Digital trust is the cornerstone of all technology today. But who is responsible for ensuring this security?
A recent report on IoT (1) shows that this responsibility is shared fairly evenly between the companies that use IoT devices and the manufacturers that build them. However, while OEMs are prepared to take responsibility for the security of the devices they produce, they believe it must be a collective effort.
48% of professionals believe that manufacturers of connected (IoT) devices should be largely or exclusively responsible for the consequences of security flaws in their products.
One might assume that, in a report in which user companies and original equipment manufacturers (OEMs) participated in equal numbers, this figure reflects the views of the non-manufacturers. It does not.
99% of OEMs say they work to secure their devices, and more than 90% believe security should be prioritized over features or functionality. In reality, in their view a “lack of budget” is the least significant obstacle to securing equipment.
Overall, OEMs recognize that security complements their value proposition and can even boost their business and differentiate them in the market. The OEM sphere is realizing that, with appropriate investments and strategies, security can be a business accelerator rather than a cost center.
45% of OEMs say the security of connected devices should be taken into account when products are designed.
The “shift-left” approach, which consists of testing as much as possible as early as possible, also applies to security. Security becomes so essential to every aspect of product creation that it simply cannot be confined to a single phase of development.
Regulations such as the Cyber Resilience Act will certainly reinforce this reality before long. Digital infrastructure and cyber-physical systems have real-world consequences. As public authorities seek to strengthen the security of these systems, they advocate sharing responsibility between product designers, equipment manufacturers and end users.
OEMs are willing to share this responsibility: more than half recognize that they have a duty to disclose vulnerabilities in their products. If more companies adopted this approach, collaboration with operators and users on risk prevention would improve.
Lack of standardization and supply chain complexity make IoT security difficult.
Typically, OEMs use three methods to secure the connected devices they manufacture:
- Assign each device a unique identifier, verified via a public key infrastructure (PKI), before issuing it a public identity.
- Sign the code and verify the signature at startup and at regular intervals during execution.
- Provision each device with a lifetime key and certificate to secure its communications.
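As an added illustration of the second method (signing the code and re-checking it at boot and at intervals), and not code from the report or from Keyfactor, here is a small Go program that uses only the standard library's Ed25519 and SHA-256. The firmware image, the key pair and the check interval are constructed for the demo; a real device would keep only the public key in immutable storage and hash the image from flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed sample firmware image; a real device would read it from flash.
var firmwareImage = []byte("constructed-sample-firmware-image v1.2.3")

// NewSigningKey generates the manufacturer's Ed25519 key pair. In production
// the private key stays in the OEM's HSM; only the public key is burned into
// the device.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy at build time is not recoverable
	}
	return pub, priv
}

// SignFirmware produces a detached signature over the SHA-256 digest of the
// image; signing the digest lets a bootloader hash the image from flash in chunks.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyFirmware is the boot-time check: the device holds only the public key
// and refuses to run an image whose signature does not verify.
func VerifyFirmware(pub ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("firmware signature invalid: refusing to boot")
	}
	return nil
}

// IntegrityMonitor covers the "regular intervals during execution" part of the
// method: it keeps the digest of the image that passed boot-time verification
// and re-hashes the running image on every Check.
type IntegrityMonitor struct {
	image    []byte // the running image being monitored (shared, not copied)
	expected [sha256.Size]byte
}

// NewIntegrityMonitor only accepts an image whose signature verifies.
func NewIntegrityMonitor(pub ed25519.PublicKey, image, sig []byte) (*IntegrityMonitor, error) {
	if err := VerifyFirmware(pub, image, sig); err != nil {
		return nil, err
	}
	return &IntegrityMonitor{image: image, expected: sha256.Sum256(image)}, nil
}

// Check recomputes the digest of the running image and reports any change.
func (m *IntegrityMonitor) Check() error {
	if sha256.Sum256(m.image) != m.expected {
		return errors.New("runtime integrity check failed: image modified since boot")
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()
	sig := SignFirmware(priv, firmwareImage) // done at build time by the OEM

	mon, err := NewIntegrityMonitor(pub, firmwareImage, sig) // done at boot by the device
	if err != nil {
		fmt.Println("boot aborted:", err)
		return
	}
	fmt.Println("boot: firmware signature verified")

	// Periodic re-checks; the interval is shortened so the demo finishes quickly.
	for i := 1; i <= 3; i++ {
		time.Sleep(10 * time.Millisecond)
		if i == 3 {
			firmwareImage[0] ^= 0xff // simulate an in-memory modification of the image
		}
		if err := mon.Check(); err != nil {
			fmt.Printf("interval %d: %v\n", i, err)
			continue
		}
		fmt.Printf("interval %d: image intact\n", i)
	}
}
```

The signature is verified once with the public key at boot; the periodic check then compares a digest rather than re-verifying the signature, which is cheaper on a constrained device and catches in-memory modification. What the device does when a check fails (halt, reboot into recovery, report upstream) is a policy decision that belongs in the product's threat model.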
However, these methods are far from universal. Just as there are many ways of developing and manufacturing products, there are many ways of protecting them, none of which has yet become dominant. Protecting the Internet of Things is therefore not simple. Across the wide range of IoT applications, each one has its own requirements and constraints, which makes it all the more complex to design effective security protocols that can be applied globally.
As this landscape evolves, product designers and vendors will likely move toward a world more focused on interoperability, as evidenced by the release of the Matter standard at the beginning of the year. Whatever happens next, this new standard will undoubtedly help simplify the security of connected devices designed by different manufacturers.
Supply chain: the key issues raised highlight the need to partner with external cybersecurity solution vendors
The life cycle of connected (IoT) devices is complex, from design, development, manufacturing and distribution through to ongoing updates. Each phase has its own vulnerabilities, which are potential entry points for cyber threats.
Among the main difficulties that OEMs encounter in securing their supply chains are:
- Lack of clarity about best practices for implementing security mechanisms on production lines
- The fear that a failure will compromise production by immobilizing machines
- The growing risk of cyber attacks
- Lack of adequate digital infrastructure
- Lack of skills or talent capable of managing complex systems
OEMs typically do not feel prepared to make the changes needed to keep devices secure at scale. For many of them, updating their systems would require a digital transformation that is too drastic and radical. Others simply lack the resources and knowledge in this area.
Only partnerships with software vendors and cybersecurity solution providers who fully understand these issues and can address them will make it possible to protect production lines at scale.
Certificate outages have a major financial impact
98% of companies report at least one outage in the last 12 months caused by the unplanned expiration of a certificate on a machine. The total average cost of these certificate expirations on production lines last year came to the astonishing sum of 2 million euros for each company affected.
While only 6% of companies do not use a PKI to manage the lifecycle of their certificates, 27% manage it with in-house solutions. To relieve them of the security and maintenance burden, partial or full outsourcing of the PKI and its management can be a worthwhile starting point.
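The unplanned expiry described above is exactly the failure mode a certificate lifecycle inventory is meant to catch. As an added example, not code from the report or from Keyfactor, this Go program parses a PEM bundle of machine certificates with the standard library and classifies each one as expired, expiring within a renewal window, or healthy. The certificates, host names and the 30-day window are constructed for the demo; in practice the bundle would be exported from each machine's TLS configuration or trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Status classifies a certificate relative to a renewal window.
type Status string

const (
	StatusExpired  Status = "EXPIRED"  // past NotAfter: the outage is already live
	StatusExpiring Status = "EXPIRING" // inside the renewal window: renew now
	StatusOK       Status = "OK"
)

type Finding struct {
	Subject  string
	NotAfter time.Time
	Status   Status
}

// Classify flags anything that expires within window so it can be renewed before it takes a machine down.
func Classify(cert *x509.Certificate, now time.Time, window time.Duration) Status {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= window:
		return StatusExpiring
	default:
		return StatusOK
	}
}

// AuditPEM parses every CERTIFICATE block in a PEM bundle and classifies each
// one; non-certificate blocks are skipped and an unparsable certificate is an error.
func AuditPEM(bundle []byte, now time.Time, window time.Duration) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		findings = append(findings, Finding{cert.Subject.CommonName, cert.NotAfter, Classify(cert, now, window)})
	}
	return findings, nil
}

// MakeSelfSignedPEM builds a throwaway self-signed certificate so the example
// runs offline; the subjects and dates are constructed, not real inventory.
func MakeSelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now, day := time.Now(), 24*time.Hour
	// Constructed inventory: one expired, one inside the 30-day window, one healthy.
	var bundle []byte
	for i, end := range []time.Time{now.Add(-day), now.Add(10 * day), now.Add(365 * day)} {
		p, err := MakeSelfSignedPEM(fmt.Sprintf("machine-%d.example.internal", i+1), now.Add(-2*day), end)
		if err != nil {
			panic(err)
		}
		bundle = append(bundle, p...)
	}
	findings, err := AuditPEM(bundle, now, 30*day)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %s (expires %s)\n", f.Status, f.Subject, f.NotAfter.Format(time.RFC3339))
	}
}
```

The renewal window should be longer than the time it takes to re-provision a machine on the line, and the audit should run on a schedule and feed an alerting channel rather than be triggered by an outage; an EXPIRING finding is cheap to act on, an EXPIRED one is the downtime the report puts a price on.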
Lifecycle management of the cybersecurity components built into products is emerging as the primary responsibility that OEMs assume toward their customers. Companies must understand that this obligation does not end with the sale of the product. In an ever-evolving threat environment, it is crucial for OEMs to provide support and remediation to their customers while continuing to improve the solutions they develop next.
Communication and transparency about security levels, vulnerabilities and fixes between OEMs, operators, enterprise users and even end users are also essential to achieving true digital trust in our connected world.
(1) “Digital Trust in a Connected World: Navigating the State of IoT Security”, conducted by Vanson Bourne on behalf of Keyfactor with 1,200 IoT and connected products professionals across North America, EMEA and APAC. All respondents had some responsibility for or knowledge of IoT or connected products at their companies, and included original equipment manufacturers (OEMs) and those who use and operate connected devices at their companies.