
Why security is critical for the IoT

The security landscape for IoT devices is checkered. Some IoT products implement robust security measures, while others have not prioritized protection, making them more vulnerable to attacks by malicious actors.

It’s still relatively common to read about attacks (and hacks) on a variety of IoT devices (for example, cameras, wearables, and medical sensors) that consumers assume are secure out of the box.

Being unable to tell a secure IoT device from an exposed one is problematic as it drastically reduces consumer confidence at the time of purchase. That, in turn, hampers the widespread adoption of connected devices.

The two key issues contributing to security confusion are the lack of enforceable regulations that guarantee a minimum level of security across all IoT products and the absence of a standardized approach to design, implementation, and certification. However, signs of change on both fronts will result in a much safer IoT.

Business is on the line for IoT

While security represents a cost that must be considered part of overall IoT product development, the cost of an exploitable vulnerability can be many times higher.

The negative impact of successful attacks on IoT devices can take many forms, from loss or theft of valuable data or intellectual property (IP) to costs to fix exposures in products or services, damaged reputation, loss of customers, and payment of fines and penalties.

Furthermore, security breaches of individual IoT products not only threaten the prosperity of the companies making vulnerable products but also affect entire product categories by giving them a reputation for being insecure.

Such a reputation affects consumer confidence in IoT devices at large. From chip vendors to end device makers, securing the IoT is a vital mission for all companies operating in the sector.

Standardizing the approach to IoT security

The larger the number of IoT devices connected to the network, the greater the risk of an attack. Security is a marathon rather than a sprint as it requires an initial protection strategy and continued security for the lifetime of the connected product.

It’s therefore important that security is considered during the early stages of product design, in the same way that a designer considers product functional and non-functional requirements such as battery life or the user interface.

But implementing protection has historically been made more difficult because IoT security has lacked cohesion, with no common language and no standardized processes, implementations, or certifications.

Such fragmentation leads to inconsistent and mostly inadequate levels of security across IoT devices. The PSA Certified IoT Security Framework aims to solve this challenge by offering a standardized approach to secure IoT devices, including security analysis, architecture, implementation, and certification.

Nordic Semiconductor aligns with PSA Certified, a global leader in IoT security ecosystems. PSA Certified Silicon and Root of Trust certification provide security assurance for Nordic silicon as a platform for secure product development.

This ensures product manufacturers creating advanced IoT devices with Nordic’s IoT solutions can follow a guided approach to security. By adhering to PSA’s methodologies and training materials, developers can grow their security expertise with the assurance that they are building on a secure platform.

Regulations and security labels are just around the corner

Historically, the security of IoT devices has been heavily dependent on their category. For example, safety-critical sectors such as industrial and medical have typically been subject to tight security regulations.

Still, more consumer-oriented devices did not have any specific regulatory requirements, leaving the level of protection offered up to individual device makers.

New global regulations aim to tackle the vulnerability of some product types, to create a common security baseline for every IoT product. Lack of compliance with that baseline would lead to losing market access.

One example of this regulation is the EU’s Radio Equipment Directive; this was recently enhanced to mandate cybersecurity requirements for connected products sold in Europe, with more protection to come through the Cyber Resilience Act.

In the U.S., the Executive Order on Improving the Nation’s Cybersecurity from 2021 has triggered standardization activities within the National Institute of Standards and Technology (NIST). And in the U.K., the Product Security and Telecommunications Act enforces cybersecurity requirements.

Raising consumer awareness

In addition to regulations that mandate a baseline level of security across all IoT products, various labeling schemes are raising consumer awareness to help them understand the security level of different devices and make more educated choices.

A few examples are the Cybersecurity Labeling for Consumers: Internet of Things (IoT) program in the U.S., the Cybersecurity Labelling Scheme in Singapore and Finland (which has bilateral recognition), and the proposed Australian Cybersecurity Label, which is under development.

Security awareness among manufacturers, installers, and consumers of connected devices is gaining worldwide momentum. As suppliers of silicon and solutions increase their investment in this area, device makers have a more solid foundation on which to create and deploy billions of IoT products.

Security is one of the key pillars required for IoT to scale, just like the Internet and cellular networks that came before.
