Secure by design

The IoT industry is coming together to fight the threat of cyberattacks by adopting standardized approaches that build security into connected devices by default

For a short period of time in 2016, the Internet went dark for users of the world’s best-known websites. Twitter (currently rebranded to X), Netflix, Reddit, The New York Times, and dozens of other high-profile sites suddenly went offline, all at once. Millions were left inconvenienced, the result of a cyber security attack several publications later described as having “broken the Internet”.

The devastating outage was soon traced to an unexpected source – home security cameras, baby monitors, thermostats and scores of other everyday home appliances. More specifically, hundreds of thousands of these home appliances that were connected to the Internet had been compromised and then effectively taken over by cyber attackers. In what might be the ultimate show of vandalism for our digital times, the attackers unleashed this newly acquired army of connected devices on a critical system that supported many of the world’s biggest websites, flooding it with internet traffic until it became overwhelmed and the websites that relied on it became inaccessible.

In short

Cyber threats are on the rise, including an
increase in attacks on IoT devices.

IoT devices face particular security challenges based on their 
characteristics, physical deployment and placement in supply chains.

Traditional approaches to IoT security are now shifting, with 
greater emphasis on integrating security into early design phases.        

Unsurprisingly, such a sudden and devastating blackout of a large chunk of the Internet would become a catalyst for global conversations about cyber security. These conversations not only focused on the resilience of the many global businesses and services that had been affected, but—given the attack source—drew attention specifically to the state of security in the emerging world of connected devices, the IoT.

Almost a decade on and many high-profile cyber-attacks later, and with IoT devices even more pervasive in our digital world, getting security right for connected devices is high on the agenda for policymakers, device manufacturers and consumers. Happily, a deeper understanding of the threats to the IoT, combined with the emergence of clearer guidance, standards and regulation, is helping the industry move closer to its mission of embedding security into the fabric of IoT devices by default. The result could be a more trusted and resilient ecosystem that makes it much harder for the bad guys to break in.

Risky business

Most businesses today operate in an environment of heightened cyber risks. Key factors in this increase have been the growing reliance by companies on digital technologies and the simultaneous explosion in the creation and accumulation of data. Both these situations generate attractive targets for maliciously motivated cyber attackers – the former because it offers the potential to cause widespread disruption and the latter because of the financial value of stolen data, which can now be traded on the dark web or used in extortion campaigns.

Cyber attackers have also grown rapidly in number, and evolved and enhanced their capabilities. This is true both technologically through capabilities like artificial intelligence (AI), and organizationally, with attacks coming from a wide range of diverse, well resourced and highly coordinated sets of actors including state sponsored groups, financially motivated cybercriminal gangs and ideologically driven activists.

By 2025, the cost of cybercrime is predicted to reach $10.5 trillion annually, according to research firm, Cybersecurity Ventures. Staggering as that figure may be, the truth of the heightened threat environment is perhaps better reflected in the steady stream of news items about major data breaches and disruptive cyberattacks affecting everyday businesses and well-known brands. These include major banks, telcos, retailers, hotel chains, medical facilities, charitable organizations and more. Customers of these organizations are often the true victims of these attacks, suffering everything from breaches of their private information, large-scale financial losses or being prevented from accessing critical services.

Connected device vulnerability

For cyber analysts, a particularly concerning recent trend has been the increased targeting of critical infrastructure. These are operators of services that governments deem essential for society to function, and typically include organizations in sectors like health, energy, food, water and communications.

The most devastating attacks on critical infrastructure are those that have targeted key critical connected components or smart devices; these often form part of complex industrial control systems such as electricity distribution grids or water pipelines. But for many observers, the broader takeaway from this trend has been the severe vulnerability of connected devices generally, and the need to do more to secure them.

It’s a massive challenge: By 2025, there will be almost 42 billion IoT devices, according to analyst firm IDC. This growth in the volume of connected devices means an expanding target for cybercriminals, for several reasons. Firstly, the more connected devices the larger the so-called ‘attack surface’, or number of potential vulnerable targets an attacker can seek to exploit. Secondly, the large volumes of data generated by and transferred between connected IoT devices is itself a rich target for interception.

Like the attacks on critical infrastructure, disruptive attacks on the IoT can result in serious consequences in a wide range of scenarios. This was made clear by the attack described at the beginning of this article. Known as the ‘Dyn attack’, it remains one of the most prominent cyber-attacks involving IoT. In another infamous IoT attack, hackers stole a U.S. casino’s high-roller database by exploiting a vulnerability in a fish tank thermometer in the casino’s lobby.

The most devastating attacks on critical infrastructure are those that have targeted key critical connected components or smart devices

Other IoT threats illuminate the high stakes for safety. Security researchers have long raised hacking fears involving connected medical devices such as pacemakers and insulin pumps. In 2015, Fiat Chrysler was forced to recall 1.4 million vehicles after a software security flaw was discovered in a Jeep Cherokee. Video baby monitors and home security cameras have also been subject to compromise due to security failings.

Cheap but exposed

Attacks on the IoT appear to be on the rise. According to cybersecurity provider Kaspersky, the first half of 2021 saw 1.5 billion attacks on IoT devices, a doubling from the previous six months. In truth, concerns about the state of security in IoT devices have persisted for some time, among both security researchers and IoT advocates – the latter fearful about the impact security concerns might have on general consumer confidence in the IoT as a whole.

About 30 percent of providers of IoT solutions consider digital trust to be critical, compared with approximately 60 percent of buyers

According to McKinsey, only about 30 percent of providers of IoT solutions consider digital trust to be critical, compared with approximately 60 percent of buyers. While complacency may once have played a role, the increase in successful attacks on IoT devices could also be a result of their inherent characteristics. “IoT devices have much more limited resources in terms of computing power, memory, energy, and also sometimes lack hardware and software security features to protect against various threats,” says Tiago Monte , Developer Marketing Manager at Nordic Semiconductor. “This can lead to simplified or lightweight security implementations on IoT devices, which can be more vulnerable to attacks.”

The physical accessibility of IoT devices—often deployed within reach in publicly accessible locations, as is the case with smart city deployments—also increases their exposure to physical attacks and tampering, says Monte. Remote attacks are equally a threat as they are for any networked device, including those in enterprise computing contexts.

The nature of the IoT supply chain presents its own challenges. Researchers have long understood that cyber attackers love complexity – the more layers or nodes of equipment, the more software integrations or third parties involved, the more likely there will be a gap or loophole that can be exploited. By their nature, IoT deployments involve several vendors, components and points of integration, creating greater risk. This vulnerability emphasizes the importance of having individual components and devices that are themselves inherently secure.

Incentives and the lure of easy connectivity have also played their role. In recent years, the IoT’s potential to deliver benefits including efficiency, innovation and enhanced customer experience has become better known just as the costs of chips fell, making the economic case for turning any product into a connected device somewhat irresistible. “The price of turning a dumb device into a smart device [can be as low as] 10 cents,” renowned security expert Mikko Hyppönen told a European conference recently. “It’s going to be so cheap that vendors will put the chip in any device, even if the benefits are only very small.”

Unfortunately, security costs, so the business case for working to protect these devices didn’t follow as readily, resulting in the development and rollout of many connected devices that had poor or even non-existent standards of security.

Protected by default

But in the wake of heightened awareness to cyber-attacks the tide is now turning. Public expectations of IoT devices have also clearly shifted. A survey by the U.K. government in 2020 found nine out of ten people now expect smart devices to have basic embedded features to protect user privacy and security.

Nordic’s Monte believes the imperative for IoT security is even more fundamental than meeting emerging consumer buying preferences. “Security breaches of individual IoT products threaten not only the prosperity of companies making vulnerable products, but they also impact entire product categories by giving them a reputation for being insecure,” he says. As a result of the wide-scale reputational impacts, securing the IoT is now becoming a serious mission for companies involved across the sector, from chip vendors through to device makers.

The journey towards good IoT security has been long, but ultimately positive. Despite good intentions, early approaches were somewhat “half-baked” and “inconsistent,” says Monte. At a time when security was still not a priority, well-meaning manufacturers were left to do their best with minimal guidance about what was best practice. Security was also often left to the end of the design process, added either as an afterthought or only after the discovery of security issues that would have prevented a product being released. The approach of ‘retrofitting’ security late in the development process not only creates more vulnerable outcomes, “in many cases, it also makes the solution more expensive”, according to a Deloitte report.

Security breaches of IoT products threaten not only the prosperity of companies, but also impact entire product categories by giving them a reputation for being insecure

Happily, we are now seeing a shift in thinking towards making IoT devices that are both ‘secure by design’ and ‘secure by default’, says Monte. In the former, security needs are considered and addressed in the early stages of product design, in the same way a designer might consider functional and non-functional requirements such as battery life or user interface, he says.

The shift towards ‘secure by default’ is clear. The wireless protocols used in the IoT have evolved from having security as optional, to having security built into the specifications by default. And it’s not just at the data exchange level but at the device level too, with features such as secure boot and secure firmware updates.

Companies like Nordic have identified a set of basic security objectives that are built into its products by default, and which Monte says ought to be part of any IoT product. These features include ensuring only authorized software can be executed and updated on a device, separating trusted and untrusted services on devices, and secure storage to ensure confidentiality and integrity of data and assets.

Delivering standardized security

Despite this recent progress, a persistent challenge for IoT security is the lack of standardization, which translates into fragmented, inconsistent and ultimately inadequate levels of security of IoT deployments as a whole. The fragmentation is compounded by the existence of a broad spectrum of IoT products, and vastly inconsistent security expectations across these product categories. For instance, while medical devices must often meet stringent security requirements, for many consumer IoT devices, for example toys, there are no mandatory security requirements.

More recently, the IoT ecosystem appears to have realized standardization is necessary for more consistent, and better, security outcomes. Ninety-six percent of respondents to a survey by IoT industry consortium PSA Certified expressed interest in industry-led guidelines for IoT security best practices.

In response, PSA Certified has brought together major stakeholders to consolidate fragmented security approaches into a standardized approach for the IoT. It developed a four-stage framework that guides developers through the steps necessary to implement the right level of security for a product, providing guidance and technical resources and access to an ecosystem of certified and standardized components. Nordic’s Monte points to an ever growing list of IoT products that have PSA certification as a sign of the framework’s positive impact on the security ecosystem. Nordic itself has aligned with the framework.

Standards and expectations are also being pushed at a national policy level, with regulators in several countries outlining expectations and establishing minimum security standards for IoT products. In the EU, lawmakers recently introduced security standards that require Internetconnected products to have “appropriate levels of cybersecurity”. In the U.S., recent Executive Orders on cybersecurity have led to the development of IoT security standards by respected standards body the National Institute of Standards and Technology (NIST), in much the same way as the European Telecommunications Standards Institute (ETSI) has done in Europe.

Collective efforts are also being directed at improving consumer awareness and trust. Until now, the inability for consumers to distinguish a secure IoT device from an insecure one undermined confidence in IoT devices.

Now, several security labeling schemes for IoT devices are in train. According to the U.S. White House, which announced a labeling program last October, such schemes will provide consumers with “peace of mind that the technology being brought into their homes is safe” and incentivize manufacturers to make secure devices. Similar schemes are either in place or under development in Singapore and Australia.

Need to know

The PSA Certified IoT Security Framework guides developers in securing connected devices, from analysis through to security assessment and certification. It provides standardized resources to help resolve the growing fragmentation of IoT security.

Unlocking the value of the IoT

The benefits of a more secure IoT accrue in many places, not least the businesses that incorporate better security into their products. A survey of businesses by PSA Certified found having security in their products had positive impacts to the bottom line of 96 percent of survey respondents. The same survey found having better IoT security reduced costs and insurance premiums and supported the ability to charge more for products based on their enhanced security features. It also found customers were willing to pay such a premium.

Improved security can also help developers of IoT solutions unlock stronger customer relationships, especially in contexts where resilience and reliability are critical. A prime example is the Wireless Flex Dimming Receiver lighting solution from illumination company Fluence, which is built using Nordic’s nRF52840 SoC and is PSA Certified. The product is targeted at the horticulture sector and enables growers to maximize their yield and produce quality by optimizing lighting conditions. Given the precision with which plants need to be exposed to light, smart lighting solutions such as these must be resilient to disruptions or outside interference. With these priorities in mind, customers likely feel greater trust and confidence because of the product’s inherent security features.

Beyond benefits for individual manufacturers, it’s in the impact on the IoT ecosystem at large where we may see the full return on investment from enhanced security. McKinsey says executives would increase their spending on the IoT by 20 to 40 percent if “cybersecurity concerns were completely managed”.

It’s also worth remembering previous McKinsey projections that the IoT could enable between $5.5 trillion to $12.6 trillion in value globally by 2030. As some have observed, many such predictions about the growth of IoT have yet to materialize.

The IoT ecosystem appears to have realized that standardization is necessary for more consistent, and better, security outcomes

One of the reasons for this is that, in a world of fast-evolving and highly destructive cyber threats, the very feature at the heart of IoT’s promise—its ability to unite large numbers of connected devices to work together in a fully integrated ecosystem—is also the very thing that “creates the risk of vulnerabilities that could have catastrophic consequences”, in McKinsey’s words.

But now, as wireless IoT suppliers like Nordic, industry consortiums like PSA Certified and regulators around the globe work in unison to prioritize the incorporation of security into IoT products, these risks could be mitigated. With a united commitment to ensure better security, we may finally see the injection of trust that unlocks the full value of the IoT.

State of Play

Why are criminals so interested in the IoT?

Experts say 2021 was the year of ransomware, but things changed in 2022 as the bad guys realized the estimated 17 billion IoT devices represent juicier pickings. While IT hardware and software security has dramatically improved, the same cannot be said of IoT devices. According to U.S. media company CNBC, IoT devices with minimal defences represent entry points for attacks on critical infrastructure, or the device itself can be the specific target due to the data contained therein. This is one of the reasons why security cameras are an enticing prey. A weakness that’s now being addressed is a mechanism to make it easier to download regular software updates to provide security patches.