The continued growth of the IoT industry makes it a transformative force across all industries, with IoT connections expected reach $2.4 trillion annually by 2027. As the IoT continues to gain momentum, trust is more important than ever for today’s innovative use cases. With devices becoming more connected and mobile, embedding trust in transactions and processes is an essential part of supply chain operations.
For many years, the industrial sector used private networks to control crucial operations. But with the emergence of Industry 4.0, manufacturers increasingly want these systems moved online to reduce costs and increase flexibility. However, not all IoT security best practices have developed at the same rate. For example, some manufacturers prioritize authentication while neglecting encryption of sensitive data. Being selective about which security best practices will be leveraged, leaves companies at risk. Organizations need to fully understand their vulnerabilities, and then implement a comprehensive security approach that addresses the risk.
Current IoT security challenges
Security in IoT devices and deployments must be strategically thought through and planned for during every stage of the device lifecycle. For some, IoT security deployments have been an afterthought, such as retrofitted devices containing bolted-on security solutions which expose them and make them vulnerable to malicious entities.
We explore the concept of IoT in a practical sense in the workplace
Even today, disparities in capabilities and maturity models remain. We’re seeing different levels of expertise and execution in companies in terms of technology and security. For example, some organizations are still struggling to protect their firmware and implement basic authentication approaches. Others may not be concerned at all about product security and are only focused on traditional enterprise cybersecurity strategies. While the most basic cybersecurity approaches of authentication, identity and encryption are more broadly adopted, they are still not yet ubiquitous within IoT.
Trust issues may extend farther than you think
One of the top issues for IoT deployments is ensuring trust within a supply chain of a complex ecosystem of suppliers, components, software and service, increasing the risk of cyberattacks. Supply chain attacks increased by almost 80% in the past couple of years, targeting less secure components of systems with the aim to access and steal confidential information, or gain a foothold to springboard attacks into other parts of the system and connected networks.
As embedded systems and networks expand further into enterprises, it is increasingly important that they maintain reliable supply chains. While supply chains have evolved to become highly sophisticated, their interlinked nature makes them increasingly vulnerable to a wide range of risks. A global survey found that 80% of enterprises were not fully prepared to prevent intruders from accessing their networks and targeted data, which could make them succumb to major cyber risks such as large financial loss, operational disruption or intellectual property theft.
To put basic best practices for trust in place, manufacturers need to consider what components, devices, and software is connected to the factory line, and who has access. Manufacturers must also look at what security they have in place for assembly, shipping, import, and export processes. A compliance and supply chain control procedure are paramount to secure device manufacture and delivery.
Enabling trust beyond the factory floor
The need for trust doesn’t end after a device goes out the door, so it is important to consider whether or how a device will communicate after deployment. An organization should be sure that its end product can gather data and communicate in a way that will not expose privacy and data security issues. They will also want to determine whether the component will protect the device from being a participant in DDoS or similar attack vectors that can occur in deployed IoT devices.
IoT was identified as one of the emerging trends for 2020
IT and security teams must also consider the holistic supply chain for the device as it is manufactured, goes out to market, and is put into production. The more they can consider how things are created securely, the more control they will have over limiting that exposure for companies and customers using these devices.
IoT use cases aren’t limited to manufacturing alone. For example, in an enterprise environment, risk can appear in connected TVs, vending machines, and other devices—this is where IoT security and enterprise security meet. It’s up to IT and security teams to determine the level of risk of these common devices, and how they will limit broader exposure to the overall enterprise if a security issue arises.
Today’s IoT devices can pose risks to the entire organization, especially with 59% of enterprises from a Gartner survey having partially or fully deployed IoT across their entire organization. Although the technology has been implemented, most enterprises still struggle to define the best opportunities for using IoT. The size and complexity of IoT components have grown, even as the form factors of devices have shrunk. Many devices support higher Internet throughput, with even faster communication just around the corner as 5G begins to gain acceptance. Bad actors increasingly view these IoT devices as a rich target that can do even more damage than earlier technology.
Basic planning now can shut down future issues
What can manufacturers do to move forward in implementing trust across the supply chain? The first step is to understand what is going into the software. Evaluate your processes to determine what technologies you are including—whether intentionally or not. Consider your commercial software in use as well. Consideration and scrutiny should be used for software, components, and services are shared across product lines within a manufacturer. When looking at these types of elements, confirmation that they have undergone secure code reviews, penetration tests, and audits (as necessary) can help them be safely deployed into a network.
It’s also important to put a readiness plan in place well in advance of device deployment and customers usage. If something goes wrong with firmware, what is your plan to remediate the issue? If something goes wrong with a service your devices depend on, how will you address it? If your device reaches end of life, can it potentially be used to cause damage to other components of the network—even if the license is revoked? Develop a thorough understanding of what it means for your organization’s supply chain to be compromised, and its implications across the business. Based on these insights, you can think through how to manage and control the risk associated with a deployed device. Timing is essential, and what is most important is that you develop your remediation plan well before deploying a device. It’s often more challenging to come up with a plan to address an issue after a security breach has been discovered. And sadly, far too often, we see this become the case.
Digital certificates can be an important part of an overall layered approach to IoT security. The certificates can be used to help with strong authentication, encryption of data in transit, and ensure the integrity of the device execution and updates. When deploying security based on certificates, choose a platform that can enable a holistic approach to managing both the devices AND the certificates. When your needs change, you should be able to quickly update and deploy your certificates from a central location, across your environment—and out to the devices.
It’s clear that the IoT will continue to transform manufacturing, utilities, households, and many other fields. By making trust and identity an essential part of your IoT strategy, you can ensure that your deployment delivers the business outcomes you expect—while minimizing risk across your organization.
This was contributed by Mike Nelson, VP of IoT Security at DigiCert
About the author
Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.
Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.