The True Cost of IoT Insecurity

The Internet of Things (IoT) is growing rapidly, but can it grow securely as well? Growth is a given – Ericsson’s June 2021 Mobility Report says there were 12.4bn IoT connections in 2020, and forecasts this will grow to 26.4bn by 2026. But secure growth isn’t a given. Ensuring that the IoT grows in a secure way will take a broad coalition of stakeholders, some not usually involved in what appears to be a technical issue. At root, though, securing the IoT is not about technology – it is about establishing and sustaining trust.

With trust, the IoT can flourish, enabling a raft of digital services that will improve lives. Without trust, access to these services will be constrained by users’ wariness. This, then, is perhaps the true cost of IoT insecurity – not the losses for a single hacking victim, but slower uptake of the benefits of the IoT for all.

The cost of insecurity

The topic was discussed in November 2021 by a panel of IoT stakeholders from the UK’s Department for Digital, Culture, Media and Sport (DCMS), insurers Munich Re, IoT security certification scheme PSA Certified, Forescout Technologies, and University College London.

The panel was hosted by Dr Sally Eaves, an emergent technology CTO and global strategy advisor. She argued that the true costs of IoT insecurity include lost trust, damaged reputations, and consumer churn.

David Maidment, senior director, secure device ecosystem, Arm, agreed: “If we’re going to go through this digital transformation, it comes back to trust. One of the costs that we think about is the hesitancy, the rate at which the market adopts [the IoT] and understands that you can build compelling business cases around this and deploy with confidence.

“If you can make that leap to business confidence, then consumer confidence will flow from there.”

Madeline Carr, professor of global politics and cybersecurity at University College London, argued that the IoT brings significant additional risks beyond the usual concerns about business resilience and continuity.

“The IoT introduces this capacity to have effects in the physical world, and with that we introduce new liabilities in terms of physical damage, or even loss of life,” she said. “The other way that it introduces new issues is by mass gathering of data, which may not appear to be personally identifiable but, when data flows are aggregated, can change the value and the purpose of that data.”

Elisa Costante, vice president of research, Forescout Technologies, agreed, pointing out that our critical infrastructure, medical devices, and cars are all becoming part of the IoT, “so when we speak about risk in an organisation now, we really have a much wider perimeter that we need to look at.”

Tim Davy, cyber security specialist at insurers MunichRe, pointed out that working with IoT ecosystems is increasing the amount and complexity of the risks that an organisation takes.

“Take away the technology and just look at the business application and the business risk. More business processes rely on technology, and digitalization and the IoT will only expand that”

“It’s not just large enterprises that are affected by cyber. SMEs, mid-sized market, all industries and verticals have this problem. And just to add to the complexity, supply chains are very digital.”

The hardware challenge

It’s hard to secure IoT devices, and even harder to secure IoT ecosystems over the long term. Constante reported on recent work by her team reviewing TCP/IP stacks, the basic technology for communicating over the internet.

“We have found around 100 vulnerabilities that are very common in very different stacks. And what we discovered is that you have 14 pieces of code, which are used by 400 different vendors in hundreds of different products, and this translates into billions of devices being impacted. And there is no tracking back to where the risk comes from.”

In another study, Constante’s team found 179 different vendors of IoT devices for a particular category of medical device. “Imagine what it means if several of them are impacted by vulnerabilities: you need to patch them, you need to understand which ones are vulnerable, which are critical, where the highest risks are.”

She pointed out that many IoT devices are expected to remain in service for years.

“Eventually, there is no hardware solution you can implement unless you reinvest all the huge amount of money you invested 10 years ago.”

A hardware solution

One way to address IoT security issues is to incorporate an immutable, unclonable element into an IoT device, usually within an IC, which can provide designers and developers with confidence that they are working with a unique device. This ‘root of trust’ then acts as the foundation for all the cryptographic processes necessary to enable a device to securely start up, accept remote updates, communicate over the internet, and so on.

“Security requires hardware protection inside the processor, the part of the chip that is running these software stacks,” said Maidment. “Not implementing that in hardware opens you up to vulnerabilities. So, we’re not talking about a software problem, we’re talking about a problem that is ultimately solved through careful design.”

Adding a hardware root of trust adds to the costs of designing and making the IC, and so the product, but PSA Certified argues that its work, which defines the functions required of a root of trust and a certification scheme for assessing the security of the overall IoT device, helps limit those costs.

“What we’re doing with PSA Certified is democratising security design, by making architecture specifications and guidelines available so companies can implement [a root of trust], they can differentiate around that, and then that chip is made available to the people that design the product so they can tap into all that security business in their end product.”

Building trust through collaboration

PSA Certified is an initiative that began at Arm, and Carr praised its focus on hardware solutions to IoT security issues.

“The work that Arm is doing is really important here, because a lot of the innovation in cybersecurity in the US has been focused on software. And it’s that chip architecture and chip design that’s fundamental to make a step change in IoT security.”

She added that the return on the investment involved in implementing better IoT device security is hard to quantify, and for that reason some may need to be encouraged in other ways: “What is really essential is that we acknowledge that not in every sector is there a clear market incentive for investing in security, and that’s where policy comes in.”

Veena Dholiwar is a cyber security expert who works in the Secure by Design team at DCMS, focussing on the cyber security of consumer connectable devices. Dholiwar and her team are developing legislation to mandate a minimum level of cyber-security in connectable consumer devices, and ways to enforce the legislation once it is enacted. A lot of her work is being done through consultation and collaboration.

“We’ve been talking not just to manufacturers of the products, who are responsible for investing that security into the product at the design stage, but to others in that supply chain. We’re getting consultations where there’s many different stakeholders, to understand what their needs are, and in terms of legislation and guidelines that we wish to put into place.”

Dholiwar added that some of her work involves international collaboration. “This work isn’t just about different industry groups. It is also about the fact security doesn’t stop at borders, so having international influence is vital. We’re seeing that countries such as Australia and India recently publishing codes of practice that align with the one that we published.”

This kind of national and international collaboration is vital to effective global IoT security.

“I think fragmentation [of standards and initiatives] is the friend of the bad actors,” said Maidment. “From the very early days of forming PSA Certified we all recognised it wouldn’t be able to do [all it needed to] on its own. It’s something that must be done in an open, collaborative way.

“I think collaboration extends beyond the boundaries of what we normally think about. As an example, with the panellists here, we are way beyond just having a technical discussion.”

Building trust through quantifying risk

PSA Certified provides a certification scheme for measuring device security in a consistent way. This helps designers who want to build secure products to understand the features of a security IC in a consistent way. The fact that the certification of these ICs is handled by an independent lab helps build confidence and trust. PSA Certified is also aligning its efforts with government regulation, in the UK, Europe, and the US, to reflect the borderless nature of the challenge. And it is also helping to codify and evolve industry best practices.

Maidment describes the approach as being like layers of an onion: the chip, the software, and the device. To achieve security, the chip needs to be certified, the way that the software uses the chip must be certified, and the device maker must implement these two layers in a way that doesn’t break the overall security model.

“If you give that information to a company like Munich Re where they are looking at risk at scale, then you’ll say, okay, my deployment is based on these secure components, and by the way, it’s not static, it’s for the lifecycle of the device. So, can I trust it? Can I update software if new vulnerabilities are discovered, can I trust these updates? Having those mechanisms in place allows for that quantifiable risk.”

Davy at MunichRe pointed out that from an insurer’s point of view, being able to codify and quantify risk is very important to the correct functioning of their market.

“The quantification and understanding of the threat landscape and how the technology interacts is really important. To be able to say ‘We know what good looks like’ is very important. And having standards and regulations in place really helps put the yardstick in the right place and set the right direction.”

The emergence of the IoT has significantly increased the complexity of cyber-risk.

“Suddenly you’ve got a significantly more complex breach scenario where the costs of the claim and the response to that claim are significantly higher, which would drive up the prices of the insurance,” said Davy. “Having trusted components within a system would allow us to compartmentalise where we’d see that risk, and so help keep that cost of failure reduction down.”

Eaves closed the panel by reiterating the importance of collaboration in addressing the issue of IoT security.

She argued that there are several common challenges, including converging technologies, an accelerating rate of change, and increasing activity from bad actors. These can be countered by sharing best practices, applying cutting-edge technology, improving education, drawing on more academic and industrial research, and using industry bodies to create new forms of dialogue that engage more types of stakeholder.

“For me the answer is made real by cooperation and collaboration and reducing these threats one-by-one while the convergence is positive.”

You can watch the panel discussion on PSA Certified’s website here or watch below.

Our two products, QDID and QuarkLink help solve the costs of insecurity in the IoT industry. Contact us today to see how we can help you secure your devices and provide a cost safety net in the long term.

Contact us today