchips within their products; these support features such as encryption keys and certificates.
They will also need to enable constant monitoring. If device defenses are vulnerable or have been penetrated, users need to know as soon as possible, and they need to be able to recover and protect against the vulnerabilities at fault. To do this, manufacturers will need to create a comprehensive software bill of materials, including external libraries and product modules, so that every potential attack vector can be monitored.
Users will also need access to a supply of updates that incorporate security patches protecting against common vulnerabilities and exposures (CVEs) and other known exploits.
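As an added illustration (not code from the article), the following script shows the monitoring step a software bill of materials makes possible: it reads a CycloneDX-style SBOM for a device and checks each listed component against a vulnerability feed, reporting which components need a patch and which have no fix yet. The SBOM, the component names and versions, and the feed are all constructed sample data, and the CVE identifiers are placeholders rather than real ones.

```python
# Added example: matching a device SBOM against a vulnerability feed.
# All data below is constructed; CVE ids are placeholders, not real CVEs.
import json

# Constructed SBOM in a CycloneDX-like shape (bomFormat/components are real keys).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "tls-lib", "version": "2.28.3"},
        {"name": "ip-stack", "version": "2.1.2"},
        {"name": "bootloader", "version": "1.4.0"},
    ],
})

# Constructed feed: each entry names a component and the half-open version
# range [introduced, fixed) that is affected; fixed=None means no patch exists.
VULN_FEED = [
    {"id": "CVE-0000-PLACEHOLDER-1", "component": "tls-lib",
     "introduced": "2.0.0", "fixed": "2.28.4"},
    {"id": "CVE-0000-PLACEHOLDER-2", "component": "ip-stack",
     "introduced": "2.0.0", "fixed": "2.1.0"},
    {"id": "CVE-0000-PLACEHOLDER-3", "component": "bootloader",
     "introduced": "1.3.0", "fixed": None},
]

def parse_version(text):
    """Turn '2.28.3' into (2, 28, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed=None: every later version)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable_components(sbom_json, feed):
    """Return [(component, version, vuln id, fixed version)] for every match."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for vuln in feed:
            if vuln["component"] == comp["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append((comp["name"], comp["version"], vuln["id"], vuln["fixed"]))
    return findings

if __name__ == "__main__":
    for name, version, vuln_id, fixed in find_vulnerable_components(SBOM_JSON, VULN_FEED):
        action = f"update to {fixed}" if fixed else "no fix yet: mitigate and monitor"
        print(f"{name} {version}: {vuln_id} ({action})")
```

Run against the sample data, the script flags tls-lib (patch available) and bootloader (no fix released), while ip-stack is already past its fixed version.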
A paradigm shift
This all amounts to a complete paradigm shift in the way IoT manufacturers address the weaknesses of distributed and edge computing. Greater emphasis will need to go into mitigating and monitoring risk—and providing users with the ability to protect, detect, and recover.
This will also require greater investment of resources, which could raise the bar for startups looking to bring innovative new products into the IoT market.
But as we enter a new era of cybersecurity (with AI also accelerating the arms race), it has never been more important to address this problem and manage the vulnerabilities within connected devices and the wider IoT ecosystem.