By Caitlin Gittins, Editor of IoT Insider
As IoT devices proliferate to the “tune of billions”, it is imperative that device security is not left behind. Yet it often is, as illustrated by Christopher Schouten, Senior Director of IoT Security at Kudelski IoT.
The popularity of smart home devices has meant that sometimes the presence of Alexa, the voice assistant created and owned by Amazon, can feel ubiquitous. And a report by YouGov released in January 2024 showed that 65% of American consumers own at least one smart home appliance or device, an increase from 51% in 2020. Perhaps they are ubiquitous, for many consumers.
A Deloitte survey dated September 2023 highlighted that 77% of consumers who have adopted smart home devices believe it has improved their quality of life – but in another survey, also conducted by Deloitte, 62% of smart device users are concerned about data security and privacy.
It is this combination of growth and an expanding attack surface that formed one major talking point in my conversation with Schouten. “Consumers are adopting the usefulness of smart home devices, more and more, which just creates a bigger attack surface in homes,” he said. “Because that market is highly competitive, a lot of these device manufacturers have gone to market without taking the necessary security precautions that they should have to make sure that consumers’ privacy and data and the devices themselves are sufficiently protected.”
This competitiveness has been seen as a barrier to ensuring device security, Schouten said. “The competition in the market … has prioritised functionality and time to market over security in most cases.”
The Product Security and Telecommunications Infrastructure (PSTI) Act, which came into effect in the UK on 29 April, put into law certain responsibilities for device manufacturers: making passwords more secure, providing clarity around security issues, and stating how long customers will receive security support.
“With the introduction of the PSTI Act we’ve seen some companies have to take their connected devices offline,” Schouten explained, “and publicly announced to their customers that these devices can no longer have the connected services offered, because they don’t comply with the PSTI regulation.” He added that this demonstrated a “lack of prioritisation of security,” but that there were developments in the market making it easier to implement IoT security.
The Secure by Design concept refers to not only building cybersecurity into the development and manufacturing of products and devices, but also viewing cybersecurity as a collective responsibility – and not just the responsibility of the IT department, for example. “We think this is an important shift in mindset. It’s what different regulations around the world are demanding, a stronger focus on the security by design aspect.”
“When we got into this business seven, eight years ago, we realised it was going to be a long game. But we see a fundamental shift happening now with the regulations and standards pushing every industry more and more towards secure by design,” Schouten added.
Embedded security is significantly different from cybersecurity. “It starts by understanding the regulations and the threats,” he said. One way Kudelski IoT does this is through its IoT security labs, based in Switzerland, working with different industries and devices around the world. “Before you design the device, a thorough threat and risk analysis will ensure you understand the threat landscape and understand the things that have a negative impact on your product.”
Kudelski IoT is working in collaboration with partners to embed security infrastructure into their chipsets. “Things like Secure Boot, cryptographic engines, random number generators, hardware-based key storage, secure execution of code, can be done using the tools that we provide within the chipset,” he explained.
Although the threat landscape has evolved over the years, there are no obvious trends in the kinds of cyber attacks committed, based on my conversation with Schouten. “This is something I frequently asked our security labs to give me advice on … The answer to me for the last few years has always been the same: ‘We don’t see any two gaps that are the same among different devices,’” said Schouten.
Failure to comply with the PSTI Act can result in a hefty fine, or even a product being taken off the market. But the motivation for securing devices shouldn’t be compliance alone.
“We’re talking not only about regulatory compliance, we’re also talking about your brand’s reputation. Your ability to serve your customers, your ability to not leak their data, which can lead to legal liabilities, you know, outside of the regulatory regime, just from a civil lawsuit perspective as well,” Schouten added. “Most importantly, [you need to do] the right thing for your customer and have a security first approach.”
Schouten stressed that “security is an opportunity,” adding that although people once saw it as a cost and a hindrance, the mindset is changing, and people are embracing secure by design and embedded security.
This article originally appeared in the October 24 magazine issue of IoT Insider.