Hitting a moving target: Time is running out in the race to secure connected devices

"Securing this kind of market requires strong working relationships between regulators and manufacturers – across all industries – and willingness amongst vertical leaders to collaborate and share their standards and knowledge with one another," writes Asaf Karas, CTO Security of JFrog.

Asaf Karas, 09:26, 30.08.21
Today’s consumer, business, and industrial landscape is increasingly speckled by connected Internet of Things (IoT) and operational technology (OT) devices. Some of these are familiar such as home security cameras, Wi-Fi routers, and robot vacuum cleaners, while others such as medical devices with remote monitoring, programmable controllers, and electrical switchgear may not be as obvious.


At the same time, 5G – a unique combination of communication technologies allowing for high-speed connectivity, very low latency, and ubiquitous coverage – is practically everywhere now.


Increasing connectivity allows consumers and manufacturers the ability to monitor and interact with products remotely – collecting data from them, observing their performance, turning them on and off, and re-configuring their settings, as needed. Increasingly, connected devices can even connect and communicate with one another without human intervention.


Asaf Karas, CTO Security of JFrog. Photo: JFrog


While great in theory, the increasing number of connected devices has put a lot of pressure on product security teams. After a chaotic period when many first-generation products were subject to proprietary standards that often failed or even ignored basic security principles, manufacturers are now guided by numerous national and global standards that set increasingly demanding baselines for security in every product category.


Standards confusion


Better security standards are a positive development, but under real-world conditions they come at the cost of increased complexity and confusion. There are up to 80 important standards to consult when manufacturing a product – talk about a major compliance headache. These standards can also be convoluted and divergent depending on the industry or market segment in which they’re applied, which makes expansion into new verticals a difficult undertaking for any company.


Different industry verticals are governed by numerous standards, for example IEC 62443 for industrial control systems and UNECE WP29 for the automotive industry.


While these standards are designed to be clear and actionable, in some cases there has been confusion over interpretation. Some standards are very high level, referencing ‘integrity’ or ‘encryption’ without practical information for the manufacturer or user on what this means in a given device. Others have been overly technical, providing hundreds of rules for devices in a single industry vertical. Worse, these standards have been limited in geographical scope, and have not been enforced effectively or consistently.


The need for clarity on these fronts is urgent, as threats against connected devices are multiplying rapidly and cybercriminals repeatedly probe them for security weaknesses. New vulnerabilities in edge devices are discovered every day, which means manufacturers must build into their designs the ability to patch and update devices after they have reached the customer. The global pandemic exacerbated this pressure, with a significant rise in the volume of cyberattacks targeting home users and connected devices at a time when remote access to company assets and remote device management has become the norm.


International cooperation


Over the last 12 months, we’ve finally seen progress towards edge device standards consolidation, with the automotive industry aligned by the UNECE directive WP29 and industrial control systems aligned and regulated under the ISA/IEC 62443 series of standards developed by the ISA99 committee and adopted by the International Electrotechnical Commission (IEC). There has also been geographical alignment between U.S., European and Japanese manufacturers, with regulators such as the FDA attempting to provide industry-wide standards around connected devices.


An important development in the U.S. has been the IoT Cybersecurity Improvement Act, which enables the National Institute of Standards and Technology (NIST) to formulate standards which will consistently apply to all manufacturers seeking contracts with the Federal Government. This, along with President Biden’s Cybersecurity Executive Order, could eventually result in a set of guidelines from NIST mandating a security baseline.


These regulatory decisions will help the manufacturers of connected devices to unify the standards associated with connected industrial systems, eventually forming de facto standards for everyone. However, the rate of growth of the industry still outpaces the development of the regulations charged with securing industrial environments where connected products are becoming ubiquitous.


Securing this kind of market requires strong working relationships between regulators and manufacturers – across all industries – and willingness amongst vertical leaders to collaborate and share their standards and knowledge with one another. The biggest challenge to reaching this edge device standards Nirvana is simply time. The landscape of technologies is constantly changing, making the threat landscape a moving target. With increasingly sophisticated cybercriminals targeting connected devices at alarming rates, the industry might find time to be a luxury it doesn’t have.


Asaf Karas is CTO Security of JFrog Security