David Maidment, senior director, secure device ecosystem at Arm, shares his insights into how the IoT can be made more secure through certification.
As we journey towards the metaverse, digital transformation and Internet of Things (IoT) device deployment are moving beyond early adoption and becoming mainstream, as businesses and consumers embrace new technologies. As we reach this turning point, organisations must avoid the pitfalls of the past, where security lagged behind the pace of digitisation and technology. There have been lots of examples of services, such as critical infrastructure and supply chains, which have undergone rapid digital transformation over the past few years. Yet the slow pace of security rollouts to protect these innovations has created many vulnerabilities for both consumers and providers.
The same is true for the IoT, with cyber-security lagging behind as IoT devices proliferate. Pressures on the IoT, which include a fragmentation of standards and a complex regulatory landscape, mean that matching cyber-security to the IoT has been difficult. As the IoT continues to expand, the security of these devices cannot be optional. Arm is at the forefront of continued security research and investment, and we believe that security is a shared responsibility. By investing in architecture, software and hardware technologies, programs and initiatives, we make security simpler for our partners and IoT developers worldwide.
In 2017 Arm spearheaded PSA Certified, working with other industry leaders to establish a standardised security framework and certification program to help achieve a secure IoT. This year, the PSA Certified 2022 Security Report shows that security has moved to the top of the business priority list, with 90 per cent of organisations having increased the importance they place on security in the past 12 months. However, findings show that there is still a need to democratise the skills and best practice required for security in the connected economy. There are three essential factors – guidance, education and certification – that will unlock the potential of the IoT by ensuring a secure ecosystem.
Better security guidance and education
There has been a strong shift in consumer perspectives towards prioritising security in connected devices, meaning a secure IoT is essential. Nearly a third of those surveyed in the PSA Certified 2022 Security Report noted that their customers demand it, debunking the myth that consumers care only about cost and features.
Manufacturers and service providers in the IoT ecosystem must respond to this and the need for best practice guidance is higher than ever. 96 per cent of research respondents said they would be interested in an industry-led set of guidelines on IoT best practices. Fundamental to this would be a common security language.
Unfortunately, security expertise remains a barrier. Fewer than a third of organisations are very satisfied with the level of security expertise within their organisation. The World Economic Forum estimates that there is a gap of more than three million security experts worldwide.
Organisations understand this, and rank security frameworks and step-by-step guides as the most useful tools for deploying secure products to market. This underlines the criticality of education and guidance in shaping a more secure IoT.
The importance of certification
Certification provided by independent third parties is also critical to ensuring IoT security. Certification moves the industry beyond “marking their own homework” and delivers a clear benchmark of security, measured by independent labs. Customers can use this certification to ensure that the products and services they are buying do not contain unknown and unwanted cyber-security vulnerabilities.
There is still work to do here: although 95 per cent note that certification is useful to the IoT marketplace, the same percentage does not conduct external laboratory-based security testing, despite admitting that they don’t have their own security experts in-house.
Our findings show that the primary reason certification is being skipped is the misconception that testing is too expensive. However, a standardised testing method under a certification scheme, such as the one that PSA Certified has developed for the new wave of IoT devices, has already lowered the cost barrier. The documentation is open to view, and it takes less time with evaluation labs than pre-existing certification models, which were made with previous-generation connected devices in mind.
Certifications can also be reused, meaning that you can improve the return on your investment. Once a component has been certified – a chipset, for example – that component can be sold to original equipment manufacturers (OEMs) and used in a range of different products regardless of manufacturer. This means they are all certified, hence bringing down the costs for all concerned.
We’re also seeing that governments, standards and leading IoT companies are adopting or referencing PSA Certified. This momentum towards security certification will only accelerate the path to a more robust IoT ecosystem.
The PSA Certified program is forging a more secure connected future by uniting the industry around security best practice, to deliver consumer and business assurance in connected devices and protect end-users from cyber-risk.
Across the industry, it is accepted that security is no longer optional but foundational to business success. Industry collaboration and cross-market knowledge-sharing are democratising the skills and best practices that are so critical to our connected future.
PSA Certified offers a credible certification system that aligns standards across organisations, IoT trade bodies and insurance services, and we’re proud that PSA Certified is creating an opportunity for the industry to come together and drive IoT security for both businesses and consumers.
Learn more about the IoT security trends and barriers in the PSA Certified 2022 Security Report.
David Maidment is senior director, Secure Devices Ecosystem at Arm. Arm was one of the original co-founders of the PSA Certified initiative.
About the research: The data in the PSA Certified 2022 Security Report was gathered from 1,038 technology decision makers across Europe, USA, and APAC by Sapio Research. PSA Certified is a global partnership of security-conscious companies that are building security best practices that are aligned to the cyber-security requirements of USA, Europe and China and that promote Security by Design across all IoT devices.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543