comment on this article

More than 1 in 5 IoT device developers fail to spec security as product design requirement, according to Barr Group

Twenty-two per cent of embedded system developers working on IoT projects do not list security as a product requirement for their current project, while 25% of developers designing products for the IoT are working on devices that could kill or injure people if hacked, according to a preliminary survey by Barr Group.

The 2018 Embedded Systems Safety & Security Survey was completed by more than 1,700 qualified respondents and is designed to gauge the state of worldwide product development practises of embedded systems engineers.

With the growing number of hacks and cyberattacks threatening IoT devices, Barr believes this result should serve as a warning that security breaches and attacks will continue to plague the embedded system industry in the short-term future.

Based on survey data from 2018 as well as results from prior years, the embedded industry is showing modest improvement when it comes to making security a design consideration during product development, rising from 6% in 2016 to 67% in 2018. However, last year's survey generated 2,000 responses from engineers around the world, compared to this year's 1,700.

“Prioritising security in every Internet-connected embedded device is essential to maintaining the integrity of the IoT,” said Barr’s CTO, Michael Barr. “As also indicated by our survey, for both new Internet-connected and non-internet-connected projects, developers are increasingly designing applications that use more than 4 CPUs per system. These complex systems significantly increase the potential attack surface and are inherently more difficult to secure. Failing to focus on security during the design process, especially for Internet-connected devices, may be putting the entire network and potentially the devices’ end users at risk.”

Further compromising the state of IoT security, the survey results reveal that engineers developing IoT devices are still neglecting to implement industry-recommended design practices known to raise security levels of embedded systems. According to Barr’s survey, among the engineers designing internet-connected devices:

  • 54% lack regular code reviews
  • 49% fail to perform static analysis
  • 33% lack a written coding standard
  • 17% lack a bug database

The survey also found that fewer than half of all embedded engineers designing for the IoT encrypt their data.

Last year's report noted that 'a lot of what needs to be done is well understood and easy to implement. What appears to be lacking is motivation.' And it appears that this year has seen modest improvement. In comparison last year it was reported that 17% of the subset didn’t use coding standards, 25% didn’t use code reviews – with a further 16% replying ‘maybe’ – and 32% didn’t use static analysis.

However, Barr believes these results are still ‘highly concerning’ and that there is 'a lot more work to do', despite the modest increase in focus on embedded systems security during product design.

The final analysis will be unveiled on February 27, 2018 at Embedded World.

Author
Bethan Grylls

Comment on this article


This material is protected by MA Business copyright See Terms and Conditions. One-off usage is permitted but bulk copying is not. For multiple copies contact the sales team.

What you think about this article:


Add your comments

Name
 
Email
 
Comments
 

Your comments/feedback may be edited prior to publishing. Not all entries will be published.
Please view our Terms and Conditions before leaving a comment.

Related Articles