Haydn Povey, CEO and founder of Secure Thingz, an IAR Systems Group company, and Member of the Executive Steering Board at IoT Security Foundation.
In the past, electronic devices had fixed functionality and their actions in the real world were controlled by the user.
Fast forward to today and practically every connected device is equipped with sensors and actuators that interact with the outside world without direct human intervention. This is true across consumer electronics, modern industrial systems and, of course, critical national infrastructures such as oil pipelines, water treatment plants and cityscape lighting.
Unfortunately, this means that if attackers can gain access to these systems, they can alter the decision-making processes that drive these autonomous actions in the real world. This has huge implications for how we build and manage our connected devices, how we manage vulnerabilities over the lifecycle of our products, and how we manage and constrain data and credentials.
Furthermore, a major compromise can have a massive impact on bottom-line revenues and profitability, with deep ramifications for brand value. Beyond the initial business impacts of a compromise, there are other good reasons to implement security – not least to protect critical intellectual property. If you spent millions of dollars on R&D, you really do not want someone to re-use your efforts. The EU has estimated the impact of IP theft in Europe alone as approaching $60 billion, with nearly 300,000 jobs lost to this insidious crime over the past few years.
New regulation and legislation for IoT security and privacy are being rapidly introduced globally, such as Consumer IoT EN 303 645, Industrial IoT IEC 62443 frameworks, and the US IoT Cybersecurity Improvement Act. Demonstrating compliance with these regulations is an emerging challenge for all organisations, especially given that they cover technical and operational activities, and require long-term support of products within the end-user environment.
To assist in resolving these tasks, the IoT Security Foundation, a non-profit industry association of which Secure Thingz is a founding member, has developed an IoT Security Compliance Framework, enabling organisations to implement a self-certification methodology that covers the 13 best practices for security and secure-by-design guidelines. The Consumer IoT Security Standard EN 303 645, based on the 13 best practices, is widely regarded as the security benchmark for consumer IoT. Both the standard and the guidelines contain core requirements that developers must meet within their applications.
IAR Systems is the world’s leading provider of software for the programming of processors in embedded systems, with approximately 50,000 customers globally. As a division of IAR Systems, Secure Thingz is a global domain expert in device security, embedded systems and lifecycle management.