
IoT Device Security: The Startling Disconnect Between Executives and Managers

Oct. 2, 2020
A June 2020 survey highlights the need for a cohesive security policy with threats on the rise.

The ongoing proliferation of connected Internet of Things (IoT) devices—more than 42 billion by the year 2025, according to one estimate [1]—is going to be matched by a corresponding growth in cyberattacks on each of these new points of entry.

This unavoidable trend is why security is top of mind for every company and organization that designs or deploys embedded, edge, and IoT devices. But how, where, and by whom security will be implemented and maintained is another matter entirely. 

Wind River recently partnered with Electronic Design to survey embedded systems professionals representing multiple industries, such as aerospace, defense, and healthcare. The survey results, discussed in a recent webinar (“The Great Security Disconnect: Real Implementation Versus Executive Perception”), revealed disparities between executives, managers, and individual contributors in multiple areas. 

For example, most engineering managers (64%) considered device failure or takeover to be one of the biggest security threats facing their organizations. Yet only 23% of executives said the same thing. In comparison, stolen credentials were seen as the biggest security threat for executives (40%), while only a small percentage of managers (15%) felt the same way. 

The primary roadblock to securing devices was another area in which executives viewed security differently than others in their companies. More executives identified the primary roadblock as “determining how much security is enough,” while non-executives indicated that “limited in-house expertise” was the main roadblock. These responses could reflect how company leaders have the impression that staffing is in place to support cybersecurity needs, while managers and contributors see a shortage of engineers trained and experienced in cybersecurity. 

Bridge the Gap with a Security Policy 

A solid security policy for embedded/edge/IoT devices can help resolve this disconnect. The National Institute of Standards and Technology (NIST), in its “Guide to Industrial Control Systems Security,” states that, “Security policies define the objectives and constraints for the [overall organizational] security program.” Policies define the threats that need to be mitigated as a team and why. 

Yet, a security policy isn’t easy to create within an organization with diverse stakeholders. Such policies must consider the complex and increasing requirements of regulators, customers, and industry standard-setters, such as NIST, the U.S. Food and Drug Administration (FDA), and the International Electrotechnical Commission (IEC). A security policy for embedded systems might include the following components: 

  • How and when vulnerability announcements are monitored, especially as more functionality is pushed onto edge devices, and much of this functionality includes third-party applications. 
  • The items to include in a software bill of materials, including license compliance, security management, export compliance, and safety certifications. 
  • How and when security testing is conducted. Will testing for security risks be conducted with simulation tools or a hackathon? Or will it be conducted by a third party? Will artificial intelligence (AI) be used to secure embedded devices, and if so, will it be used on the deployed device or during development? 
  • How the organization handles ongoing security maintenance and updates on devices. Updates might be performed manually on the devices, over the air, or by a third party. 

Move Toward a Cohesive Approach to Cybersecurity 

These aren’t idle considerations, especially since cybercrime is estimated to cause $6 trillion in damage per year by 2021 [2]. Many IoT and embedded sectors, like medical, industrial, infrastructure, and military, use devices that perform mission-critical functions. This means they can’t fail or execute in unintended ways. For mission-critical devices, the cost of a cybersecurity breach goes well beyond the loss of data, intellectual-property (IP) theft, and damage to a company’s brand, and it can result in a catastrophic event or even loss of life.

Having a rigorous security policy in place can make all the difference in helping to ensure that an organization acts and thinks cohesively on its cybersecurity priorities. It helps to have the right team in place that can evaluate and implement the right security solutions. 

One of the first steps an organization can take is an online security assessment from an experienced cybersecurity solutions provider, such as Wind River. This exercise can help organizations discover what disconnects might exist internally and where to start building consensus. It’s a small but significant step, whether the organization is currently building embedded devices or moving IT applications to the edge. 

Ready to Improve Security on All of Your Devices? 

See what your organization might be missing by taking a quick online security assessment

Learn more about how to improve embedded, edge and IoT device security by watching this series of short videos by Wind River principal security architect Arlen Baker (see figure)

Arlen Baker is Principal Security Architect at Wind River Systems.

References

1. IDC. “The Growth in Connected IoT Devices Is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast.” June 2019. www.idc.com/getdoc.jsp?containerId=prUS45213219.

2. Cybercrime Magazine. “Cybercrime Damages $6 Trillion By 2021.” October 2017. cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016.

About the Author

Arlen Baker | Principal Security Architect, Wind River Systems

Arlen Baker joined Wind River in 2007 as a Principal Technologist for Security within the Professional Services organization. Arlen works with customers in the industrial, aerospace, medical, and defense sectors to secure their systems. While at Wind River, Arlen has filed several security-related patents, written several whitepapers on security, and delivered numerous presentations on the topic of security. Arlen has since been made the Principal Security Architect in the Technology Office, responsible for technical security strategy across products and solutions.

Prior to joining Wind River, Arlen worked in various technical leadership capacities within the U.S. Department of Defense arena for more than 23 years on projects for the U.S. Army, the U.S. Navy, Special Operations Forces, and the National Security Agency. Arlen holds a Bachelor of Science in computer science with a minor in mathematics from the University of Nebraska at Kearney.
