Get started Bring yourself up to speed with our introductory content.

Incentivizing IoT security: Fear is not enough

The recent DDoS attack carried out by hackers using tens of millions of unprotected IoT devices has mainstreamed what security pros have known for a long time: IoT devices are vulnerable to attacks. In this attack, millions of webcams were unknowingly recruited to conduct the attack on major ISPs on the East Coast. Many of these webcams are now being recalled.

This attack was a wakeup call for all IoT device makers who now realize that edge devices such as webcams and sensors must be secured. That said, balancing cost constraints and security requirements remains problematic for device makers. Let’s not kid ourselves, implementing security is a tax; it is a tax in terms of additional hardware required and time spent learning and implementing security solutions. Compounding this problem is the entrance of new developers — ones with very little background or experience in low-level embedded systems programming. These new developers are typically experienced in developing mobile and cloud applications but need significant training in developing for IoT devices. They also require significant training in IoT security.

Given the above situation, how does the IoT security bar advance? To date, predictions of doom and gloom have been the norm for trying to get device makers to adopt security solutions. Fear of getting hacked is a motivator, but often after the fact. Therefore, fear alone will not yield secure devices. A different approach is needed.

Incentivizing IoT security

The answer lies in incentivizing IoT security deployment by making it easier to deploy than before. To illustrate, let’s go back a bit into the history of the PC. There was a time when every application developer was required to write their own printer drivers. This meant that not all printers were supported and each implementation was a little different. It wasn’t until the late 1980s that the OS took on the role of standardizing interactions with peripherals and other devices.

The same is true when it comes to embedded systems and IoT security. Take cryptographic hardware for instance. Each silicon vendor has a slightly different implementation ostensibly to differentiate itself in the market or to support other aspects of the hardware such as power consumption, storage constraints and so forth. The outcome is a greater burden on device makers and application developers who now must sift through reams of data sheets and specifications in order to implement that one specific piece of hardware. The cost implications are significant given that the above effort results in a one-off implementation that is hard to maintain and update. This prevailing approach also prevents any efforts to standardize security practices across different products. In other words, security remains a checkbox and not a strategy.

What if this effort could be reduced? What if it could be done while letting silicon vendors differentiate their hardware offerings? How can IoT device makers be incentivized to deploy IoT security? One part of the answer is to provide security solutions that are foundational in nature. In other words, chips and platforms that are secure by design. ARM, whose designs power the majority of chips used for IoT products, recently made available a new security design, TrustZone® ARMv8-M, for creating secure, low-power, microcontroller-based products. The new security extensions are part of the the newly released Cortex-M23 and Cortex-M33 chip architectures. This, however, is only part of the solution as it does not address the time and labor involved in implementing security. The answer to that lies in developing better software tools and solutions that simplify the effort for the majority of developers.

A number of software vendors are working towards developing products that essentially simplify the task of creating and accessing secured functions. This generally includes providing out-of-the-box, higher-level APIs and services for accessing cryptography, notification, authentication, key management and other security functions. Several solutions are becoming available as well as a result of collaboration between chip makers and software publishers including CoreLockr-TZ from Sequitur Labs, as well as NXP, Renesas, Microchip, IAR and variety of RTOS vendors such as ExpressLogic. These collaborations signal a larger trend that replaces component-oriented selling with a solution oriented approach. That’s good for consumers as it will lead to devices with better security. After all, security is not a “part,” it’s a strategy.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.