The Internet of Things (IoT) has transformed how we live, work, and interact with our surroundings. From monitoring our health to managing our homes, IoT devices have become so seamlessly integrated into our daily lives that their presence often goes unnoticed. While these connected devices offer obvious value and convenience, they can also introduce security risks that need to be proactively addressed and managed.
Written By François Baldassari, Founder and CEO, Memfault
IoT devices are often a weak link in security
Historically, manufacturers often relied on “security by obscurity.” Attackers tended to focus their attention on what they considered more “high-value” targets, leaving connected devices alone for the most part. However, this approach is no longer effective in today’s interconnected world. Attackers are turning their attention to connected devices because they can serve as an entry point for a larger attack, be targeted for the sensitive data they collect, or even be manipulated remotely to cause harm.
The lack of consistent security standards and the risk of harm have prompted governments and regulatory bodies to recognise the need for uniform and stricter rules of engagement. Examples of this include the introduction of the soon-to-be-enforceable European Cyber Resilience Act (CRA) and voluntary standards like the US Cyber Trust Mark.
It’s important that manufacturers understand the nuances of these new laws, not just within their own borders, but also in the markets where they plan to sell their products. As current and new regulations become enforceable, non-compliance can result in significant consequences including exclusion from key markets, significant financial penalties, and reputational damage that erodes consumer trust. This underscores the importance of staying ahead of regulatory developments and prioritising security during every stage of product development. The potential consequences are too great to put security on the back burner.
While the regulatory landscape for connected devices is still evolving, manufacturers can take proactive steps today to streamline the compliance process, ensuring they are prepared both now and in the future. The process of proactive compliance can also lead to operational efficiencies and the creation of better products.
The need for a secure foundation
As security vulnerabilities within IoT devices become more frequently targeted, governments, customers, and manufacturers are increasingly aware of the importance of building and maintaining a secure product.
A robust security strategy should prioritise rigorous software development, ongoing collaboration between embedded engineers and software teams, continuous monitoring, and effective response mechanisms.
Equally important is equipping engineers with the right tools. Observability, for example, provides insights that enable engineering teams to proactively uncover vulnerabilities. The ability to perform behavioural analysis on devices and software to detect deviations from normal behaviour is also crucial, as is generating comprehensive audit trails. Additionally, having over-the-air (OTA) capabilities allows for action to be taken quickly when issues are uncovered, significantly enhancing product quality.
Companies must also extend security considerations into the supply chain, especially when third-party hardware and software are involved. Manufacturers must collaborate closely with suppliers to ensure that all components meet appropriate security standards, which includes conducting thorough risk assessments, implementing secure development practices, and establishing robust access controls.
Developing security resources
While it’s easy to discuss the processes needed to improve compliance, many companies lack the infrastructure or staff to implement these changes. Manufacturers often don’t have dedicated security teams, and roles like Chief Information Security Officer (CISO) are still emerging in the industry. This means many companies will need to start by developing a security infrastructure and building a team or department. In some cases, reskilling current employees is an option, while in others it will mean hiring new employees.
Without the right team in place, products can suffer from insufficient testing and reactive issue management, which can leave them vulnerable and at a competitive disadvantage.
Compliance as a competitive advantage
IoT manufacturers in a strong compliance position early on will have an advantage as requirements continue to increase and new global standards go into effect. Partners are increasingly prioritising buying products that have strong security features, and customers are quick to turn to a competitor if a product they use has a security issue.
By prioritising security in every stage of the product lifecycle—from design and testing to ongoing use—manufacturers can build trust, differentiate their offerings, and reduce the risk of costly incidents. Putting processes in place sooner rather than later will prevent future project delays and get products to market faster.
The future of security in IoT
The IoT landscape is expanding rapidly. In 2023 there were 16.1 billion active IoT devices. This number is expected to reach 39.9 billion in 2033. As these devices become more integral to our daily lives, the threat landscape will grow, and in turn, so will the number of regulations and the importance of security.
The changing landscape requires manufacturers to cultivate a culture of security and invest in the right tools. Engaging with industry peers and participating in relevant standards bodies can also offer valuable insights and best practices, enhancing the overall security of the IoT ecosystem.
By adopting a proactive approach to security, embedded manufacturers will not only meet regulatory requirements but also build resilient and trustworthy products. The future of IoT depends on establishing a strong security foundation. As the industry continues to grow, prioritising safety and security will be essential for continued growth and success.
This article originally appeared in the October 24 magazine issue of IoT Insider.