This article appeared in Electronic Design and has been published here with permission.
The ongoing proliferation of connected Internet of Things (IoT) devices—more than 42 billion by the year 2025,1 according to one estimate—is going to be matched by a corresponding growth in cyberattacks on each of these new points of entry.
This unavoidable trend is why security is top of mind for every company and organization that designs or deploys embedded, edge, and IoT devices. But how, where, and by whom security will be implemented and maintained is another matter entirely.
Wind River recently partnered with Electronic Design to survey embedded systems professionals representing multiple industries, such as aerospace, defense, and healthcare. The survey results, discussed in a recent webinar (“The Great Security Disconnect: Real Implementation Versus Executive Perception”), revealed disparities between executives, managers, and individual contributors in multiple areas.
For example, most engineering managers (64%) considered device failure or takeover to be one of the biggest security threats facing their organizations. Yet only 23% of executives said the same thing. In comparison, stolen credentials were seen as the biggest security threat for executives (40%), while only a small percentage of managers (15%) felt the same way.
The primary roadblock to securing devices was another area in which executives viewed security differently than others in their companies. More executives identified the primary roadblock as “determining how much security is enough,” while non-executives indicated that “limited in-house expertise” was the main roadblock. These responses could reflect how company leaders have the impression that staffing is in place to support cybersecurity needs, while managers and contributors see a shortage of engineers trained and experienced in cybersecurity.
Bridge the Gap with a Security Policy
A solid security policy for embedded/edge/IoT devices can help resolve this disconnect. The National Institute of Standards and Technology (NIST), in its “Guide to Industrial Control Systems Security,” states that, “Security policies define the objectives and constraints for the [overall organizational] security program.” Policies define the threats that need to be mitigated as a team and why.
Yet, a security policy isn’t easy to create within an organization with diverse stakeholders. Such policies must consider the complex and increasing requirements of regulators, customers, and industry standard-setters, such as NIST, the U.S. Food and Drug Administration (FDA), and the International Electrotechnical Commission (IEC). A security policy for embedded systems might include the following components:
- How and when vulnerability announcements are monitored, especially as more functionality is pushed onto edge devices, and much of this functionality includes third-party applications.
- The items to include in a software bill of materials, including license compliance, security management, export compliance, and safety certifications.
- How and when security testing is conducted. Will testing for security risks be conducted with simulation tools or a hackathon? Or will it be conducted by a third party? Will artificial intelligence (AI) be used to secure embedded devices, and if so, will it be used on the deployed device or during development?
- How the organization handles ongoing security maintenance and updates on devices. Updates might be performed manually on the devices, over the air, or by a third party.
Move Toward a Cohesive Approach to Cybersecurity
These aren’t idle considerations, especially since cybercrime is estimated to cause $6 trillion in damage per year by 2021.2 Many IoT and embedded sectors, like medical, industrial, infrastructure, and military, use devices that perform mission-critical functions. This means they can’t fail or execute in unintended ways. For mission-critical devices, the cost of a cybersecurity breach goes well beyond the loss of data, intellectual-property (IP) theft, and damage to a company’s brand, and it can result in a catastrophic event or even loss of life.
Having a rigorous security policy in place can make all the difference in helping to ensure that an organization acts and thinks cohesively on its cybersecurity priorities. It helps to have the right team in place that can evaluate and implement the right security solutions.
One of the first steps an organization can take is an online security assessment from an experienced cybersecurity solutions provider, such as Wind River. This exercise can help organizations discover what disconnects might exist internally and where to start building consensus. It’s a small but significant step, whether the organization is currently building embedded devices or moving IT applications to the edge.
Ready to Improve Security on All of Your Devices?
See what your organization might be missing by taking a quick online security assessment.
Arlen Baker is Principal Security Architect at Wind River Systems.
1. IDC. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” June 2019. www.idc.com/getdoc.jsp?containerId=prUS45213219.
2. Cybercrime Magazine. “Cybercrime Damages $6 Trillion By 2021.” October 2017. cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016.