As the Internet of Things (IoT) continues to expand, the focus on securing these devices has shifted significantly. Traditional cybersecurity, which typically protects networks and data from attacks, must now extend into the very fabric of IoT devices through embedded security. This necessity is underscored by new regulations like the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, the European Union’s Cyber Reliance Act, the US IoT Cybersecurity Improvement Act, as well as Singapore’s Cybersecurity Labelling Scheme, all of which mandate a security-by-design approach for IoT devices to one degree or another.
The evolution from cybersecurity to embedded security
These regulations represent a significant shift towards more regulated and secure IoT ecosystems. Manufacturers need to ensure that their devices are compliant with these new rules to avoid penalties and to maintain consumer trust. These measures are expected to improve the overall security of IoT devices, making them safer for users and less prone to cyber threats. But they also require a fundamental shift in perspective compared to some of the lax security measures in place in many devices today. Namely, they require a fundamental shift from a cybersecurity paradigm to an embedded security paradigm.
- Cybersecurity has traditionally centered on safeguarding data and systems after devices are operational, focusing on protecting networks and servers through reactive measures like firewalls and anti-malware systems. This essentially makes security the problem of the end user, not of the device manufacturer
- Embedded Security, in contrast, involves the integration of security features at the hardware and firmware level during the design and manufacturing of devices. This proactive approach ensures that security is a foundational component, not an afterthought, aligning with the concept of “security by design”. Here, device manufacturers take fundamental responsibility for the integrity of their product
Understanding regulatory requirements
Though there are regional variations, the good news for device designers and developers is that these regulations have a lot in common. These requirements reflect a global consensus on key principles for securing IoT devices and will help companies effectively design their devices for compliance across many different markets. These include:
- Security by Design: Regulations often emphasise the need for manufacturers to integrate security features at the design phase of device development. This involves considering security issues as part of the initial design and throughout the product lifecycle, not just as an afterthought
- Regular updates and patch management: There is a requirement for devices to support regular software updates to address vulnerabilities. Manufacturers must ensure that devices can be easily updated when security flaws are discovered
- Transparency and disclosure: Regulations require manufacturers to be transparent about the security features of their products. This includes providing consumers with clear information on the cybersecurity measures in place and any potential risks associated with the device
- Data protection and privacy: Measures to protect personal data collected or transmitted by IoT devices are common. This includes ensuring data integrity and confidentiality, often aligning with broader data protection regulations like the GDPR in the EU
- Compliance and certification: Many regulations introduce frameworks for voluntary or mandatory certification that validate the cybersecurity measures of IoT devices. Manufacturers may need to comply with specific security standards and undergo assessments to demonstrate their devices meet these standards
These commonalities reflect a growing recognition of the critical importance of cybersecurity in the IoT space, with an emphasis on making devices secure by design, ensuring they remain secure over their operational life, and providing clear information to consumers about their security practices.
Implementing Embedded security: 4 practical steps
- Begin by understanding the regulations and the threats: A regulatory gap analysis can help companies understand how far they have to go to get to compliance. In addition, conducting a thorough threat and risk analysis of your device will ensure that you are designing in measures that protect your device from the most serious and probable threats that you’ve defined. Once you understand these things, you are ready to create a security architecture that will lead you to successful certification
- Select the right semiconductor partners: You don’t have to design security from scratch. Increasingly, semiconductor manufacturers are offering a robust security infrastructure that includes security measures such as secure boot, cryptographic engines, and hardware-based key storage into the device’s chipset. They are also starting to offer integrated services for secure identity provisioning, key management, FOTA and other security functions with partners like Kudelski IoT. Selecting suppliers that offer these capabilities will reduce the burden on designers and developers to develop such functions themselves
- Implement hardware security measures in software: One of the biggest mistakes developers make is the failure to actually implement available hardware security measures in software, often leaving security gaps that hackers can exploit. A small amount of incremental work to implement hardware-based security features can prevent these threats altogether
- Conduct independent security assessments: Many regulatory schemes require third-party security assessments of devices prior to certification, but it’s also generally a best practice simply to ensure the integrity of your product and the protection of your revenue and reputation. The resulting reports can be used both to improve any security gaps in your product as well as present to certification and standards bodies as evidence of compliance
Conclusion
Embedded security represents a shift towards integrating security at the foundational level of IoT devices, which is critical in today’s environment of sophisticated cyber threats and stringent regulations. By adopting a security-by-design approach, manufacturers not only comply with laws PSTI, CRA, US-CIA and CLS, but also protect their devices and customers from emerging threats. Following the steps above not only ensures regulatory requirements are met, but also positions manufacturers at the forefront of IoT security, turning a compliance necessity into a long-term competitive advantage.
Author: Christopher Schouten, Senior Director, IoT Security, Kudelski IoT
There’s plenty of other editorial on our sister site, Electronic Specifier! Or you can always join in the conversation by commenting below or visiting our LinkedIn page.