Secure-by-Design Is Security In The Production Process

The new ‘Internet of Things’ world is characterized by millions upon millions of connected devices. With more insecure devices and network access points than ever before, ‘Secure-by-Design’ principles are essential for protecting against growing cyber security threats.

Internet-of-Things (IoT) world

Over the last few years, digital technologies have transformed the world, affecting all sectors of business activity and daily life. The result is an Internet-of-Things (IoT) world, where everything is instrumented and interconnected.

By the end of 2018, there were an estimated 22 billion IoT-connected devices in use around the world. Forecasts suggest that this figure will increase to 50 billion by 2030, creating a massive web of interconnected devices. To support this highly connected future, thousands of Internet-of-Things (IoT) devices are connected to networks every day.

Additionally, appetite for new features and functionality has created a ‘need for speed’ in terms of the development and deployment of new types of devices.

Integration of AI and ML into IoT-connected devices

Many IoT-connected devices are now highly complex, incorporating advanced AI algorithms Many IoT-connected devices are now highly complex, incorporating advanced AI algorithms and other next-generation features. IP-based video security cameras are a good example of this.

Over the last 15 years, they have evolved from simple analog video cameras into complex, fully digitalized IoT devices driven by Machine Learning (ML) and Artificial Intelligence (AI). Like other types of devices, evolution has been driven by customer demands for improved functionality and connectivity. This demand also created urgency in the development process, with providers competing to offer the most advanced features as fast as possible to win customers and market share.

Balancing development speed with security considerations

The race to develop more feature-rich, more connected IoT devices has fulfilled customers’ operational needs, but there have often been compromised in terms of security.

After all, building security into all aspects of the production process takes time – a precious resource that is not always available. Because of time pressures, several device manufacturers have opted for development and production speed over security.

Global spike in IoT cyber security incidents

The consequences of speed over security have been an enormous increase in serious IoT cyber security incidents. Cybercriminals have been able to access millions of IoT devices relatively easily, simply because these devices were not developed and produced with security-in-mind.

By the end of 2016, for example, the Mirai Botnet had become world news and IoT security started to get some serious attention. This is a clear example of what can go wrong when insecure IoT devices like baby monitors, network routers, agricultural devices, medical devices, home appliances, DVRs, cameras, or smoke detectors are connected to the internet without proper security provision. In the case of Mirai, attackers were able to hack into millions of insecure IoT devices, in this case, cameras.

They then used the combined computer power of the devices to launch targeted DDoS (Distributed Denial of Service) internet attacks.

Lack of cyber defenses in ageing firmware

Often IT departments are not even aware of all these devices on their networks Unfortunately, many more cyber incidents with IoT devices have happened since 2016 and continue to happen every day. Security researchers from F-Secure issued a warning in 2019 that cyber-attacks on IoT devices are growing at an unprecedented rate.

They measured ‘a three-fold increase in attack traffic to more than 2.9 billion events.’ In the research, this growing threat was attributed, in part, to ‘a basic lack of defenses in ageing firmware or architectures and part down to a lack of info-security housekeeping’. Often IT departments are not even aware of all these devices on their networks. 

Critical importance of ‘Secure-by-Design’ production

One key way to prevent damaging attacks on IoT devices is to improve the defenses of these devices.

Unfortunately, it is extremely hard to add effective security after the IoT device is produced and/or installed. Instead, the most effective way to prevent breaches is to implement security during device production, often known as ‘Secure-by-Design’ production. Secure-by-Design is about building security into every stage of the production process, from the conceptual phase to the final delivery phase – as shown in the graphic below:

Secure-by-Design is to building security into every stage of the production process

In the conceptual phase, security requirements are defined – In the design phase, a security architecture is developed for the product design, in the development phase, software code review and code scanning will take place, in the verification phase, pen-testing is executed and in the delivery phase, security training and technical support are provided.

All these security measures in the production process improve the cyber resilience of a video security camera and make costly cyber security improvements afterwards unnecessary.

Making ‘Secure-by-Design’ an organizational priority

Secure-by-Design requires manufacturers to be open to penetration testing (pen testing) by third parties There are several prerequisites for manufacturers who want to integrate Secure-by-Design principles into all aspects of their production process. First, there needs to be commitment at an organizational level to invest in the security of each product.

This may have an impact on production costs, but it will also dramatically improve the security and credibility, and therefore value, of products by providing certain security assurances to customers. As an additional requirement, Secure-by-Design requires manufacturers to be open to penetration testing (pen testing) by third parties, once the devices are designed, manufactured, and operational. This ensures that products are able to withstand new and emerging cyber security threats, as well as existing ones.

Bolstering cyber security

Ultimately, Secure-by-Design principles require manufacturers to be truly serious about bolstering their cyber security and protecting their customers against security breaches.

This is the case at Hikvision, where the use of ‘Secure-by-Design’ principles is carried out to minimize the risk of damaging cyber security attacks across the product range.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *