Recent events have reminded all of us how much we rely on smart connected devices to accomplish daily tasks, get work done, and stay in touch with our families and friends. It’s very likely that many of these experiences will remain as examples for us in the future.
It’s a good time to revisit the topic of cybersecurity. Specifically, we need to look at the current forecasts that say we will have 75 billion devices connected to the Internet of Things by 2025. The sheer numbers are beyond comprehension. We should work together to seek better standards with adequate certification schemes, including harmonized safety and security provisions to be designed directly into those devices before they arrive in markets.
Do the numbers understate the potential growth in the amount and, more importantly, the use of connected devices?
Devices that can sense, think, connect and act will enable a world to do many tasks that are anticipated. Automation will be making everyday activities “smarter” in ways we can only now imagine. The plethora of devices will not only sense the world, but they also will physically act on the planet. Globally, we should all be safer, and all things more sustainable for individuals and businesses.
Using our devices more often for more things could also make us more vulnerable as we depend on processing and zettabytes of data utilized through increased edge computing (locally, in those devices), along with a growing reliance on the cloud. We must, therefore, step up and assume increased security measures as a core function of these smart devices.
We’ll only realize the full potential of smart, connected devices if we can trust and rely on them to be safe and secure. Here’s what it’ll take:
Currently, services like payments and eGovernment rely on ecosystems that follow globally accepted and implemented security standards, which are supplemented by strong and continually updated commonly trusted certification schemes.
IoT is still in its early stages where products do not interoperate easily, and such standards and certifications are missing, but we can learn from markets with high-security standards. Another brick in the wall that’s missing is standards that entail the appropriate combination of safety and security. IoT standardization has to learn from Healthcare, Automotive, Industrial, and Critical Infrastructure standards.
The trust in future IoT is to be based on independent, economically acceptable assessments and applicable to any type of IoT vertical. NXP advocates here a certification standard called “Security Evaluation Scheme for IoT Platforms” (SESIP), grounded in the Common Criteria certification scheme for highly secure components but covering the full span of IoT devices from low-end low-resources ones to the powerful edge-computing gateways.
In addition, IoT devices will have unmanaged lifetimes. Absolute security does not exist; this implies that we need standards defining ways to recover some baseline functionality in case a system is compromised: resilience is key, and this is where safety and security meet each other. If some level of control can be regained there, is less incentive for it to be attacked again.
IoT devices will be part of large complex systems; this implies that not only devices but also system security requirements standards are to be defined as well, globally with a focus on local requirements. Mutual recognition of security standards is needed to ensure scalability in the industry.
Last but not least, in addition to security and safety, a third pillar is to be considered: privacy. IoT devices are accumulating huge amounts of personal data that needs to be protected in a secure way.
For all those reasons, governments and industry need to redouble their work to develop and embrace common security standards and certification schemes for this next phase of IoT growth. One such mechanism for this collaboration is the Charter of Trust, which NXP co-founded with Siemens and other leading technology businesses. The Charter serves as a common ground for exploring the needs for shared standards, a way to collaboratively develop them, and a platform from which companies can adopt them.
In our era of rapid and continual change, it’s only smart to anticipate that devices will need to either accommodate multiple security requirements and adopt to new ones as they’re developed and deployed. This challenges businesses to consider how to make devices and entire solutions more addressable and flexible too, and by those changing needs.
For instance, there are currently multiple standards for vehicle-to-infrastructure communications (or “V2X”), which is core to enabling smart cars to function as part of integrated, constantly learning, and real-time networks. Add access to all of the less mission-critical functions and services, such as entertainment content and shopping, and it’s vital that designs for new vehicles take into account the likelihood that multiple standards may apply now, and perhaps change in the near future.
This means designing for multiple standards; think product labels in North America that often include descriptions in English, Spanish and French, so the same products can be marketed on shelves in different countries (and made accessible to different users). It also means focusing on the secure connectivity of those devices, not just their functional safety and security, so that devices can be updated (over-the-air, or “OTA”) when needed.
Again, to stretch the language analogy a bit more, many countries use different algorithms to implement similar methodologies to protect against the same sort of security risks (i.e., attacks can be agnostically identified and ranked by likelihood, frequency, potential impact, etc.). Anticipatory development challenges developers to see these common or shared requirements and address them.
Security by Default
Ultimately, security is not only a functional attribute of a product or network but rather an aspect of the design itself; security is something that is inherent, “built-in” versus “added on.” Security and safety are holistic system properties. A key strategy to address the emergent security challenge of 75 billion connected devices will be to continue to produce them with security by default
One way to do this is to physically insert a small component into a device that provides an identifier key and a secure execution environment. Such hard-wiring of one end is what you could call “a secure handshake” (also known as a “root of trust”) makes it incredibly difficult, if not impossible, to hack or trick the device (unless an evil-doer possessed the proper identifier). It’s not a software overlay.
We possess potent tools to address the emergent cybersecurity challenge ahead of us: Pursuing shared standards, anticipating multiple requirements and changes, and building secure components into devices themselves can, when taken together, empower businesses and ultimately individuals and businesses to benefit from the immense productivity and quality of life advances that continued growth in smart, connected IoT devices will bring.
And we have at least 75 billion reasons to build a safer IoT world.