The Building Blocks for IoT Security
For the past decade, manufacturers have been rushing to fulfill the promise of the Internet of Things. The deployment of 5G, which enabled smartphones and smartwatches, has led the way for smart fridges, smart vacuums, smart pacemakers, smart security, and a whole host of connected consumer products.
By the end of 2022, there were an estimated 7 billion IoT devices in the world, each one packed with software. This exponential growth has presented opportunities for malign actors to exploit potential weaknesses for criminal gains. According to Microsoft's 2022 Digital Defense Report, IoT devices are the key entry point for many attacks. In December 2022, the CEO of Zurich Insurance, Mario Greco, said that cyberattacks could pose a larger threat to insurers than systemic issues like pandemics and climate change, and as a result, could become uninsurable.
2022 is seen by many experts as the inflection point for IoT security, and governments have begun to protect individuals, businesses, and key infrastructure. Last year on The Critical Lowdown, we predicted that 2023 would be the year of IoT security, and so it has proved. In the UK, the PSTI Act has passed into law, the EU Cyber Resilience Act is progressing in Brussels, and the US IoT Cybersecurity Improvement Act of 2020 has been bolstered by new cybersecurity measures in the 2022 Appropriations Bill. The legislation is tightening, and the consequences are getting even more significant.
To navigate this complex security ecosystem, we have assembled a panel of the industry's foremost experts to discuss the legislation, threats, technology, distribution, and solutions.
MK: Last year on The Critical Lowdown, we predicted that 2023 would be the year of IoT security, and it has proved to be.
In the UK, the PSTI Act has passed into law, the EU Cyber Resilience Act is progressing in Brussels, and the US IoT Cybersecurity Improvement Act of 2020 has been bolstered by new cybersecurity measures in the 2022 Appropriations Bill. The legislation is tightening, and the consequences are getting even more significant.
To navigate this complex ecosystem of threats and new legislation, we have assembled some of the industry's foremost experts for this panel.
We have:
Welcome everybody. My name is Malcolm Kitchen, I'm the Field Applications Engineer for EPS Global. I support all EPS Global's Secure Trust Provisioning activities. Let's go around the panel and let everyone introduce themselves and their organizations. Haydn, would you like to start please?
HP: Thank you, Malcolm. My name is Haydn Povey, Chief Strategy Officer for IAR Systems, a leading commercial development tools vendor for embedded systems. We are best known for our compiler and security technologies that help engineers and organizations secure their products. Prior to this, I worked at ARM, where I was responsible for security technologies such as TrustZone and SecurCore. Additionally, I have worked with John, who you'll hear from next, as a founding member and board member of the IoT Security Foundation.
JM: I'm John Moor, Managing Director of the IoT Security Foundation. I usually start by saying that I'm an expired embedded systems engineer. I learned my craft in the 80s, practiced in the 90s, and then became a founder of a Fabless semiconductor company. Unfortunately, we faced funding challenges, and I went back to school. I sat on the board of a US industry association called the Fabless Semiconductor Association, which later became the Global Semiconductor Alliance. During that time, the UK's National Microelectronics Institute found me and asked me to help them with their design industry and association experience.
I worked with them for about 10 years, and my focus shifted from corporate business interests to industry-wide problems. In 2015, the chairman of the National Microelectronics Institute asked me to look at IoT security, as it was a growing threat. Although I had no background in cybersecurity, I quickly realized it was a huge problem. We held a summit, and the vote indicated that more needed to be done. That's when we created the IoT Security Foundation, bringing the community together to raise awareness and address emerging threats.
Today, the IoT Security Foundation is a not-for-profit membership organization, and our goal is to help make it safe to connect.
MK: Thanks, John. I believe the IoTSF will play a significant role in advancing security.
SO: My name is Stella Or, and I am a software product manager at NXP, specifically in the Secure Connect Edge business line. My focus is on providing security solutions for our customers. I have a background in the payment industry and MCU security. NXP is a global semiconductor company offering a range of products, including high-performance, low-power consumption options. Most importantly, our MCUs and processors for IoT and industrial applications have built-in security features.
MK: Great stuff, thank you Stella. I know NXP has been involved in security for a long time, it's wonderful to have your experience on board. Thank you, Todd.
TB: I'm Todd Baker, Corporate Vice President of Worldwide Engineering for Future Electronics, one of the world's largest semiconductor distributors. We take pride in providing engineering expertise to our customers, working with them on designs and embedded systems, and bringing leading technologies from partners like NXP. We help them with design, troubleshooting, and anticipating future technology requirements.
One of those things that we've been talking about a lot internally and trying to really impress on the market for the last probably 5-6 years has been this growing need for security. It's been something that we've had a heavy focus on in the realization that our customer base needs to start securing their systems. We've seen mixed reactions to that, where some customers definitely feel it's got to be done, they've got that sense of urgency; and others have put it off a little bit. I think we're going to see a shift, and I'm anxious for this conversation to talk about that inflection point, which I think we're living in today.
MK: Absolutely, Todd. You made some excellent points, and it's fantastic to have a large distributor on board to help bring everything together. I believe that collaboration and combining different pieces is the key to solving this complex problem. John, it would be great to discuss the legislation and its specifics, particularly focusing on the role of the IoTSF in shaping this legislation.
JM: Thank you for the opportunity to discuss this topic. Going back to the date we started, September 23rd, 2015, we initially considered creating a security label for products to help the market determine which ones had security features. However, we realized that it's more important to focus on what goes underneath the label. We began raising awareness and working with the UK government, particularly around 2018, when we were concerned about the consumer market. Governments have a responsibility to protect their citizens, especially in consumer legislation. What we started talking about was: "What can we do for consumers?"
In 2018, we worked on creating the consumer code of practice for IoT security. That then led into a piece of work which was in Europe in the standards organization, harmonized standards organization called ETSI, where we examined requirements and pathways for regulation. We also monitored the market, focusing on vulnerability disclosure as a key aspect of security. This was news to me as part of my journey, as being an embedded systems engineer I never really had to think about connected products. Once you start connecting things up, you suddenly massively expand your attack surface. And one of the things you need to do is you need to keep that security up to date over its operating life. And one of the ways you do that is you allow a channel for people to report security vulnerabilities. We were working up the requirements, but we were also looking at what was going on in the market. Our research found that less than 10% of companies with products on the market had a vulnerability disclosure reporting mechanism, indicating a market failure and justifying the need for regulation.
I'm delighted to say that on December 6, 2022, the regulation reached royal assent. The framework legislation sets up powers for the Secretary of State and applies to 3 significant groups: manufacturers, importers, and distributors of connected products.
The secondary part of the regulation, which defines the specifics of the legislation, came into force on April 29th, 2023. The clock started ticking for one year, meaning that on April 29, 2024, it will be a legal requirement to satisfy those minimum requirements.
MK: Thanks for the explanation, John. It's interesting to hear that the clock has started ticking now, and it's very important.
So Haydn, I have three questions for you:
HP: Good questions, and thank you John for the preamble into this. I think in part, John has answered some of those areas.
The reality of not securing your connected device is like not locking your front door on your house. You are welcoming in all sorts of bad things, and as we all know the generic internet is hosting a whole range of malware and we do see this attacking IoT.
The real challenge with IoT and connected devices is that we're operating in the cyber-physical world, where things can physically go wrong. A great example of that is the Colonial Pipeline attack over in the US, where it shut down major oil pipelines for a very long time. We have seen test firing of cyber weapons. We're all aware of cyber warfare, which is starting to occur already, and we're only in the foothills of where this could go. The next war will likely be fought in cyberspace, but the consequences of that will be felt in the physical world, in attacks on critical infrastructure, water and sewage works; in how people commute, whether it's train, whether it's car; and in homes with smart meters. All of these different facets, unfortunately, are subject to attack.
We know, for example, a lot of smart meter functionality is not switched on right now, because the consequences of a failure of malware being injected would be catastrophic. You could make a whole country go dark if you really had such an advanced persistent threat. The reality is we have to assume the bad guys, the bad actors, have practically infinite resources. They are often state-sponsored, and we know that they will be able to purchase devices, as well as reverse engineer them. If there is any flaw in your device, the reality is bad guys will be able to find it. And this is obviously very much on the agenda of governments around the world, the EU, the US, really everywhere.
So what could go wrong? And the answer is, unfortunately, a lot. We also have to think slightly broader than that. It's very easy to think very negatively about these areas. We need to stop and inhibit malware, but we also know with a lot of connected devices and with a lot of the value that people have today, that IP theft is rife.
Counterfeiting, cloning, overproduction is a challenge. We know governments are very focused on securing supply chains. We've seen that very easily on how a lot of silicon infrastructure is being inhibited to being shipped to China. But similarly, every organization needs to be thinking around their supply chain.
The final answer of this, and this comes back to the legislation, the real challenge is lifecycle. None of the devices that we ship today is in its final state because we know they will be compromised, and a key part of the legislation is now going to be how do we manage the lifecycle of those devices? How do we get past compromises? How do we update? How do we patch? Not just computers, which we're all used to, but internet connected kettles or doors or all of these little things which don't necessarily have a big user interface. All of them are compromisable. All of them will have compromises. It's the nature of software and we have to do the right things to engender that.
We have to adhere to the legislation, as John was saying. There are the 3 pieces to this around identity, around lifecycle management, and around feed in and feed out of compromises and vulnerabilities. These are very simple things to say. They're far more complex to implement at scale across not just a product range, but product ranges across an organization. The balance of risk is an interesting one because of this. There are a lot of challenges for consumers when they buy a connected doorbell. Are they thinking about how that gets updated? Probably not. But they are going to be impacted by it. However, from a corporate risk, you have to think about how your end users, how your consumers, and perhaps even how your customers' consumers, are going to be able to manage these devices long term.
There's a lot of pain, unfortunately, coming onto corporations. This legislation, as John said, is ticking. We have just under 12 months, and that really means that you have to impact devices in production today because it will take 12 months to roll out that type of framework.
There are some positives in this as well. When we look at what are the big existential risks to many corporations, it is IP theft. More and more companies, whether you're manufacturing a car or vacuum cleaner, the real value is not the physical thing. It's the software running it, and if you lose control of that, you're out of the game. Being able to think about protecting your customers, but also protecting yourself, is really important.
MK: Thanks, Haydn. As both you and John discussed, there's a clear progression to this. With the new legislation in force, it's crucial for people to understand that implementing security is a gradual process. You can't achieve the highest level of security right away if it's your first time implementing it. We now have a year to support customers and help them improve their security. It's not about jumping into full security immediately; instead, let's focus on getting started and progressively moving towards a more secure world...
JM: To add, this is all about the journey as far as I'm concerned. I disclosed up front that I had no background in security before 2015, so this has been a learning journey for me, and I think many others will be following that, so if I can just interject a few bits of wisdom at this point to help some of those who are just starting or wondering what to do.
The first thing is that the assumption is that security is absolute, i.e., "you have to be absolutely watertight". Now, one of the talks that we had in our first summit was by the then CTO of ARM, and he said, "You have to accept the ugly truth. The ugly truth is that you will be hacked. You will get hacked", and if you acknowledge that up front, that's a good place to start. So do your best up front, but then you need to make sure that you can fix things, as Haydn was saying about lifecycle. Do security by design, security by default, security first.
Don't let perfect be the enemy of the good.
MK: Definitely, thank you, John. I believe, Todd, this leads to my next question regarding your experience with customers. Despite guidance from companies like NXP and warnings from IAR and the IoTSF, do you still see reluctance among engineers in implementing security for IoT devices?
TB: It has been an interesting journey over the past half decade, as we've been emphasizing security and discussing it with customers. For Tier-1 companies, those producing tens of millions of products annually, security has been a necessity. These major companies, whether in the automotive or consumer goods manufacturing industry, are fully committed to security without any doubt.
We typically work with distributors whose customers produce between a few hundred thousand and a million pieces per year. In fact, we have noticed some reluctance from these customers. They are interested and want to have the conversation, but when it comes to the extra time required for their design cycle and the additional cost for key storage, they become hesitant. Adding an extra 25 to 40 cents to their bill of materials makes them nervous and they tend to back away. It's interesting to observe how this conversation has evolved in cycles over the last few years.
Around 2017-2018 in the United States, there was a program called 60 Minutes that featured a special on an SUV with IoT implementation and cellular connectivity. A white-hat hacker managed to access the vehicle's system and impact its brake system while it was driving. This incident raised concerns about security, and conversations with customers became more intense. However, some customers felt that security was complex and not as crucial if their systems were not directly related to driving.
A few years later, we saw hacks in other systems, such as a control system for a fish tank in a casino. This type of customer typically produces around 50,000 units a year. That got hacked, and the hackers were able to access the casino's records. We also saw an incident at a major home goods store in the United States, where a thermostat hack allowed the perpetrator to access the financial records of shoppers in that store. Suddenly, everyone wanted to talk about it again. It's been a rollercoaster ride with our customers, as when an incident gets a lot of press, people start to think about their own systems and become more concerned.
As John mentioned, the reality is that there is no such thing as an unhackable system. It doesn't matter if you're the NSA or anyone else; there will always be a way to hack a system. The question is, what cost are you willing to put in place to prevent that? It's encouraging to see engineers and company owners, as well as marketing teams, willing to invest in security measures. The reluctance to do so may have stemmed from the perception of hackers as mysterious, almost magical entities.
We, as engineers and embedded designers, often don't fully understand the capabilities of hackers. This uncertainty can paralyze us, like a deer in headlights, unsure of what to do. For some engineers, there's a sense of security in not taking action. If they tell their boss they've designed a secure system and a hacker breaches it, they look bad. However, if they don't spend time on security due to cost concerns and a breach occurs, it's seen as someone else's fault. It's common for electrical engineers to overlook security aspects, which is not ideal, but something we need to be aware of.
The second part involves a willingness to pay for security measures and learning how to design them. As companies like NXP make security more cost-effective for customers and develop better tools, we can expect improvements in this area. However, we may still need legislative influence to ensure companies prioritize security in their designs, rather than relying on altruistic motives alone.
MK: That's great, Todd. This leads us nicely into discussing how to fix these problems. NXP, with its security background, plays a pivotal role in this. Stella, how does NXP assist customers in preparing their products for the new cybersecurity legislation?
SO: At NXP, we have extensive experience in designing security products for our customers. As John mentioned, it is crucial for our customers to prioritize security during their design cycle. The EU legislation outlines numerous essential cybersecurity requirements; however, it currently does not provide guidance on how to fulfill these requirements. For instance, one requirement states the need to protect products from unauthorized access, but it doesn't specify how. Similarly, another requirement emphasizes protecting the integrity of shared data against manipulation and modification, but again, it doesn't explain how to achieve this.
We understand that meeting these legislation requirements can be challenging for many of our customers. Therefore, at NXP, we provide the key building blocks to help our customers build robust and secure products. This includes advanced security features that meet industrial standards. For example, in our MCU, we have secure boot and secure software updates, which are mandatory requirements for IoT products according to the legislation. This is because when there's a vulnerability, we want to have a solution in place to patch the software, ensuring the old software is no longer running. Additionally, it's essential to maintain the root of trust for the product, especially when it comes to software.
We want to ensure that the software running on the device is from a trusted source and not being modified by someone else before execution. This protection can be achieved by our on-chip secure bootloader in our MCU. Our MCU has many security features that meet industry standards. For example, some of our MCUs have received certifications for security standards such as PSA or CSIP, which can be applied to EU legislation to protect devices from physical and logical attacks. These security-enabled MCUs help our customers save significant effort in implementing security protection. We understand that it's not an easy task for our customers, but we are here to help by providing a wide range of security features that they can utilize.
MK: That's brilliant, Stella. Thank you. When we think about security in our day-to-day lives, it relies on face identification and fingerprints. If a semiconductor doesn't have the ability to incorporate a fingerprint, life won't be secure. So, the advanced features that NXP is implementing are crucial.