According to IDC, investment in IoT is predicted to top $1 trillion in 2020. As our homes, businesses and cities become more connected than ever before, this number will only continue to rise. However, whilst the desire and demand for all things IoT has taken centre stage, it presents numerous challenges to security. If we want the connected age to deliver on its promised benefits, security must take front and centre.
IoT devices present an increased attack surface, often in physically unsecured environments. The data they generate is continually transmitted across both dedicated IoT networks and the majority of the public internet.
Historically, many vendors have prioritised sales over security, and DDoS attacks, back-end compromises and device vulnerabilities continue to plague systems and make headlines. In an age where data is vital in informing actions and decisions, it has never been more important for manufacturers to ensure that security is implemented as a primary parameter during the design phase, and end-to-end in a system.
A lack of device security at any point, from deep-chip level, through cloud aggregation, to the enterprise dashboard, leaves the door open for hackers to exploit vulnerabilities within IoT systems, providing attackers with access to other devices, servers and networks.
Cybersecurity company Kaspersky detected more than 100 million attacks on smart devices in the first half of 2019; seven times more than the number found in 2018.
So how do we prevent these attacks from having an impact? Manufacturers need to take a secure-by-design approach to their product development, embedding a hardware root of trust as a foundation to secure an IoT system end-to-end.
There are several benefits to hardware-based security over a purely software-based approach. Delivered at chip level through a secure core - and present throughout the whole lifecycle of the device - the hardware root of trust is a separate processor element dedicated purely to security tasks.
Embedding a hardware root of trust immutably identifies a device via a unique secret code which can be used as a cryptographic seed. This enables the vendor to manage the access rights for the devices it produces, and assign those access rights to legitimate parties. With this cryptographic foundation, secure communication can be established between the device and those granted access to it, blocking remote access without credentials at a hardware level. It also ensures devices only accept digitally signed firmware specific to the device, securing the upgrade process. These capabilities mean that the device identity, functionality and means of data transmission can be audited and trusted.
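As an added illustration (not code from the author or from Rambus), the sketch below shows how a single per-device secret can seed separate keys and bind a firmware update to one specific device. It assumes the vendor keeps a copy of each device's seed from provisioning and uses HMAC-SHA256 as a symmetric stand-in for the digital signature described above; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK from the seed, then expand it per label."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(device_secret: bytes, device_id: bytes, purpose: bytes) -> bytes:
    """One seed, many keys: the purpose label keeps each derived key independent."""
    return hkdf_sha256(device_secret, salt=device_id, info=purpose)

def firmware_tag(fw_key: bytes, device_id: bytes, image: bytes) -> bytes:
    """Authenticate the image together with the identity of its target device."""
    # Length-prefix the ID so (id, image) pairs cannot be re-split ambiguously.
    msg = len(device_id).to_bytes(2, "big") + device_id + hashlib.sha256(image).digest()
    return hmac.new(fw_key, msg, hashlib.sha256).digest()

def accept_firmware(device_secret: bytes, device_id: bytes, image: bytes, tag: bytes) -> bool:
    """Device-side check: recompute the tag from the local seed, compare in constant time."""
    fw_key = derive_key(device_secret, device_id, b"firmware-auth")
    return hmac.compare_digest(firmware_tag(fw_key, device_id, image), tag)

# Constructed sample values (not from the article): two devices, each with its own seed.
SECRET_A, ID_A = bytes(range(32)), b"device-A"
SECRET_B, ID_B = bytes(range(32, 64)), b"device-B"
IMAGE = b"constructed firmware image v2"

# Vendor side: it holds a copy of device A's seed from provisioning (assumption).
TAG_FOR_A = firmware_tag(derive_key(SECRET_A, ID_A, b"firmware-auth"), ID_A, IMAGE)

if __name__ == "__main__":
    print("A accepts its own update:   ", accept_firmware(SECRET_A, ID_A, IMAGE, TAG_FOR_A))
    print("B accepts A's update:       ", accept_firmware(SECRET_B, ID_B, IMAGE, TAG_FOR_A))
    print("A accepts a modified image: ", accept_firmware(SECRET_A, ID_A, IMAGE + b"!", TAG_FOR_A))
```

In a real root of trust the seed never leaves the secure core, so the derivation and comparison would run inside that dedicated processor element rather than in application code.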
If the new decade is to bring with it the full benefits IoT offers, this year’s resolution must be that we design in the protections required to keep systems secured.
Author details: Bart Stevens, Senior Director, Product Management, Cryptography, Rambus