DIY solutions can be time-consuming and costly, shares Raul Vergara, Chief Revenue Officer, Thistle Technologies, who explains why platforms are best
Almost all IoT devices either are now, or soon will be, Edge AI devices as well. The adoption of AI technology is adding extraordinary new capabilities to smart devices at the edge of the network. But one consequence of this is that IoT device manufacturers will have much more value at risk from cyber attacks: the intellectual property (IP) bound up in AI models has a huge cost, in terms of development time, the accumulated training data, and knowledge of how to apply the model to real-world applications.
This IP is hugely valuable to competitors and others, and it can be stolen if not properly protected from cyber attacks.
This has brought the necessity for cybersecurity protection to the front of the minds of IoT device developers everywhere. Their attention to it is reinforced by the requirement to comply with new legislation such as the European Union’s Cybersecurity Resilience Act (CRA) and Network and Information Security Directive 2 (NIS2).
In enterprise computing, applications at risk are commonly hosted in the Cloud, and cybersecurity protection can be applied universally by the Cloud service provider. For IoT devices, no such universality exists: every device has its own unique hardware and software configuration and network connection.
In this highly fragmented market, device manufacturers are used to having to create their own proprietary hardware and software systems. So their first instinct is typically to also create their own cybersecurity solution. As we shall see, this can be an expensive, time-consuming and difficult path to follow. Implementing a common solution that someone else creates, tests, validates and maintains can be a better way.

The CRA was introduced by European Commission President Ursula von der Leyen in her 2021 State of the Union address
Cybersecurity protection requires a complex hardware and software stack
IP theft has emerged as one of the key threats to the business models of IoT device manufacturers, but other forms of cyber attacks also pose dangers. They include:
- Firmware tampering
- Hijacking of over-the-air (OTA) updates
- Credential extraction/exfiltration
To counter these threats, cybersecurity protection needs to be applied end-to-end, starting with a guarantee that the device runs authentic firmware images which have not been tampered with, and ending with secure communication of data between the device and the Cloud. The essential elements of a cybersecurity system to provide this protection are:
- Secure boot – ensuring that only trusted code runs on the device
- Secure OTA update – delivering and installing only authenticated, signed firmware update packages
- Hardware-backed device credentials – providing secure key storage, a unique secure identity, and attestation
- Secure data at rest and in transit
The hardware features to support these security functions are often built into application processors, and can also be provided by a secure element, hardware security module (HSM) or trusted platform module (TPM). But to make these functions operate in an IoT device, a complex software stack with sophisticated security capabilities is required. For instance, secure boot calls for capabilities such as signed and verified bootloaders, an immutable root of trust, and rollback prevention. The OTA update process requires end-to-end signing and encryption of the update assets, as well as failsafe rollback and support for A/B partitions.
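As an added illustration (not code from Thistle Technologies or from any tool named in this article), the sketch below shows how the device-side checks described above fit together: authenticating the update manifest, checking the image digest, refusing rollbacks, staging to the inactive A/B slot, and falling back if the new image fails its first boot. HMAC-SHA256 stands in for the asymmetric signature a real device would verify; the key, the state layout and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in here for the asymmetric signature
# a real device would verify with a public key held in its immutable root of trust.
DEMO_KEY = b"constructed-demo-key"


def sign_manifest(manifest, key=DEMO_KEY):
    """Build side: authenticate the canonical JSON encoding of the manifest."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def fresh_state():
    """Constructed device state: slot A runs version 3, slot B is empty."""
    return {"active": "A", "pending": None, "min_version": 3,
            "slots": {"A": {"version": 3, "image": b"fw-v3"}, "B": None}}


def accept_update(manifest, tag, image, state, key=DEMO_KEY):
    """Device side: stage the image only if every check passes."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "bad signature"
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    # Rollback prevention: a validly signed but older image is still refused.
    if manifest["version"] <= state["min_version"]:
        return False, "rollback rejected"
    # A/B partitions: write to the inactive slot, leave the running one intact.
    target = "B" if state["active"] == "A" else "A"
    state["slots"][target] = {"version": manifest["version"], "image": image}
    state["pending"] = target
    return True, "staged in slot " + target


def boot(state, self_test_ok):
    """Failsafe rollback: the pending slot gets one trial boot and is committed
    (and the rollback floor raised) only if the new firmware passes its self-test."""
    pending, state["pending"] = state["pending"], None
    if pending and self_test_ok:
        state["active"] = pending
        state["min_version"] = state["slots"][pending]["version"]
    return state["active"]


if __name__ == "__main__":
    st, img = fresh_state(), b"constructed firmware v4"
    man = {"version": 4, "sha256": hashlib.sha256(img).hexdigest()}
    print(accept_update(man, sign_manifest(man), img, st), boot(st, True))
```

The rollback floor is raised only after a successful trial boot, so a failed update leaves the device on its previous image and still able to accept the same version again.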
DIY efforts to build an IoT cybersecurity system will normally be based on open-source software (OSS) or commercial frameworks for specific functions, such as The Update Framework (TUF) for OTA updating, or binwalk, a tool for identifying files and code embedded inside firmware images. Implementing a complex software stack which integrates products such as these with proprietary code developed in-house might be difficult, but is feasible for a single proof-of-concept or prototype project.
But the task becomes exponentially more difficult and complex as the developer tries to scale it over a heterogeneous fleet of devices, each with its own hardware configuration, and mix of application software and AI models. And even if the stack is successfully implemented a first time, it needs to be continually maintained, to remain compatible with the Linux operating system, to respond to new cyber threats, and to adapt to new systems-on-chip (SoCs) or other hardware platforms.

As manufacturers scale up cybersecurity software to an entire fleet, implementation time lengthens exponentially
Outsourcing the development of a cybersecurity stack to a specialist software development contractor will do little to shorten the length of the development cycle, and – since contractors have little incentive to share the knowledge they gain from a project with their customer – denies the OEM the opportunity to build in-house expertise. And as more and more IoT device manufacturers ramp up their effort to comply with regulations such as the CRA and NIS2, OEMs will soon find that there are too few contractors available to meet the demand.
Platform solutions: sharing resources reduces cost, improves outcomes
Fortunately, there is another way to build and maintain an effective cybersecurity software stack which avoids the cost, complexity and time involved in a DIY effort. Cybersecurity platforms have emerged as an easily configurable solution which can be scaled over a fleet of any size. The best platforms are hardware- and software-agnostic: they will run on any mainstream application processor or SoC hardware, and any Linux distribution.
These solutions are described as a ‘platform’ because they combine runtime software on the device with a Cloud service. For instance, the Thistle Technologies Security Infrastructure platform’s OTA update service uses on-device software to authenticate the device and establish an encrypted communication link with a cloud-based update server operated by Thistle.
The advantage of this type of platform is that the investment in developing the platform solution and providing Cloud-based services is spread over multiple customers. (By contrast, the full cost of the DIY approach is carried by a single OEM.) The same applies to maintenance: the platform provider takes care, for all users, of developing and delivering security patches and updating the stack to maintain compliance with regulations.
The result: IoT device OEMs can implement cybersecurity protection for their devices faster, and at lower cost, while enjoying the assurance that their cybersecurity stack is compliance-ready for the CRA, NIS2 and other important regulations. In addition, the platform makes all their current and planned IoT products inherently future-ready, as the platform provider will continually modify its solution in response to changes in both the legislative and the cyber-threat environments.
In fact, many OEMs are finding that a platform solution changes their entire attitude to cybersecurity protection: rather than a necessary evil, and an irritating sink for development time and resources, cybersecurity becomes a strategic tool, a source of competitive advantage over rivals which are more exposed to the financial, operational and reputational risks which arise from vulnerability to cyber attacks.

Raul Vergara is a technology leader with a track record at SAP, Arm, and Edge Impulse, now driving go-to-market strategy at Thistle Technologies. He specialises in securing connected devices from silicon to Cloud, championing a secure-by-design approach that keeps IoT ecosystems resilient, scalable, and trusted.