The security landscape for IoT devices is checkered. Some IoT products implement robust security measures, while others have not prioritised protection, leaving them more exposed to attack by malicious actors. It is still relatively common to read about successful attacks on IoT devices (for example, cameras, wearables and medical sensors) that consumers assume are secure out of the box.
Not being able to tell a secure IoT device from an exposed one is problematic, as it reduces consumer confidence at the time of purchase. That in turn hampers the widespread adoption of connected devices.
A lack of enforceable regulations that guarantee a minimum level of security across all IoT products, and the absence of a standardised approach to design, implementation and certification, have been the two key issues contributing to this security confusion. However, there are signs of change on both fronts that should result in a much safer IoT.
Business is on the line
While security represents a cost that must be considered as part of overall IoT product development, the cost of an exploitable vulnerability can be many times higher. The negative impact of a successful attack on an IoT device can take many forms: loss or theft of valuable data or intellectual property, the cost of fixing exposures in products or services, damaged reputation, loss of customers, and payment of fines and penalties.
Furthermore, security breaches in individual IoT products threaten not only the prosperity of the companies that make them but also entire product categories, by giving those categories a reputation for being insecure. Such a reputation undermines consumer confidence in IoT devices at large. From chip vendors to end-device makers, securing the IoT is a vital mission for every company operating in the sector.
Standardising the approach to security
The larger the number of IoT devices connected to the network, the larger the attack surface and the greater the risk of a successful attack. Security is a marathon rather than a sprint: it requires not only an initial protection strategy but also continued security maintenance (for example, vulnerability handling and updates) for the lifetime of the connected product. It is therefore important that security is taken into consideration during the early stages of product design, in the same way that a designer considers functional and non-functional requirements such as battery life or the user interface.
But implementing protection has historically been made more difficult because IoT security has been fragmented, lacking a common language and standardised processes, implementations and certifications. Such fragmentation leads to inconsistent and often inadequate levels of security across IoT devices. The PSA Certified IoT Security Framework aims to solve this challenge by offering a standardised approach to securing IoT devices, covering security analysis, architecture, implementation and certification.
Regulations and security labels are just around the corner
Historically, the security of IoT devices has depended heavily on their category. For example, safety-critical sectors such as industrial and medical have typically been subject to tight security regulations, but more consumer-oriented devices had no specific regulatory requirements, leaving the level of protection in the hands of individual device makers.
New regulations in several jurisdictions aim to tackle the vulnerability of some product types, with the goal of creating a common security baseline for every IoT product; failure to meet that baseline would mean losing market access. One example is the EU's Radio Equipment Directive, which has recently been extended by a delegated act to mandate cybersecurity requirements for connected radio products sold in Europe, with further requirements to come through the Cyber Resilience Act. In the U.S., the 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) has triggered standardisation activities within the National Institute of Standards and Technology. And in the UK, the Product Security and Telecommunications Infrastructure Act enforces cybersecurity requirements for consumer connectable products.
Raising consumer awareness
In addition to regulations that mandate a baseline level of security across all IoT products, various labelling schemes are raising consumer awareness, helping buyers understand the security level of different devices and make more educated choices. Examples include the Cybersecurity Labelling for Consumers: IoT program in the US, Singapore's Cybersecurity Labelling Scheme and Finland's Cybersecurity Label (which recognise each other's labels), and the proposed Australian Cybersecurity Label, which is under development.
Security awareness among manufacturers, installers and consumers of connected devices is gaining worldwide momentum. As suppliers of silicon and solutions increase their investment in this area, device makers have a more solid foundation on which to create and deploy billions of IoT products. Security is one of the key pillars required to scale the IoT, just as it was for the Internet and cellular networks that came before it.