The IoT security challenge is a popular topic in recent years - many articles have covered the reasons for the challenge and have extensively discussed its possible implications. What has not been well discussed is a surprising fact – while the cyber-attack landscape for embedded devices is growing dramatically, the level of effort required to carry out a successful attack is decreasing.
These two effects will probably lead to more and more devices being attacked while deployed in the wild unless security is implemented in the near future and in a scalable manner that will provide security coverage, against existing and emerging threats, for every device. For a truly effective security implementation, security must be designed into the product, not added post-deployment by the user.
Lack of security slows IoT growth and weakens trust
Enterprise users are rightfully concerned as the financial motivation for attacking connected devices is constantly growing. While the cost of crafting an attack vector is pretty low, there is a huge potential gain from a successful attack. It is probably only a matter of time before attackers initiate additional widespread and large-scale campaigns targeting IoT devices such as the infamous Mirai and VPNFilter that took advantage of devices with minimal or no security.
Businesses deploying IoT devices understand the impact of cyberattacks to their business continuity and reputation, therefore shifting from insecure to secure devices in order to stay one step ahead of the attackers. For that reason, vendors are advised to enhance the security state of their devices – plenty of research shows that investing in security in the short term will lead to higher adoption in the long term.
But, security is not in the IoT maker’s DNA
Because competition for connected devices is high, time-to-market, functionality, and cost are the priorities for vendors and there is less concern for security. Emerging standards and regulations around IoT security change this reality to some extent, yet when it comes to the device vendors, there are still difficulties in complying with standards, mainly because of limited awareness as well as lack of security expertise. Taken all together, vendors are worried about entering the security arena as it seems like a very costly process as well as a cause for a potential delay in the product release.
Device manufacturers lean on traditional product design approaches established before these devices were aimed to be connected to the internet. There was never a need for security on a refrigerator or a thermostat, so consequently security was more of an afterthought. Based on that, it makes sense that manufacturers do not fully understand why and how to implement security.
The security automation revolution
Security implementation that is based on automated analysis dispels many of the concerns vendors have about security. The industrial revolution allowed humanity to produce food at scale, shifting from manual slow processes to automated and more efficient processes. For the IoT ecosystem, security automation is the same thing – allowing all devices to be secure in a scalable and cost-effective manner.
Security should not be a burden for the vendors to carry by themselves, nor a long and expensive process that needs to be outsourced to third-party manual services. An automated security solution puts the control back in the vendor’s hands –based on analyses of thousands of devices, it offers transparency and deep visibility into all first- and third-party device’s components, and it maps out existing security threats together with a balanced risk mitigation plan. All this allows developers with no security background to implement best practices crafted by industry top experts, in a fast and cost-effective way.
Enabling device-specific protection
When it comes to IoT devices, there is a huge variety – each device is different from another, with different security requirements, so how can one generic security solution address them all? Rather than addressing one device type or a specific protocol, security should be specific to the device, addressing its unique threat landscape and resources. Automation is the key to enabling this at scale. By using machine learning based solutions that quickly define device-specific security customisations, manufacturers can implement security into product design quickly and cost-effectively.
Until the automation era, securing a device required an expensive and long process of manual penetration testing. This process is usually done post device development as part of the system testing phase, at which point changes are costly and usually cause a delay in time to market.
On the contrary, automation can make the security analysis process much faster, where the product security state including a specific mitigation plan is generated in less than an hour. The simplicity of such a process allows easy and continuous integration of security best practices into the design and development phases. It eliminates the time and resources needed to mitigate security gaps after the fact, and it makes security implementation much more affordable.
A foundation for auto-generated security solutions
Not only is automation an incredibly effective method for security analysis, it also serves as a strong basis for additional security solutions. Once deeply analysing the device attributes, tailoring device-specific solutions as additional protection layers is possible and highly recommended. Such solutions are generated precisely based on the device’s specific threat landscape and include products like a runtime protection micro-agent that are designed to consume the minimum of the device’s resources and therefore do not interrupt its functionality. This kind of solution allows protection against known and unknown threats, which is very useful in this ever-changing world of cyber threats.
Whether it is for analysis or for the creation of additional security products, automation is the key for a cost-effective and scalable device-specific security strategy.