This article aims to offer some insights and predictions about how legislation and technology will impact security in connected devices, often referred to as internet of things (IoT) devices, across the complete lifecycle of product development, from design to delivery and beyond, in 2021.
Currently, security is primarily implemented only in high-end, next-generation, expensive chips designed solely for companies specifying a need for some level of security. However, in 2021, this will no longer be the norm as security becomes – or must become – an inherent design feature of all chips, whether a $0.80 or $8.00 microcontroller. While the level of security may vary based on the protection required and its value, every device will need to have a certain “hygiene” level that is higher than the norm today. Security will thus become mainstream.
Simultaneously, security will become part of the development flow rather than being separated from it. The C-suite executive in a business will realize that protecting code is directly linked to protecting customers and the business. They will begin to define and set policy to create a secure supply chain where companies can manage the content in each product, including its development and upgrade programs, and protect its IP. These policies will be designed to ensure security at every step, from design to delivery, and to prevent hacks or backdoors.
In addition, these policies will mandate that updates are provided securely and in a timely manner, and that only updates with the right versioning from the right vendor can be applied with proper encryption technology when breaches occur.
Traceability in the supply chain
Finally, we will see the development of a more secure global supply chain that allows traceability much like in the agricultural/food industry. Security must be mandated at every point at which a company sources chips, subassemblies, and other devices from different manufacturers that ultimately are integrated into an end product.
Frameworks are evolving from organizations like the IoT Security Foundation, which require identity to be built into a product and to be included in a production manifest. Companies will have to demonstrate how a product is managed throughout its entire lifecycle to ensure it’s not cloned, not counterfeited, and that it is secure. We will need to ensure the product has traceability much like food can be traced from farm to table today.
This change in mindset and behavior will come in part from legislation and in part from potential threats. For example, the IoT Cybersecurity Improvement Act was passed in the United States on December 4, 2020. It requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget to take specified steps to increase cybersecurity for IoT devices.
This was one of the few bills to receive bipartisan support in 2020, underscoring its importance. Throughout 2021 this will drive the adoption of enhanced devices as it is enforced to meet the mandates. It’s a huge turning point. Companies will need products like Secure Thingz Embedded Trust and IAR Systems C-Trust to help meet those requirements.
Another example is Online Harm legislation that we expect will become the norm in 2021. Countries around the world are adopting laws that enable them to block services like social networks, search engines, and other services if they are mendaciously enabling harmful content. This type of legislation will force the C-suite to take more responsibility for how their products and services are utilized, including cyber-stalking and coercive manipulation of victims, and to proactively fix or manage known issues.
Other important events to watch for in 2021 include:
- GDPR-level fines. The EU signed onto the EN 303 645 Consumer IoT standard and is expected to adopt General Data Protection Regulation (GDPR)-level fines for data breaches, which can range from 10 million euros to 4% of corporate global revenues. We will see other countries follow this lead.
- Cyber-physical events leading to serious harm or death such as an automotive hack.
- A significant artificial intelligence (AI) poisoning event, either accidental or intentional, that can occur when an AI system learns or is taught the wrong behavior.
These are the most important security developments that will impact 2021, as well as a few predictions about “headline-driving” events that we can expect. The good news is that technology exists to ensure applications are secure and used as they are intended. Let’s see what the year brings.
Haydn Povey is the founder and CEO of Secure Thingz, and general manager for embedded security solutions for IAR Systems, a supplier of software tools and services for embedded development. He also currently sits on the executive steering board of the IoT Security Foundation. With over 20 years in management positions at global technology companies, Povey was also at Arm for 10 years, where his roles included strategy and product roadmaps for IoT and M2M security, and leading the development and introduction of the Cortex-M microprocessor family.