As consumer products get smarter, how can manufacturers transfer security best practices from production environments into the devices in consumers’ hands?
Security measures are frequently addressed by manufacturers when designing and manufacturing increasingly intelligent products. Most of the efforts implemented are to protect the manufacturer’s network and production capabilities. But what happens beyond those secure walls? How does that effort continue even when a product leaves the protection of the factory?
Internet of Things
The Internet of Things movement has seen rapid acceleration and change as companies and individuals benefit from the many tasks these devices operate, the data they generate, and how they help facilitate connections between the users and their processes. This movement has seen steady growth with the adoption of smart home devices becoming more mainstream in people’s homes and an uptick in building management systems. A secondary reason for the spike in demand is improved efficiency, enhanced by the increased knowledge gained from the influx of data collected by these IoT sensors.
Enhanced data insights in production are a driving factor in the increased installation base, with around $100 billion in investments from the manufacturing sector alone. Estimates show that 127 new devices are connected to the internet every second, with an estimated $4–11 trillion in expected economic value. Current estimates also suggest that around 75 billion IoT devices will be installed by 2025, with 48 billion of those installed between 2020 and 2025 alone.
On the consumer side, simplifying daily chores and the promise of reducing costs via automation and data insights drive many home device purchases. From the enterprise perspective, real-time data has dramatically improved business efficiency leading to cost savings and increased profits. The return on the investment is relatively high compared to the current cost of most of these devices. While the benefits have proven worthy, the Internet of Things movement has left both producers and consumers more vulnerable and scrambling to offset these gains, searching for tools to improve insights into this newly connected part of the business.
The most crucial question is: what should manufacturers consider when creating secure IoT devices from the ground up? They want to focus not only on security during design and creation, but also on implementing security controls and ensuring those same controls ultimately carry over to the end user of the IoT devices. Security for IoT devices is usually not a top priority for consumers who purchase these products, nor should it be. So, how can manufacturers now transfer their security best practices from their production environments into the devices they manufacture, and ultimately into their consumers’ hands?
Designing In Security
Great design starts with focusing on the product and how it will improve the way we currently perform some task. Security needs to be part of the design process from the initial conversations about core software design through to the product’s physical structure. The company’s security culture will set the tone for the whole process from start to finish, ensuring everyone understands that the company’s mission around security will translate from the manufacturer to the end consumer. Manufacturers with a strong security culture will implement and address basic security controls early on. Elements such as passwords, encryption, two-factor authentication, biometrics, and zero trust frameworks provide a defense-in-depth strategy in the early stages. Each of these allows the benefits to be carried over into consumers’ hands, ensuring that the product can support whatever security approach is used in their own environment.
Software is a fundamental part of most IoT devices, and testing and securing the code is essential. Continuous improvements to the software reduce risk: because the software is constantly changing and improving, exploiting a vulnerability becomes more difficult. Consumers benefit directly from the advances to the user interface (UI) and the security enhancements that updates provide. At this point, the data necessary for the product to function should be separated from usage information. Encryption should also be considered so that, in the unlikely event data is compromised, it poses another barrier to access. The main design goal should be that information cannot be traced back to the end user.
Manufacturing Out Vulnerabilities
Securing the supply chain can be the most daunting part of the process, with many new variables introduced during this stage. Monitoring components purchased from third-party vendors ensures the same quality of security is implemented in each element not designed in-house. Many manufacturers require that suppliers have a level of protection within their production line. This can come in the form of software detection of malware or even the use of an intrusion detection system in the OT environment to ensure visibility into all aspects of production. From the end user’s perspective, the benefits here are less visible if implemented correctly. Reducing vulnerabilities introduced by components purchased from outside sources does not directly add value but gives more peace of mind. This part of the process is crucial because components built locally but shipped globally open up the potential for backdoors to be introduced.
Security Marketing and Selling
Demand creation for products needs to include security as a consideration, not just how the device may make work and life easier. Each step in designing and manufacturing a device developed with security adds value for consumers. Awareness of these efforts can improve the value and ensure security becomes one of the core reasons for purchasing the product. Directly marketing security features to end users allows them to select products that fit their risk profiles. Consumer awareness and training can help maintain high levels of security after the product has gone beyond the walls of the OEM. Marketing should highlight which features support a secure experience and use them as a critical factor in differentiating the product in an increasingly crowded IoT device marketplace.
Cyberattacks are frequent and have entered mainstream consciousness because of news coverage and social media platforms. The enterprise customer has felt these attacks both financially and in brand and reputational damage. Data privacy has become a top concern for everyday users. Implementing perfectly designed security tools is useless if the end user is unaware of the capabilities included in the devices they have procured. Guidance and reminders on password security should not just be implemented but sold as a feature. Most consumers do not use complex passwords and fail to update default passwords due to a lack of requirements built into these IoT devices. For enterprise consumers, selling the concept of zero trust compatible devices is imperative. Ensuring the product is placed in an environment with little to no impact should push that device to the top of the consideration list.
Should manufacturers disclose the risks their products could potentially introduce into the end consumers’ environments? One could argue that knowing where the vulnerabilities lie allows the end consumer, an individual, or a large company to mitigate adequately and improve readiness. Currently, companies are not required to provide this type of information. Generally, it is not considered a great sales strategy to point out the risks a product could introduce in one’s environment. Security vendors often sell manufacturing customers solutions to resolve vulnerabilities. To ensure all customers can maintain a level of security that adheres to best practices, they need to inform and educate to best position and implement an in-depth defensive strategy. Manufacturers cannot protect users in every environment. Still, they should be responsible for providing features that allow anyone purchasing their product to construct a secure environment.
Securing the Future
Customers, whether on the enterprise end or in the consumer market, all deserve to have security embedded into their IoT landscape. Demand will continue to grow for many more years as this market matures. Security will continue to be part of the conversation as devices get more intelligent and handle more personal information from all aspects of our lives and businesses. Ensuring that the effort put into security during the design and manufacturing of products carries on beyond the assembly line is critical.
The end user’s level of protection should not drop but should increase, given that the consumers’ risk is at its highest when data collection begins at the first use of the product itself. Consumers all deserve a secure home and business even as the 1s and 0s enter and leave a manufacturer’s control. From the consumer’s perspective, all devices should carry the highest security standards. Privacy is a fundamental right, yet that can only happen with improved efforts toward security expectations at all levels.
There is a saying that the best implementation of security is the one to which you do not have to give a single minute of thought. As products become smarter, manufacturing’s challenge for the future is to ensure their security strategies successfully extend beyond the production plant and into the products themselves. A moment’s thought about security at the beginning of a product’s lifecycle could save consumers hours of disruption and frustration further down the line.
About the author:
Jose Razo is a Senior Technical Specialist in IoT, OT, and ICS Security at Microsoft.