Rambus Sr. Director of Security Products Asaf Ashkenazi recently wrote an article for Semiconductor Engineering about encouraging IoT security adoption. As Ashkenazi notes, everyone acknowledges that the clear majority of IoT devices are vulnerable and easily compromised, as many lack even the most basic of security functionalities.
“This is problematic, because an unsecured IoT ecosystem introduces real-world risks that include malicious actors manipulating the flow of information to and from network connected devices or tampering with devices themselves,” he explained. “Nevertheless, a number of IoT security products are presented as ‘super solutions’ that aren’t at all affordable or easy to use.”
According to Ashkenazi, this has led to an unfortunate situation where some OEMs view IoT security as a zero-sum game, with liability, risks and high costs piling up no matter which way they turn. The industry must therefore understand the very real concerns of OEMs who are struggling to implement even the most basic levels of IoT security.
“Clearly, IoT security solutions should be affordable and ready out of the box. Additional layers of security, if needed, can be added based on a changing threat landscape,” he continued. “It is also important to note that a comprehensive IoT security solution is about more than just protecting a specific device in a vacuum, as robust security capabilities should extend to the cloud service as well.”
Put succinctly, says Ashkenazi, the most effective IoT security solution is one that does not disrupt the OEM’s profitability or time to market. A practical and simple, yet secure solution that can be easily and widely adopted by OEMs and services is more effective than a ‘super solution’ with only limited adoption. Indeed, a solution that provides seamless end-to-end secure connectivity from device to the cloud, as basic as it is, can really help make a significant difference.
“The goal of security technology providers should be to deliver affordable and simple to use security, thereby increasing the adoption of security practices in IoT devices. In addition, IoT security solutions should be ready for the day where they need to be updated or upgraded to keep up with new threats,” he elaborated. “It is important to understand that IoT devices are not always as accessible as laptops, tablets and mobile phones. Some are embedded in smart city infrastructure on rooftops, concrete walls and subterranean pipes in sewage systems. These devices must receive secure over-the-air (OTA) updates, even if they are physically inaccessible.”
In addition, says Ashkenazi, IoT devices are particularly susceptible to security lapses, mostly because they are at once simpler, yet more difficult and costly to protect. Developers of such systems also tend to be less familiar with the importance of security. Nevertheless, the industry can still do its best to safeguard IoT devices by leveraging secure hardware provided by the chipset vendor, as well as utilizing on-chip pre-provisioning of unique keys and IDs.
“Moreover, OEMs should focus on the most critical vulnerabilities and choose the most appropriate levels of security based on plausible risks and attack vectors. A complete and scalable security solution that covers the device and the cloud service is the most effective, as it allows both OEMs to reduce their costs and time to market and services to minimize in-field device setup, customization and maintenance,” he concluded.