The recently unveiled US National Cybersecurity Strategy has raised alarm bells about the inadequacy of security measures in place for many widely-used IoT devices against contemporary cyber threats. The strategy also underscores the challenges posed by the difficulty, and at times impossibility, of patching or upgrading these IoT devices.
On July 18th, 2023, the White House announced a new US cybersecurity labeling initiative for smart devices. The initiative aims to help consumers make informed choices by selecting products that are less susceptible to cyberattacks. Notably, the program mandates that manufacturers assume responsibility for device security throughout the devices’ lifecycle, which necessitates regular security updates. Microsoft, renowned for its history of creating secure platforms, stands prepared to aid manufacturers in meeting the requirements of this labeling program. Its line-up includes Windows IoT, Azure Sphere, and Edge Secured-Core.
Commitment to IoT security by Microsoft
While the public is familiar with Microsoft’s focus on securing Windows PCs and servers, its similar efforts to bolster security for business-critical systems, encompassing vulnerable IoT and OT endpoints, often fly under the radar. Microsoft’s vigilant detection of diverse threats targeting IoT devices, ranging from complex malware to malicious cryptomining, underscores its commitment to partners. These endeavours align with the objectives set forth in the new National Cybersecurity Strategy and other initiatives championed by the US Cybersecurity and Infrastructure Security Agency.
Implementing security as an intrinsic design element
Developing and implementing software products that are inherently secure is a formidable and resource-intensive endeavour. Secure-by-Design demands substantial resources to integrate security functions at every layer of the product development process. Security has to be built into the design early, rather than retrofitted later. Microsoft, in line with this principle, has invested $100 billion in its security solutions over five years, employing over 8,000 security professionals. The result of these investments is Windows 11, hailed as the most secure version of Windows to date. Microsoft’s deep-rooted commitment to security extends to its products and programs, assisting partners in creating and maintaining robust IoT solutions.
Zero trust paradigm applied to IoT
Rather than assuming that everything behind a corporate firewall is safe, the Zero Trust model treats every request as though it potentially originates from an uncontrolled network. This approach, which favours verification over trust, resonates with the principles of the new US National Cybersecurity Strategy and the cybersecurity labeling program. The model goes beyond traditional network security, adapting to modern organisational needs marked by mobile workforces and evolving threat landscapes.
Zero trust principles and IoT security
Microsoft champions a Zero Trust approach to IoT security, predicated on rigorous identity verification, endpoint security, application integrity, data protection, infrastructure fortification, network security, and orchestration. By subscribing to this holistic strategy, organisations are better equipped to navigate the complex IoT landscape and mitigate risks effectively.
Microsoft’s Edge Secured-Core initiative
Acknowledging the challenges in implementing Secure-by-Design and Secure-by-Default, Microsoft introduced the Edge Secured-Core program. This initiative streamlines the process by codifying and operationalizing security principles into clear requirements. This framework offers tools and guidance to ecosystem partners, facilitating the creation of devices that adhere to stringent security standards. Partners, including Intel, AAEON, Lenovo, and Asus, have embraced this program, as evidenced by their presence in the Azure Certified Device Catalog.
Securing IoT with Windows IoT and Azure Sphere
Microsoft’s Windows IoT capitalises on its legacy of Windows security, offering a secure and dependable platform for IoT solutions across industries. Its features, including encryption, secure boot, code integrity, exploit mitigations, and device attestation, safeguard devices from modern cyber threats. This platform also enables end-to-end management and updates using the trusted Windows infrastructure, ensuring the timely delivery of security patches and feature enhancements.
Azure Sphere, a comprehensive solution encompassing hardware, operating system, and cloud platform, secures IoT devices from chip to cloud. It combines Arm Cortex-A and Cortex-M processors, fortified by Microsoft’s Pluton security architecture. Azure Sphere devices are protected by layers of security, including secure boot, kernel hardening, and per-application network firewalls, all managed by the Azure Sphere Security Service.
Upholding the National Cybersecurity Strategy
Microsoft’s unwavering commitment aligns with the objectives of the US National Cybersecurity Strategy. By prioritising secure design and development practices, as well as collaborating on secure platforms and defaults, Microsoft plays a pivotal role in enabling partners to deliver and maintain secure IoT solutions. As organisations continue to embrace IoT, fortified security measures remain paramount to mitigate risks and ensure the integrity of digital ecosystems.