Home > News & Blog > Securing IoT Devices

Securing IoT Devices to avoid an Internet of Trouble - Part 1

How do we Guarantee Trust & Privacy in a Hyper-Connected World of Devices?

Securing IoT Devices to avoid an Internet of Trouble

The Internet of Things is one of the world’s fastest evolving technologies. There is 22 billion devices in circulation around the globe, with that number set to increase by 15 billion in the next 3 years. However, as the number of these connected devices surge so do the attack surfaces for potential bad actors.

Over the next two episodes of The Critical Lowdown we are going to ask, “With increased connectivity in consumer, medical, industrial, and critical infrastructure domains, just how do we guarantee trust and privacy in a hyper-connected world of devices, and how can manufacturers ensure the Internet of Things does not become the Internet of Trouble.

Last week the CEO of EPS Global, Colin Lynch sat down with Hayden Povey, founder and CEO of Secure Thingz and the Chief Strategy Officer at IAR Systems, to discuss the topic of IOT security. Hayden has just returned from the World Economic Forum in Davos, Switzerland, where he has been acting in an advisory role on the key requirements for security of connected devices, and on the future minimum standards.

In part one, Colin and Hayden discuss the landscape of IOT security, real world implications and what governments around the world are doing about it. Let’s jump right in.

Listen to Part 2


Transcript of: Securing IoT Devices to avoid an Internet of Trouble

Colin Lynch: Good afternoon, my name is Colin Lynch. I'm the CEO of EPS Global. We're a global provider of Secure Provisioning services. Today I’m talking to my good friend and colleague Hayden Povey, CEO of IAR’s Secure Thingz.

Secure Thingz are a Cambridge-based company who make solutions that simplify security for customers designing connected devices. I’m delighted to have you here today. Hayden, how are you?

Haydn Povey: I'm good. Thank you for having me, Colin.

Colin Lynch: Why did you set up Secure Thingz? What was the problem you were trying to solve?

Haydn Povey: It's a long story and I apologize to your listeners! Basically, I was with ARM for over a decade, having run the microcontrollers, and subsequently the security side of those businesses, working on technologies which underpin Apple Pay, Samsung Knox, and solving those problems around mobility. I saw the same sorts of problems starting to emerge in the Internet of Things, and around how we have to trust our data. We need to trust the systems which are going to surround our lives, and ultimately, which are there to help us.

But unfortunately, if they're not trustworthy or secure, then we are creating an Internet of broken Things, or an Internet of Trouble, instead of an Internet of Trust. We decided we needed to do something about that.

Colin Lynch: That’s interesting. I can remember meeting you around 4 or 5 years ago at Electronica and you had big ideas for Secure Thingz, and it resonated with me at the time from an EPS Global perspective because we're really focused on outsourced services. The area of connected devices contains a lot of security aspects which are tough for companies to navigate, for example compliance, time to market, cost of capital, cost of staffing... And for EPS, I think we realised the need for security, but how it would be far more cost-effective and simpler for companies to outsource rather than to implement it themselves. I think that’s where the two of us came together originally and saw the sense in collaborating.

We talk a lot about the risks of connected devices. Did you want to elaborate on that and talk specifically about what risks you see, and what you're trying to address?

Haydn Povey: Absolutely. I think there are a wide set of risks. First of all, there are a lot of significant business risks in everything that we do. As people build systems and they’re trying to build trustworthy systems, the ability to manage code, keys, and everything else throughout a secure supply chain is obviously a key requirement which we'll come back to, but when I look at the key risks, perhaps the best way of looking at this is some work we did recently with the World Economic Forum.

The World Economic Forum is a very strange group to be thinking about IoT security. They tend to think about macroeconomics and pandemics, yet, they came out with a statement a couple of months ago, which we supported, around some of the key requirements that are needed for IoT devices.

  1. These are things like a need for proper identity, because in the Internet of Things, we're going to have many devices, billions or trillions of devices that we need to make sure have a proper identity, and that there's not traditional passwords which are easily forged, or broken. The consequence of this is that we can't really trust our devices.
  2. We have to be honest about when things break. We're all human, code is not perfect.
  3. We need to be able to manage devices through their lifecycle. That's a very easy thing to say, but it's a lot harder to deal with, because you have to put the right foundations in place which enable us to manage devices through their lifecycle from birth, through production, manufacturing, all the way through their life cycles with updates, and patching and end of life and all those sorts of things.

Colin Lynch: Is there an example of a customer, maybe on a no-names basis that really encapsulates the risks associated with failing to account for these eventualities you're talking about?

Haydn Povey: Oh, there's a number out there. We've recently seen in Central America where energy meters have been hacked, and that stole about $400m worth of revenue from the energy company, that's a pretty big number.

Another example is a company in the Far East which manufacture door electronics for automatic doors in supermarkets and shops who had their IP stolen. They had seen revenue growth in all of their major markets, but in one particular region, the revenue was dropping off quite substantially. They found that it was one of the partners in their own supply chain that was robbing them.

There are many others. I think the most interesting one for me is in the HVAC space, because in reality most people don't know that if you over-pump a HVAC system, you can turn it into a small bomb and actually detonate it. It’s listed on the security services risk register.

As these things become more connected, they have the ability to be attacked and weaponized, and it's this weaponization of standard technologies all around us which people are starting to think about. The events in Ukraine and Russia sharply brings into focus how things can be misused and abused.

Colin Lynch: A bomb on every factory rooftop, that's one I hadn’t heard about before! I guess the government have a role to play. I mean, there's presumably legislative initiatives. Could you frame some of those for us? For example in the UK and EU markets?

Haydn Povey: Yes, there's a lot of legislative frameworks moving forward. In the majority of cases, most of these are based off work which was carried out by the IoT Security Foundation (IOTSF) itself.

It's a global, non-profit, non-government organization, and we've been a member of The IOTSF since we helped set it up. We've evolved what we call the 13 best practices that revolve around IoT and cybersecurity implementation, where we've worked with a number of governments globally, the most advanced of whom is, from the legislative perspective, the UK.

Here in the UK, we have the PSTI bill going through Parliament, it's in its final reading this week. The Product Security and Telecoms Infrastructure Bill basically gives the same sort of framework as we saw previously for GDPR.

It introduces a £10m ($13m) fine for noncompliance. What it requires is 3 real hygiene level pieces of security in every connected consumer device.

  1. Proper identity - using proper cryptographic authentication frameworks.
  2. It requires a vulnerability disclosure on the company. You must tell your customers when something's gone wrong.
  3. You also have to be able to update. We will find vulnerabilities, it's part of life, and you have to make sure that you work with your customers to remediate that.

But the interesting thing here is that security moves from being a cost, to actually being an enabler for business. If I have to update those devices legally, I have to know who those customers are, I can put in place service agreements and service revenues. I can sell to those people and market to them because I know who they are. So security flips from being a cost to a value.

Colin Lynch: Very interesting. What would you say are the timescales? If a bill is in its final reading is going to mandate compliance in perhaps 2 or 3 years?

Haydn Povey: Actually a little bit sooner than that. Typically, as soon as this bill has gone through the Commons, it will go to the Lords for review, just to make sure it's good law, and then get signed off and it will then be law. We're looking in the region of less than 12 months for that to be applicable.

Colin Lynch: And similar pathways in the EU and the US?

Haydn Povey: Yes. In the EU, they've had a standard called ETSI EN 303 645, it's driven by ETSI, the European Telecommunications Standards Institute. That's been picked up by NIS (Directive on security of Network and Information Systems), they will have that in place hopefully in November 2023, and that means everything sold as of November 2023.

If you're shipping something from the Far East, you need to make sure that everything which is going to be sold in Europe as of the end of next year is compliant. That means shipping by the middle of the year, which means manufacturing at the start of next year (2023). So the clock is very much ticking.

Colin Lynch: What do you think companies are doing about this challenge today? Where do you see them moving over the next few quarters?

Haydn Povey: It really has started to come into focus over the last 6 months or so. For a number of years now we've been telling people that security is important rather than having to explain to them why. That's changed over the last 6 months, as the question that is being asked is how? How do I make the certification required?

The reality is that people are not ready for this and there's actually a huge lack of cybersecurity knowledge in the industry. There's a lack of cybersecurity experts, with only around 3.5 million globally. People are having to turn to tools and standard frameworks, and part of what we do to Secure Thingz is deliver tools into the development flow, called Embedded Trust, but then also into the production flow, this is integrated into the manufacturing process, to imbue security directly into the devices when they're born.

Colin Lynch: I assume you’re seeing companies who are leading in the field by implementing this in their systems today, or considering implementing it in your future?

Haydn Povey: Correct. More companies are looking at exactly this. We've dealt with one company in the US recently, and we were talking about their needs in general. They turned around and said, “we just need a Secure Boot Manager now”. This is fantastic, because that's what we offer, but it enables them to bring security into their product very easily.

Some people can do that at the start of the project, other people are already partway through the project and together we can offer tools and solutions for doing that.
Very few people have clean sheet designs these days. We have to add security where we can. People are asking ‘how do I take my existing application and add just enough security, and then I'll step it forward and step forward?’. That's an important aspect for many companies, they have to put in enough security, they have to tick the security box without wishing to become fully experts in every aspect of the field.

Colin Lynch: You mentioned a reference to the Economic Forum in Davos which you attended and spoke at this week. Are there any key takeaways that resonate around some of the problems we've been talking about?

Haydn Povey: Yes, there are two which stand out for me. 1. The first one is really a supply chain issue. Within our food industry, we have Farm to Fork legislation everywhere in the Western world. We can go to the supermarket, we could find a pack of meat, we can understand which farms they came from, the medicines that the animals were given, essentially the full supply chain. However, we can't do that with our electronics.

This creates a real problem when we look at software bill of material and how systems are built. We have to do better about that, we have to be able to look at our carts, at our critical infrastructure and understand that flow. This is being echoed back in a number of ways with delegations from the US and Europe. We have to have a Farm to Fork mentality for our electronics.

2. The other part of it, which really stood out for me was the concept of privacy in a hyper-connected world. As the Internet of Things surrounds us and understands more about us, whether it's smart watches, smart homes, smart cars, or smart transportation systems, these things are going to be connected together.

We have to understand the privacy which goes around those, and how our data is shared. This really moves things from what I would call traditionally embedded, more towards edge processing with more capabilities there. The fundamental of privacy is security. We need to make sure that our devices are protected against third parties hacking into them, harvesting our data, and maybe weighting the dice around decision making.

We talk a lot about fake news, yet we don't talk so much about fake data, and yet the consequences of that could be as strong, which we've seen with various elections and other bad things.

Colin Lynch: We’ve spoken a lot about the problems of security, we're going to come to the solutions very soon. But before I move on, one other question I have from a supply chain point-of-view is the components shortage. I have always considered it as something that has really hampered companies who are genuinely trying to implement security in the very accelerated timelines that you're referring to. Was there any discussion about the easing of supply chain problems? Or is that something you see maybe, if not this year, into the early part of next year?

Haydn Povey: There obviously is some discussion around that, things like the chip legislation, making sure that both the US and Europe have some level of independence away from some of the supply chain issues, especially at a geographical level, if China and Taiwan get into troubled waters again.

So much of our semiconductor requirements are reliant on China and Taiwan, that if something did blow up over there then the US and Europe would need to have some level of independence. That will happen, but I think the key thing around that is that people are again starting to understand the benefits of multi-sourcing, and the need not to be too dependent on a single point of failure or a single vendor.

For example, the automotive industry. If they're very reliant on one vendor and they go on backlog, there's nothing they can do about it. Their manufacturing lines become carparks.

As a broader organization within IAR, we’ve seen the need for people to pick up and support multiple devices. This is also true of security, too. It's great that a lot of these devices have great security or AIML capabilities, but there's also an awareness that being too reliant on those companies is not necessarily a good thing. So this is a way of diminishing risk. Also, from a European and US perspective I think we will see additional investment in fabs and in the silicon ecosystem and around intellectual property in general.

Colin Lynch: I think we've framed the problem. There's a situation where legislatively and commercially, and in the interest of consumers, that companies need to come to the table on security. There's challenges with implementation, but there's good guidelines around what it is people need to do, and in what timeframes.

I guess that segues nicely in our in our conversation this afternoon, as to how our collaboration is helpful to companies in working through these challenges.

Thanks Colin and Haydn for framing the problem that needs to be solved for us so clearly. We’ll discuss how manufacturers can securely provision their connected devices and ensure the Internet of Things does not become the Internet of Broken Things in our next episode of The Critical Lowdown.

Glossary of Terms

  • Secure Thingz: Global domain experts in device security, embedded systems, and lifecycle management.
  • IoT: Internet of Things
  • PTSI: Product Security and Telecommunications Infrastructure
  • GDPR: General Data Protection Regulation
  • ETSI: European Conference of Postal and Telecommunications Administrations
  • EN 303 645: European Standard for Cyber Security for Consumer Internet of Things

Do you have semiconductors you need programmed?

Outsource your IC programming to EPS Global and remove the complexity and considerable time burden of programming from in-circuit test. This will allow you to introduce increased efficiencies on your production line and cost savings to your organization.

We are strategically located in all major automotive electronic clusters worldwide. Our state-of-the-art, fully automated systems will program, 3D coplanarity check, laser mark and tape & reel your product and we can guarantee rapid delivery to help you meet your production deadlines.


Related Posts