IoT security Archives - IoT Business News https://iotbusinessnews.com/tag/iot-security/ The business side of the Internet of Things Fri, 17 Nov 2023 10:43:10 +0000

Nurturing IoT’s Safety Net: Can the ‘Cyber Trust Mark’ Weather the Fragmented Storm? https://iotbusinessnews.com/2023/11/16/75645-nurturing-iots-safety-net-can-the-cyber-trust-mark-weather-the-fragmented-storm/ Thu, 16 Nov 2023 16:39:37 +0000

By Shiri Butnaru, Head of Marketing, SAM Seamless Networks.

Since the founding of our company, SAM has welcomed efforts by government agencies and regulators worldwide to raise consumer awareness about cybersecurity in the IoT space. These efforts benefit both consumers and the network operators connecting them to the digital world. Consumers benefit by being better informed about an IoT product’s security attributes at the “point of sale” and operators benefit as this increased awareness amongst consumers will make it easier to develop and sell new network-based security services.

The latest development comes from the United States, where the White House has introduced the “Cyber Trust Mark” program. This program aims to certify IoT devices bearing the label, ensuring they meet essential security attributes safeguarding consumers’ networks and device data. While voluntary, this initiative, led by the Federal Communications Commission, is set to begin implementation in 2024. This is part of an initiative that includes a collaboration between the White House and the National Institute of Standards and Technology (NIST) to establish cybersecurity standards tailored to routers.

These moves will have a positive impact on the IoT ecosystem on a variety of levels. Yet, while product labels will increase consumer awareness and education, they cannot address the ongoing evolution and fragmentation of IoT devices. Thousands seemingly hit the market each year, making “constant” security unattainable. Even a seemingly secure device could falter over time without proper software updates, which, in reality, the average consumer does not install.

This fact is part of a trend that has led to a situation where most home and small business devices and networks lack adequate protection. This vulnerability arises for various reasons, including the widespread use of consumer electronics devices that have become connected IoT devices through home routers. While some vulnerabilities may only be an inconvenience for some users, others can open the door to malicious activities. One of the most pressing challenges in the realm of IoT is the sluggish discovery-to-patching process by firmware vendors, leaving users exposed indefinitely. This issue highlights a critical gap in home security, where the timely resolution of IoT vulnerabilities should be a requirement, not a “luxury.”

However, for consumer electronics in general, it takes time to create a fix, to test it in the field and then to distribute it. And for IoT devices, it’s a different matter altogether, as numerous devices have minimal security and no ongoing security patch program. Or the devices are no longer on the market at all. This condition creates a significant window of opportunity for hackers who are well aware of these vulnerabilities and often have ample time to exploit them before the vendors issue a remedy, leaving end users vulnerable to attacks. Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app on the smartphone. Others, however, need to be updated manually – a lengthy and quite complicated process for even those who are tech savvy.

Katherine Gronberg, Head of Government Services at NightDragon, who works frequently with NIST and the White House on matters relating to IoT security, has commented: “With the explosion of IoT devices available from a wide variety of sources, consumers have until now not had any help in deciding what to buy or even to be mindful of security. The Cyber Trust Mark will allow consumers to identify products that have been designed and manufactured according to secure development guidelines and that offer some basic security features, most of which will likely not require any actions by the device user. While this program doesn’t apply to IoT devices that are already in use today, it will create a more informed customer and may make other parties in the ecosystem such as retailers or ISPs more conscious of the problem and might motivate them to take action.”

One action that the industry has seen recently is a renewed focus on routers, as seen in a recent security advisory issued by the US NSA, in which one of its recommendations was for consumers to exchange ISP-issued routers for ones they would purchase themselves. And there is another router-focused technique that more and more ISPs are using to help their customers with IoT network security, namely the “hot patching” measure, which uses a router-based software agent to provide protection for the router itself and every device connected to it.

Hot patching is designed as a “one stop” protection program in which an ISP would download an agent to a router to provide constant real-time monitoring and alerts. Hot patching is based on what is known as “deep packet inspection,” or DPI, which is a well-known and long-standing technique wherein the payload of packets traversing a data network is inspected and analyzed. The result empowers consumers with comprehensive router and device security, eliminating vulnerability monitoring and patching complexities.

While security labeling undoubtedly enhances consumer awareness and overall IoT security, the quest for constant security calls for a gateway-based solution. Such a solution can act as the ultimate backstop to industry and government initiatives, securing IoT devices and the connecting network.

Therefore, we believe the “Cyber Trust Mark” program will certainly be a great benefit for the consumer or “end user.” The increased awareness about IoT security that it raises also gives ISPs an excellent opportunity to play a more proactive role, one that will be welcomed by their customers and that will increase IoT network security in meaningful ways.

The Regulatory Landscape for IoT: Navigating the Complexities of a Connected World https://iotbusinessnews.com/2023/11/13/84084-the-regulatory-landscape-for-iot-navigating-the-complexities-of-a-connected-world/ Mon, 13 Nov 2023 10:18:41 +0000

By Marc Kavinsky, Lead Editor at IoT Business News.

The Internet of Things (IoT) represents a transformative shift in the way we interact with technology. As physical devices around us become increasingly connected, they offer new levels of efficiency, automation, and convenience. However, this rapid advancement and ubiquity of IoT devices also raise significant regulatory challenges. This article explores the evolving regulatory landscape for IoT, addressing the need for standards, privacy concerns, security risks, international coordination, and the path forward.

Understanding IoT’s Expansion and the Need for Regulation

The IoT ecosystem encompasses a broad range of devices, from smart home appliances and wearables to industrial sensors and smart city technologies. According to Gartner, the number of connected devices will reach over 25 billion by 2025. This expansion is not just quantitative but also qualitative, as IoT technology becomes more complex and integral to various aspects of life and business.

Regulation is crucial in this context to ensure these devices are safe, secure, and respectful of user privacy. However, the unique characteristics of IoT – including its diversity, the volume of data it generates, and its cross-industry applications – pose significant regulatory challenges.

Data Privacy and Protection in IoT

Data privacy is a paramount concern in IoT. These devices often collect sensitive personal information, which can include location data, health metrics, and even personal habits. Ensuring the privacy and security of this data is crucial.

The European Union’s General Data Protection Regulation (GDPR) sets a precedent for data privacy, including provisions that affect IoT. It mandates strict data handling procedures and grants individuals rights over their data. Similarly, the California Consumer Privacy Act (CCPA) in the U.S. provides consumers with rights over their personal information collected by businesses.

However, these regulations often face challenges in enforcement and applicability, particularly with devices that cross international borders. The diverse nature of IoT devices also means that a one-size-fits-all approach to data privacy may not be feasible.

Security Concerns and Standards

IoT security is another critical area of regulatory focus. The interconnectedness of IoT devices creates a broader attack surface for cyber threats. The Mirai botnet attack in 2016, which utilized unsecured IoT devices to launch large-scale distributed denial-of-service (DDoS) attacks, highlighted the potential consequences of inadequate IoT security.

Regulatory efforts in IoT security include the development of standards and guidelines. For instance, the National Institute of Standards and Technology (NIST) in the U.S. has published a series of documents offering guidance on IoT cybersecurity. The UK government has also introduced a code of practice for consumer IoT security and is working on legislation to enforce basic security requirements for IoT devices.

International Coordination and Compliance Challenges

The global nature of IoT poses significant challenges for regulatory compliance. IoT devices often cross international borders, and data collected by these devices can be stored and processed in different countries. This scenario necessitates a coordinated international regulatory approach.

Efforts in this direction include the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) working on international standards for IoT. These global standards aim to provide a common framework that can be adopted by different countries, fostering interoperability and easing compliance challenges.

Consumer Protection and Transparency

With IoT devices becoming a staple in consumer electronics, there’s a growing need for regulations that protect consumers. This includes ensuring that IoT devices are safe, reliable, and do not engage in unfair or deceptive practices.

Transparency is also crucial. Consumers need to be informed about what data their devices are collecting and how it’s being used. The U.S. Federal Trade Commission (FTC) has been active in enforcing transparency and has brought cases against companies that fail to adequately disclose their data practices.

The Road Ahead: Adaptive and Inclusive Regulation

As IoT continues to evolve, so too must its regulatory framework. This requires a balance between fostering innovation and protecting public interests. Adaptive regulation that can evolve with technology is key, as is the inclusion of various stakeholders in the regulatory process. This includes not just governments and industry, but also consumer groups, academia, and civil society.

Engaging in ongoing dialogue and partnership can help address the dynamic challenges IoT presents. It is also important to foster public awareness and education about IoT, empowering consumers to make informed decisions and advocate for their interests.

Conclusion

The regulatory landscape for IoT is complex and multifaceted, reflecting the diverse and rapidly evolving nature of the technology itself. Effective regulation requires a nuanced approach that addresses privacy, security, international coordination, and consumer protection. As IoT devices become more ingrained in our daily lives, the importance of robust, flexible, and forward-looking regulation cannot be overstated. The future of IoT is not just about technological innovation but also about creating a regulatory environment that supports sustainable and responsible growth.

Fortifying the Internet of Things: Navigating the Landscape of IoT Security Protocols https://iotbusinessnews.com/2023/11/07/69553-fortifying-the-internet-of-things-navigating-the-landscape-of-iot-security-protocols/ Tue, 07 Nov 2023 14:26:47 +0000

In the ever-expanding universe of the Internet of Things (IoT), security is not just a feature but a foundational necessity. With billions of devices connected and communicating, the potential for data breaches, unauthorized access, and other cyber threats grows exponentially. In this context, IoT security protocols are essential to ensure that the communication between devices, and from devices to servers, remains confidential and tamper-proof. Here, we explore the current landscape of IoT security protocols, the challenges they face, and the future direction of securing IoT networks.

The Current State of IoT Security Protocols

IoT devices, ranging from consumer products like smart thermostats to industrial sensors monitoring critical infrastructure, are often built with convenience and cost-effectiveness in mind. However, this focus can sometimes come at the expense of robust security measures. The protocols governing the security of these devices are as varied as their applications.

1. Transport Layer Security (TLS) and Secure Sockets Layer (SSL): TLS and its predecessor, SSL, are cryptographic protocols designed to provide secure communication over a computer network. In the IoT space, TLS/SSL is commonly used to secure the connection between a device and a cloud server, ensuring that data remains private and is not altered in transit.

2. Datagram Transport Layer Security (DTLS): For IoT devices that rely on UDP, which is common in real-time applications, DTLS offers a way to secure these communications. It is similar to TLS but adapted for datagram protocols.

3. Extensible Messaging and Presence Protocol (XMPP): XMPP is an open standard for message-oriented middleware based on XML. It offers a set of protocols for message-oriented communication with mechanisms for security.

4. Constrained Application Protocol (CoAP): CoAP is a specialized web transfer protocol for use with constrained nodes and networks in IoT. It can be used with DTLS to provide a secure communication channel.

5. Z-Wave and Zigbee: These are low-power wireless communication protocols often used in home automation, with built-in security layers to encrypt messages between devices.

6. Message Queuing Telemetry Transport (MQTT): MQTT is a popular IoT publish-subscribe network protocol that can be secured with TLS.

Challenges Facing IoT Security Protocols

The challenges in IoT security are manifold, stemming from both the variety of devices and the complexity of the network architectures. Here are the key challenges:

1. Resource Constraints: Many IoT devices have limited computational resources and cannot support traditional web-grade encryption methods.

2. Diversity of Devices: The IoT ecosystem is vast, with a wide range of devices that have different capabilities and security needs.

3. Scalability: Security protocols must be able to scale effectively as billions of new devices come online.

4. Lifecycle Management: IoT devices often have long lifecycles, and security protocols must be updatable to respond to new threats over time.

5. Interoperability: With so many different protocols and manufacturers, ensuring that security measures are interoperable across devices and systems is a challenge.

Advanced Security Protocols for IoT

As the IoT industry evolves, so do the strategies to secure it. Here are some advanced protocols and techniques being developed and implemented:

1. Lightweight Cryptography: NIST is working on standards for lightweight cryptography intended for constrained devices, which will be more suitable for the IoT environment.

2. Public Key Infrastructure (PKI): PKI provides a scalable method for secure device authentication and encryption key distribution.

3. Elliptic Curve Cryptography (ECC): ECC provides the same level of security as RSA but uses smaller keys, which are more suitable for IoT devices.

4. Quantum-resistant algorithms: With the potential threat of quantum computing, there’s a growing focus on developing security algorithms that would be resistant to quantum attacks.

5. Secure Software Updates: Ensuring that devices can be securely updated is crucial for responding to vulnerabilities as they are discovered.

Implementing IoT Security Protocols

The implementation of robust security measures is as critical as the development of the protocols themselves. Here are key considerations for implementation:

1. Default Security: Devices should come with security features enabled by default, requiring little to no configuration from the user.

2. Regular Updates: Manufacturers must provide regular firmware updates to address security vulnerabilities and ensure devices stay secure over their lifespan.

3. User Education: Users should be informed about the importance of security and how to manage their devices securely.

4. Multi-layered Security: Security should be implemented in layers, including secure boot, transport layer security, secure storage, and intrusion detection systems.

The Future of IoT Security

Looking forward, the IoT industry must continue to prioritize security to protect against evolving cyber threats. Here are potential future developments:

1. AI and Machine Learning: These technologies can be used to detect anomalies in network behavior, potentially identifying and neutralizing threats in real-time.

2. Blockchain for IoT Security: Blockchain technology could enable secure, tamper-proof systems for IoT device authentication and firmware updates.

3. Integration of Security in IoT Standards: As new IoT standards are developed, integrating security as a core component will be crucial.

4. Government Regulation and Compliance: We may see more government regulation aimed at improving IoT security, similar to the GDPR for data protection.

5. Universal Security Standards: Efforts may be put toward creating universal security standards that can be applied across devices and industries.

Conclusion

The complexity of IoT security is significant, and the stakes are high. As the IoT continues to grow, effective security protocols must be developed and implemented to protect privacy and ensure the safe and reliable operation of connected devices. The future of IoT depends not just on innovation in connectivity and functionality but equally on the strength and adaptability of its security protocols. The journey toward a secure IoT ecosystem is ongoing, and it requires the concerted effort of manufacturers, software developers, security experts, and regulatory bodies.

New Global Survey Reveals 97% of Organizations Face Challenges Securing IoT and Connected Devices https://iotbusinessnews.com/2023/10/10/86570-new-global-survey-reveals-97-of-organizations-face-challenges-securing-iot-and-connected-devices/ Tue, 10 Oct 2023 14:00:31 +0000

Findings indicate that leveraging PKI solutions effectively is key to solving IoT security challenges

Keyfactor, the identity-first security solution for modern enterprises, and Vanson Bourne today released findings from an independent survey and analysis that examines the state of IoT security for both manufacturers and end users.

The report, “Digital Trust in a Connected World: Navigating the State of IoT Security,” reveals concerns and challenges modern businesses face when establishing digital trust in today’s connected world, and shows nearly all organizations (97%) are struggling to secure their IoT and connected products to some degree. The research survey also found that 98% of organizations experienced certificate outages in the last 12 months, costing an average of over $2.25 million.

“Organizations worldwide are under mounting pressure to ensure their IoT and connected devices are protected while navigating an increasingly complex digital landscape that requires complete trust,” said Ellen Boehm, Senior Vice President, IoT Strategies and Operations at Keyfactor.

“The results of this survey demonstrate the importance of identity-first security for those who manufacture IoT devices and those who deploy and operate them in their environment to establish digital trust at scale. Most organizations implement PKI solutions in their IoT security strategy, which is a huge step in the right direction. However, it’s clear that with 97% of organizations facing IoT security challenges, security teams are struggling to leverage their tools efficiently.”

“Ensuring that IoT device security is managed throughout its lifecycle will go a long way in both eliminating costly certificate outages and enhancing the long-term viability of IoT within the enterprise.”

The costly outages organizations have faced in the past year are not the only expense of inefficient IoT security. The report found that 89% of respondents’ organizations that operate and use IoT and connected products have been hit by cyber attacks at an average cost of $250K. Furthermore, in the past three years, 69% of organizations have seen an increase in cyber attacks on their IoT devices. The March attack on Amazon’s Ring that exfiltrated sensitive customer data such as recorded footage and credit card numbers is an example of the increase in IoT attacks.

“Many IoT security strategies fail to prevent and protect against IoT-targeted cyber attacks because organizations lack the proper education and support needed to fully understand the task at hand,” said Boehm. “Over half of respondents agree that their organization doesn’t have the proper awareness and expertise to prepare for IoT device cyber attacks, spotlighting the need for more guidance to fully secure their devices. Organizations can’t protect against what they cannot understand.”

Other key themes and findings from the report include:

  • Proliferating growth of IoT devices and connected products in organizations: In the past three years, respondents reported a 20% average increase in the number of IoT and connected products used by organizations.
  • IT professionals are not fully confident in the security of their IoT and connected devices: Most organizations (88%) agree that improvements are needed in the security of IoT and connected products in use within their organization, with over a third (37%) of respondents reporting that significant improvement is needed and 60% reporting that some improvement is needed. When it comes to specific strategies, 4 in 10 organizations report that they strongly agree they would benefit from using a PKI to issue digital identities on the IoT and IIoT devices in their environment.
  • IoT security budgets are increasing but are being used to cover staggering costs from certificate outages: While budgets for IoT device security are increasing year over year, with an anticipated increase of 45% in the next five years, half (52%) of that budget is at risk of being diverted to cover the cost of successful cyber breaches on IoT and connected products.
  • Organizations and manufacturers are split on who is responsible for IoT security: Of the respondents surveyed, 48% believed that the manufacturer of IoT or connected devices should be at least mostly responsible for cyber breaches on their products.

The study was conducted by Vanson Bourne on behalf of Keyfactor with responses from 1,200 IoT and connected product professionals across North America, EMEA, and APAC. All respondents had some responsibility or knowledge of IoT or connected products within their organization, and included original equipment manufacturers (OEMs) and those who are using and operating connected devices within their organization.

October: Cybersecurity Awareness Month and the Imperative of IoT Security https://iotbusinessnews.com/2023/09/28/75464-october-cybersecurity-awareness-month-and-the-imperative-of-iot-security/ Thu, 28 Sep 2023 11:48:39 +0000

October, recognized globally as Cybersecurity Awareness Month, is a timely reminder of the ever-present threats in the digital realm.

It underscores the importance of fortifying our digital defenses, especially in the corporate environment where the stakes are high. As businesses increasingly integrate Internet of Things (IoT) devices into their networks, this month’s spotlight is on the significance of a detailed cybersecurity strategy for these devices.

The Growing Threat Landscape

The allure of IoT devices lies in their ability to enhance operational efficiency, offer real-time data, and improve overall business processes. However, this interconnectedness also presents a double-edged sword. If left unsecured, each device can be a potential entry point for cybercriminals.

Hackers are becoming more sophisticated, leveraging advanced techniques to exploit vulnerabilities in IoT devices. From Distributed Denial of Service (DDoS) attacks using botnets of compromised IoT devices to data breaches that siphon off sensitive information, the threats are multifaceted and evolving. A single breach can result in significant financial losses, reputational damage, and operational disruptions.

The Perils of Unapproved IoT Devices

One of the growing concerns for businesses is the proliferation of unapproved IoT devices within their networks. In their quest for convenience or enhanced functionality, employees might plug in devices that have not yet undergone rigorous security vetting. These devices, often with weak default passwords or outdated firmware, can become easy targets for hackers. It’s not just about the immediate threat of a breach. These devices can be co-opted into larger botnets, used in more extensive attacks, or even act as silent listeners, collecting data over time and sending it to malicious actors.

This is why businesses need stringent policies in place. Employees should be educated about the risks of using unapproved devices and the potential consequences for the entire organization. A clear policy, combined with regular audits and checks, can significantly reduce the risk these rogue devices pose.

The Need for a Comprehensive IoT Security Strategy

Given the expanding threat landscape, it’s clear that more than a piecemeal approach to IoT security will be required. Businesses need a comprehensive strategy that encompasses:

  • Device Authentication and Authorization: Every device connecting to the network should be authenticated. This ensures that only approved devices can connect and interact with the network.
  • Regular Updates: IoT devices should be regularly updated with the latest firmware and security patches. This can address known vulnerabilities and protect against known attack vectors.
  • Network Segmentation: IoT devices should be on a separate network segment. This ensures that even if a device is compromised, the attacker can’t quickly move laterally across the corporate network.
  • Real-time Monitoring: With advanced threat detection systems, any unusual activity can be detected in real-time, allowing for swift remedial action.
  • Employee Training: Employees should be trained to recognize potential threats, understand the importance of using approved devices, and know the latest best practices in IoT security.

Industry Leaders Weigh In on IoT Security

As businesses grapple with IoT security challenges, industry leaders’ insights provide valuable perspectives on the path forward.

Ashu Bhoot of Orion Networks remarks, “The adoption of IoT has accelerated the digital transformation journey for many businesses. However, this rapid integration has also exposed many to vulnerabilities they weren’t prepared for. At Orion Networks, we believe that a proactive approach and continuous education are the keys to staying ahead of potential threats.”

Aaron Kane of CTI Technology offers a forward-looking perspective: “The future of business is undeniably intertwined with IoT. But as we embrace this future, we must also be cognizant of the security implications. At CTI Technology, we focus not only on providing solutions but also on empowering our clients with the knowledge and tools they need to secure their digital ecosystems.”

Jorge Rojas of Tektonic Managed Services emphasizes the collaborative approach, noting, “IoT security is not a challenge that businesses should face alone. It requires collaboration between service providers, device manufacturers, and businesses. At Tektonic Managed Services, we’re committed to fostering this collaborative spirit, ensuring our clients access the best security solutions and practices in the industry.”

These insights from industry leaders underscore the collective responsibility and collaborative approach required to address the challenges of IoT security. As businesses continue integrating IoT devices into their operations, partnering with knowledgeable and proactive IT service providers will be crucial in navigating the complex landscape of IoT security.

Conclusion

As we observe Cybersecurity Awareness Month, the focus on IoT security has never been more critical. Integrating IoT devices brings immense benefits but also introduces vulnerabilities that cybercriminals can exploit. By understanding the threats, implementing robust policies, and adopting a comprehensive security strategy, businesses can harness the power of IoT while ensuring that their networks remain secure.

Cellular IoT module market Q2 2023: 66% of IoT modules shipped without dedicated hardware security https://iotbusinessnews.com/2023/09/21/12441-cellular-iot-module-market-q2-2023-66-of-iot-modules-shipped-without-dedicated-hardware-security/ Thu, 21 Sep 2023 15:33:34 +0000 https://iotbusinessnews.com/?p=40354

Cellular IoT module market Q2 2023: 66% of IoT modules shipped without dedicated hardware security

By the IoT Analytics team.

IoT Analytics, a leading provider of market insights and strategic business intelligence for the Internet of Things (IoT), has published its latest research on the global cellular IoT module and chipset market for Q2/2023.

The report reveals that 66% of IoT modules shipped in Q2 2023 had no dedicated hardware security and 29% had no security features at all, exposing them to potential risks and vulnerabilities.

The research analyzes the security features of 772 unique modules from 36 vendors and 150+ chipsets from 13 vendors that IoT Analytics tracks. It shows that only 30% of the modules available on the market had dedicated hardware security features. Additionally, the article highlights the differences between the global and North American markets, where the latter has a higher share of non-dedicated hardware security features, such as TrustZone or secure boot.

KEY QUOTES:

Commenting on the importance of IoT security, Principal Analyst Satyajit Sinha noted:

“As cybercrime operates much like a business, criminals invariably opt for the path of least resistance. Implementing multiple layers of security increases the time and cost required for hackers to breach a system, thus making it more likely for them to abandon the effort and seek out less well-protected targets.”

Mr. Sinha added, “Cellular IoT modules are crucial for connectivity in IoT devices across industries. They provide a vital connection to the internet and are managed remotely. Ensuring their security is vital for safeguarding the broader IoT ecosystem.”

KEY INSIGHTS:

  • The cellular IoT module market was stagnant in Q2’23 according to IoT Analytics’ latest data.
  • Although IoT modules with dedicated security features are increasingly adopted, 66% of IoT modules shipped in Q2’23 had no dedicated hardware security and 29% had no security features at all.
  • Recent demonstrations of vulnerabilities in non-dedicated hardware security features should drive the market further towards hardware-based security. Post-quantum cryptography is also an important consideration in IoT module security.

graphic: cellular iot modules 2018-2023: the rise of hardware security

Updated cellular IoT module market

29% of cellular IoT modules shipped in Q2 2023 had no dedicated security features and only 34% had hardware-based security. Overall, the shipment and revenue of the $6.7 billion market (2022) remained generally flat in Q2’23 quarter-over-quarter, with 0% shipment and 0% revenue growth. Reasons for this stagnation include a weakened demand environment, which we discussed in our Q1’23 analysis of the cellular IoT module market.

IoT module security at the center of attention

With markets stagnating, we are putting a spotlight on cellular IoT module security by looking at the security features of 772 unique modules from 36 vendors and 150+ chipsets from 13 vendors that we track. IoT module security is of particular interest right now in light of the US Congress’ 7 August 2023 letter to the US Federal Communications Commission (FCC) regarding potential security risks of using Chinese cellular IoT modules.

Our analysis of the updated tracker and forecast shows the following breakdown of IoT module security features out of the aforementioned modules/chipsets available on the market in Q2’23:

  • 30% had dedicated hardware security features, often embedded in chipsets or standalone components implemented through hardware security modules
  • 42% had non-dedicated hardware security features, or features used to either create secure environments for processes to run or ensure only authorized firmware is loaded on the device
  • 28% had no security features

However, the share of purchased/shipped modules with these security classifications in Q2’23 differs, with a significant difference between the global and North American markets as well:

Module security type            | Global market | North American market
Dedicated hardware security     | 34%           | 24%
Non-dedicated hardware security | 37%           | 68%
No security                     | 29%           | 8%

While the global market shows a relatively balanced share of these three categories, the North American market skews heavily toward non-dedicated hardware security features. The low share of cellular IoT modules without security features in the North American market indicates that module security is a concern for its consumers, though there appears to be a reliance on non-dedicated hardware security features, such as TrustZone or secure boot.

This indication is consistent with recent concerns that the US Congress expressed to the FCC regarding the security of Chinese-made cellular IoT modules within US infrastructure (either directly or as part of the manufacturing supply chain), such as FirstNet Authority networks and devices used by first responders across the country (Quectel and Fibocom have published press releases responding to the US Congress’s concerns in early September 2023).

Why dedicated hardware security is the way forward amid supply chain concerns

Software and network security solutions have historically overshadowed dedicated hardware security features in IoT since they are more visible and easier to address, while dedicated hardware security features can be more complex and costly to implement. An alternative to software and network security solutions is the use of non-dedicated hardware security features, such as ARM’s TrustZone, which creates a secure environment for processes to run, and secure boot, which ensures systems boot without intrusions.

Unfortunately, researchers recently demonstrated side-channel attacks against TrustZone during the Black Hat Asia 2023 conference. For its part, ARM responded to this demonstration by stating that the attack is not unique to ARM’s Cortex-M architecture or TrustZone; rather, it is a failure in application code, and such attacks “may apply to any code with secret-dependent control flow or memory access patterns.” However, such attacks, whatever core system they target, demonstrate that adding dedicated hardware security solutions to these non-dedicated hardware security solutions can enhance the overall security of a module.

Shahram Mossayebi, Ph.D., founder and CEO of Crypto Quantique, explained the following to IoT Analytics when asked about cellular IoT module security:
“[W]e rely on security features such as TrustZone, but to achieve trust, we need to go beyond them. A root of trust is a set of cryptographic features (which soon must be quantum secure) for encryption, digital signature, and device identity. The hardware root of trust is the foundation for building trust with any IoT [device] and it is a crucial part of hardware security.”

With a hardware-based root of trust, manufacturers and consumers can ensure the authenticity of the modules—helping to address cloning and counterfeiting—and protection of the device’s keys. Once manufacturers can guarantee the authenticity and security of these keys, they can add additional security components like TrustZone and secure boot.

Where hardware security should be implemented

Implementing security measures at the device level during manufacturing is a foundational step, aiding in establishing device authenticity and partially curbing the infiltration of counterfeit components in the supply chain. However, this strategy only offers a partial solution since vulnerabilities still exist, particularly in the potential theft and cloning of device identities within supplier factories. Thus, an even more nuanced approach is required to bolster the defenses against such nefarious activities that seek to undermine the system from its very core.

To combat these risks more effectively, embedding hardware security at the MCU level within typical modules is highly recommended. This strategic positioning not only presents a formidable barrier against cloning and counterfeiting issues but also fosters the establishment of secure authentication protocols and the creation of unique device identities. Secure MCUs can provide a seamless integration of essential security features, such as robust authentication processes, potent encryption capabilities, and secure boot functionalities. These functionalities come together to create a fortified environment, essential for the optimal functioning of connected IoT applications, thereby ensuring a safer, more reliable network where devices can communicate and operate with an enhanced level of security and trust.

IoT module security outlook: Post-quantum security is becoming crucial for IoT

Currently, the general life span of most IoT devices is 8–12 years, with automotive 5G module applications lasting 10–15 years. With these long life spans, when building cellular IoT modules, it is essential that manufacturers look beyond current threats; specifically, they should start planning for the commercialization of quantum computing and the potential for state actors and cybercriminals to crack complex, commonly used encryption methods.

In October 2019, Google announced quantum supremacy in the journal Nature with its 54-qubit Sycamore processor, which Google claims was able to perform a complicated task in 200 seconds that would take the world’s most powerful supercomputer 10,000 years to perform. Many countries and companies are also advancing with quantum computing, such as the Chinese Academy of Sciences and QuantumCTek, a quantum information technology developer. Other Google competitors, such as IBM, Microsoft, Amazon, and Intel, along with several new startups, have all invested heavily in developing quantum computing hardware in recent years.

While quantum chips have not reached widespread commercialization yet, manufacturers can start considering quantum security solutions today. Governments are already looking at standards and quantum-proofing solutions for their agencies and companies, and the following are just some examples:

  • In January 2022, the French National Agency for IT Systems Security (ANSSI) published its views and recommendations for PQC transition, offering a 3-phase process expected to last at least until 2030.
  • In July 2022, the US Department of Commerce’s National Institute of Standards and Technology (NIST) announced its selection of four quantum-resistant cryptography algorithms, constituting “the beginning of the finale of the agency’s post-quantum cryptography (PQC) standardization project,” which NIST expects to complete and publish in 2024.
  • In August 2023, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and NIST published a PQC migration readiness sheet to help the government and private sector start planning their quantum readiness.

Further, some companies are already developing post-quantum solutions. For example, Thales Group offers 5G security solutions with end-to-end encryption and authentication to safeguard organizational data as it moves across front-haul, mid-haul, and back-haul operations. These solutions rely on Thales’ 5G Luna Hardware Security Modules (HSMs). Further, in February 2023, Thales Group announced that it successfully piloted what it called a post-quantum resilient, end-to-end encrypted call using its Cryptosmart mobile app and its 5G SIM.

What it means for cellular IoT module manufacturers

5 key questions that cellular IoT module manufacturers should ask themselves based on the insights in this article:

    1. Product strategy and security implementation: How can we realign our product strategy to prioritize the implementation of dedicated hardware security features without significantly escalating costs?
    2. Response to political and legislative changes: How are we positioning ourselves to address the potential political and legislative changes affecting the market, particularly concerning the US Congress’s concerns regarding Chinese cellular IoT modules?
    3. Security standards and compliance: Are we in line with the recent security standards and guidelines issued by agencies like ANSSI, NIST, and NSA, and are we preparing for the expected security transitions in the coming years?
    4. Consumer education and advocacy: How can we educate consumers on the importance of dedicated hardware security features and advocate for a broader shift towards these in the market?
    5. Post-quantum security solutions: Are we collaborating with communications companies and other stakeholders to develop and pilot post-quantum security solutions that can safeguard organizational data across various operations effectively?

What it means for users of cellular IoT modules

5 key questions that device/equipment makers and end users that adopt cellular IoT modules should ask themselves based on the insights in this article:

    1. Security implementation: Given the demonstrated vulnerabilities in non-dedicated hardware security features, what strategies should we adopt to integrate dedicated hardware security features without escalating costs significantly?
    2. Compliance and legislation: In light of the concerns raised by the US Congress regarding the use of Chinese cellular IoT modules, how can we ensure compliance with evolving regulations and maintain the trust of our North American consumers?
    3. Post-quantum security: Given the advancements in quantum computing, what steps should we take to incorporate post-quantum security solutions in our cellular IoT modules, keeping in mind the projected long life span of these devices?
    4. Research and development: How can we foster innovation in our R&D department to develop unique hardware security features that offer robust protection against present and future threats?
    5. Customer education: How can we educate our customers on the security features we use, building trust in the security of the devices they use?

The report is part of IoT Analytics’ Global Cellular IoT Module and Chipset Market Tracker & Forecast, which provides a quarterly look at the revenues and shipments of the companies providing IoT modules and chipsets for cellular IoT deployments. The tracker also includes a quarterly and annual forecast from Q3 2023 to 2027.

IoT Security Report Sheds Light on Hospitals’ Device Risks https://iotbusinessnews.com/2023/08/23/09897-iot-security-report-sheds-light-on-hospitals-device-risks/ Wed, 23 Aug 2023 16:50:03 +0000 https://iotbusinessnews.com/?p=40232

IoT Security Report Sheds Light on Hospitals' Device Risks

“Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk” details the challenges that hospital systems now face, and the increasingly urgent need for modernized risk mitigation.

Asimily, an Internet of Things (IoT) and Internet of Medical Things (IoMT) risk management platform, today announced the availability of a new report: Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk.

The full report highlights the unique cybersecurity challenges that healthcare delivery organizations (HDOs) face and the true costs of their IoT and IoMT security risks. HDOs have a low tolerance for service interruptions to network-connected devices and equipment because of their crucial role in patient outcomes and quality of care. Resource-constrained HDO security and IT teams continue to face operational difficulties in sufficiently securing critical systems from increasingly sophisticated attacks, as their vast and heterogeneous IoMT device fleets complicate management and, left unchecked, offer a broad attack surface. The report concludes that adopting a holistic risk-based approach is the most cost-efficient and long-term-effective path for HDOs to secure their critical systems and IoMT devices.

Among the key findings and analysis included in the new report:

  • Emerging cybersecurity trends and challenges: The report reveals the top cyberattack strategies impacting HDO medical devices right now: ransomware attacks that spread to devices and disrupt services, third-party-introduced malware that impacts device performance, and devices communicating with unknown IP addresses to enable remote breaches. Cyberattacks on healthcare providers have become remarkably common: the average HDO experienced 43 attacks in the last 12 months. Unfortunately, many of those attacks are successful, with 44% of HDOs suffering a data breach caused by a third party within the last year alone.
  • The high cost of doing nothing: For HDOs, today’s high-failure status quo can be catastrophic. Cyberattacks cost HDOs an average of $10,100,000 per incident. Worse, cyber incidents are directly responsible for a 20% increase in patient mortality. 64% of HDOs also reported suffering from operational delays, and 59% had longer patient stays due to cybersecurity incidents. Those financial and operational burdens are pushing many HDOs to the brink: the average hospital operating margin sits at 1.4% in 2023. Currently, more than 600 rural U.S. hospitals risk closure, in an environment where a single cyberattack can put a smaller HDO out of business.
  • Poor device health leads to poor outcomes: HDO security and IT teams face a high-risk environment where the average medical device has 6.2 vulnerabilities. Adding to this challenge, more than 40% of medical devices are near end-of-life and poorly supported (or unsupported) by manufacturers.
  • Cybersecurity resources and staffing are limited: Even when device vulnerabilities are recognized, HDO security teams are able to fix only 5-20% of known vulnerabilities each month.
  • Cyber insurance is no longer enough: As ransomware attacks and breaches have skyrocketed in recent years, cyber liability insurers are introducing coverage limits and capped payouts, making it a less and less effective recourse for HDOs. At the same time, cyber insurance also fails to address the costly reputational damage an HDO suffers following a breach.

“This report details the very current and very significant challenges that HDOs face in defending themselves from cybersecurity risk, and the profound need for holistic and optimized risk reduction strategies as they implement and scale a cybersecurity risk management program for their connected devices,” said Stephen Grimes, Managing Partner & Principal Consultant at Strategic Healthcare Technology Associates, LLC. “Asimily’s risk prioritization capabilities and clear device vulnerability scoring enable HDO security teams to overcome limited resources and accurately focus on remediating the greatest risks to their organizations, achieving a ten-fold increase in cybersecurity productivity. We invite HDO leaders and their cybersecurity risk managers to read and absorb the lessons of this report, and to take the steps necessary to mitigate IoMT device risks with the strategic efficiency and effectiveness these risks demand.”

“As a growing healthcare organization acquiring clinics and offering new services like ambulatory clinics, you have to stay in front of the risk,” said Kevin Torres, the VP of IT and CISO at MemorialCare, an Asimily customer and leading nonprofit health system in Orange County and Los Angeles County that includes four hospitals along with other specialized clinics. “You need to make sure that you’re effectively onboarding these environments and matching their security posture to yours. Using Asimily, we gained full visibility into connected IoT and IoMT devices and their associated vulnerabilities. Our security program achieved 98% NIST compliance while the average of 60 similar HDOs is 71%.”

Read the Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk here.

Addressing the trust gap between IoT design and development https://iotbusinessnews.com/2023/08/09/87540-addressing-the-trust-gap-between-iot-design-and-development/ Wed, 09 Aug 2023 16:57:35 +0000 https://iotbusinessnews.com/?p=40194

Addressing the trust gap between IoT design and development

By Ellen Boehm, SVP of IoT Strategy & Operations, Keyfactor.

The Internet of Things is everywhere, from weather sensors and industrial control systems to smart watches, refrigerators, and implanted medical devices. The number of IoT devices in use worldwide is expected to exceed 15 billion this year (three times the number of human users on the Internet), and will almost double that amount by 2030.

IoT devices hold so much potential for positive change – but their ability to connect objects, share information, and perform actions is precisely what makes them intensely vulnerable. The proliferation of devices creates a lot of risk, as the attack surface of connected devices expands to practically every level of society.

Given that IoT devices abound in applications for critical infrastructure, healthcare, and consumer use, it’s important to get IoT security right. Some of the most notable examples illustrating the vulnerabilities of IoT devices include compromised medical devices like cardiac devices and insulin pumps, and flawed wireless connections in cars that allowed a hacker to cut the brakes, shut off the engine, or take control of the steering. There are also chilling personal accounts, such as an incident where a compromised baby monitor let a hacker watch a baby and audibly threaten their parents with a kidnapping. Unfortunately, a recent survey by Pulse and Keyfactor found that while 62% of product and manufacturing leaders are concerned about their IoT device security, only 42% felt they had a clear strategy for securing device identities.

As often happens with new technology, the explosive growth of the IoT has outpaced security. But as IoT devices become even more commonplace, the risks increase significantly, even to the point of putting people’s lives at stake. IoT security must become a priority – and it’s every organization’s responsibility to take the necessary steps to ensure any IoT application or device in use is secure.

Prioritizing IoT Security at Every Step

Device manufacturers often have no clear security standard to work with, resulting in a lot of ambiguity and inconsistency in the market. That ambiguity can flow downstream, resulting in inconsistencies in authentication practices, ongoing security updates, and communications between connected devices. While there are changes afoot, such as the Matter smart home standard, efforts to establish minimum security standards for IoT devices are not yet widespread enough.

To overcome the growing risks associated with IoT devices, organizations need to take the same type of approach that is applied to software development—introducing security early in the development process, and prioritizing it every step of the way thereafter. With this mindset, teams can create trusted device identities, ensure data confidentiality, and maintain the integrity of the data and firmware running on each device. Adhering to the following best practices will help strengthen IoT device security.

    1. Create unique credentials for each device. Digital certificates are used to verify the identity of the sender of an electronic message by creating a highly secure, unique authentication method for each device. Providing each device with a unique digital certificate is significantly more effective than merely using default passwords or even using shared keys for symmetric encryption. This is because symmetric encryption with a shared key does not differentiate between devices, making it impossible to share information with a specific connected device or to know which specific device data originated from. Using asymmetric encryption with unique digital certificates enables manufacturers to share information with a specific device and to know which specific device data originated from, enabling highly secure authentication of each device and ensuring the integrity of the data.
    2. Take extra precautions for private key storage. Creating unique credentials for each IoT device requires the use of asymmetric cryptography, which generates a public and private key pair. While public keys can be shared, private keys need to be stored securely. The best way is with hardware-based security such as a Trusted Platform Module (TPM) or Secure Storage. A TPM chip, for example, protects keys and digital certificates via a hardware-enabled secure crypto processor, providing strong protection against being compromised.
    3. Verify firmware and software updates. The ability of hackers to install malicious software on connected devices is a significant threat. Using a public/private key pair and requiring that development teams sign their code reduces that threat. Each device would require a public key that matches the development team’s private key, which would verify that the update did come from the team and that it was not modified in transit.
    4. Provide ongoing lifecycle management. Any static system is inherently insecure, and the digital certificates and key pairs in use will weaken over time. Without proper management, there is a huge chance that certificates can either expire or serve as an infiltration tool for cybercriminals, unbeknownst to the team. This is because a certificate continues to remain valid even when it has been cycled out of use before the end of its 398-day lifespan. With the increasing quantity of IoT devices, tracking inventory across the field and detecting device changes are the most substantial security challenges for organizations. To enact proper lifecycle management, teams should map all devices and their associated digital keys and certificates within their organization. This helps establish an exact inventory of what’s in use and allows for easier monitoring of all certificates and keys, particularly when updates are needed or when teams need to revoke a certificate for a device that is no longer in use.

As the IoT ecosystem has grown and matured, severe security issues have cropped up that could cost device manufacturers millions of dollars and an unquantifiable loss of trust. In a worst-case scenario, a security flaw could put lives at risk. The sheer number of IoT devices in the world, and the fact that they are now performing mission-critical functions in a variety of fields, means it’s time to get serious about IoT security. By prioritizing IoT security through encryption, unique credentials, and ongoing lifecycle management, organizations can rest assured that the innovative new devices they introduce to the market – as well as the devices that are used for their own operations – will not introduce any disruptive risks.

A Milestone for securing the Internet of Things: Infineon welcomes introduction of a voluntary U.S. IoT security label https://iotbusinessnews.com/2023/07/18/89051-a-milestone-for-securing-the-internet-of-things-infineon-welcomes-introduction-of-a-voluntary-u-s-iot-security-label/ Tue, 18 Jul 2023 14:07:46 +0000 https://iotbusinessnews.com/?p=40075

A Milestone for securing the Internet of Things: Infineon welcomes introduction of a voluntary U.S. IoT security label

Today, U.S. Deputy National Security Advisor Anne Neuberger, Chairwoman of the Federal Communications Commission (FCC) Jessica Rosenworcel, and Laurie Locascio, Director of the National Institute of Standards and Technology (NIST) unveiled the U.S. national IoT security label at the White House.

Infineon Technologies AG supports this action to address the growing need for IoT security. The new label supports the IoT security requirements under NISTIR 8425, which resulted from an Executive Order to improve the nation’s cybersecurity. This label will recognize products that meet these requirements by permitting them to display a U.S. government label and be listed in a registry indicating that these products meet U.S. cybersecurity standards.

Thomas Rosteck, President of Connected Secure Systems, Infineon Technologies, said:

“Security is crucial for the Internet of Things. Without sufficient cybersecurity, there cannot be any IoT.”

“As a leading provider of semiconductors for security and IoT devices, Infineon welcomes the step the U.S. government has made and fully supports programs to boost cybersecurity for the Internet of Things. The U.S. label is a significant milestone towards strong global cybersecurity standards. We believe the implementation of this program will empower consumers and further boost the adoption of IoT products in the U.S. and beyond.”

Infineon semiconductors provide a secured foundation for many IoT devices. To demonstrate how easily Infineon products can be used to build secured IoT devices, Infineon’s IoT development kit (CY8CKIT-062S2-43012) will seek to obtain the U.S. national label. Certification of this development kit will help our customers to create IoT products that are compliant with the U.S. national label.

Infineon was involved in the development of the IoT label program through its participation as a member of the Connectivity Standards Alliance (CSA). The U.S. cybersecurity guidelines are closely aligned with several CSA standards, including the Matter standard. Matter provides device manufacturers with a secured communication standard for a wide range of smart home applications and thus improves connectivity between smart devices from different manufacturers. CSA’s Product Security effort (chaired by Infineon) will certify that IoT devices meet global security requirements, including those used by the U.S. national label. Together, these standards move the IoT to a higher level of interoperability and security.

For more information on IoT cybersecurity and Infineon’s approach to securing the ecosystem, please download the whitepaper “How to meet the IoT security requirements of today and tomorrow,” here.

IoT Security: How to Protect Your Solutions https://iotbusinessnews.com/2023/06/09/34540-iot-security-how-to-protect-your-solutions/ Fri, 09 Jun 2023 08:44:59 +0000 https://iotbusinessnews.com/?p=39895

IoT Security: How to Protect Your Solutions

When it comes to internet-connected devices, one of the biggest concerns is the chance of hacker attacks that can lead to a loss of critical data. Today, in the era of Internet of Things technology, when attackers are continuously looking for more sophisticated ways to get access to users’ data, it’s obvious that development companies should treat IoT security as one of their core priorities.

The number of IoT-connected devices is growing all over the world. While there are around 15 billion of them today, this figure is expected to be over 29 billion by 2030. The devices all differ, but the main approaches to ensuring their security stay the same. And while some issues can be caused by the user’s behavior, many vulnerabilities should be addressed by manufacturers and software developers as early as the system design stage.

Key IoT risks

To begin with, it is important to understand what issues and risks you can face if you work with Internet of Things systems. If you work with a reliable IoT development company, you will be warned about them as professional software engineers should be aware of them and know how to deal with them. It is demonstrated by the results of their work, and IoT development by Cogniteq can be named among the examples that prove these words.

  • Low authentication requirements. If your password is weak, the risk of having your account or device hacked is rather high. It may sound surprising, but a lot of IoT devices are not protected by passwords at all, which makes it very simple for hackers to reach them.
  • Legacy software. Some IoT-powered systems work with software that wasn’t initially developed to be compatible with cloud technologies or that can’t support modern encryption standards. That’s why it is rather risky to use such apps in IoT solutions.
  • Lack of timely firmware updates. Regularly updating your firmware and fixing all bugs as soon as they are detected is a must. The longer you postpone these processes, the higher your chances of facing security issues.
  • Shared access to the network. Many developers prefer to connect IoT devices to the same network that other users’ devices are connected to, for example, a LAN or WiFi network. But in such a case, the whole network can face quite serious vulnerabilities because just one device can be used to hack the entire system. That’s why it is highly recommended to use a separate network for every IoT app.
  • Vulnerabilities caused by physical access to devices. Some IoT devices can be placed in remote areas and be operated fully at a distance. However, this is not always possible. Very often people can physically access devices, which may pose additional threats. A simple example: if a specialist who has access to such devices forgets to close the door to the room where they are placed, an unauthorized person may easily come in.

How to increase IoT security?

Though it is crucial to know the key threats, that knowledge alone is not enough to increase the level of protection of your IoT-powered systems. It is much more important to understand the ways to minimize the risks of external attacks.

  • Physical security. Though this principle is a very simple one, unfortunately, quite often companies that operate IoT-powered systems forget about it. You should carefully track the number and roles of people who get access to IoT devices. If you deal with cellular IoT devices, critical data is usually kept on SIM cards that can be easily stolen. That’s why devices should be well-protected.
  • IMEI lock. IMEI can be explained as the unique identification number of a mobile device. Thanks to an IMEI lock, you can ensure that a SIM card can be used only with an indicated IMEI, which means only with a chosen device. As a result, even if the card is removed, nobody will be able to use it on other devices.
  • Introduction of private networks. When data is sent from one device to another, this simple action is already a rather risky one for the security of the transferred data. And when you use any public network like WiFi for it, your solution becomes easy prey for hackers. One of the things that are important to do is message encryption. But even this step may not be enough. That’s why we highly recommend you use private networks that will prevent your data from getting to the public internet.
  • Detection of abnormal behavior. When there are attempts to breach IoT-powered devices or there is any suspicious activity on your network, you should be notified about it. To reach this goal, engineers should introduce specific tools for monitoring activities on the network, detecting the level of threat, and sending notifications to system admins, who can then react to any risks in time.

Final word

Data is one of the most valuable assets for any business, which is why hackers always try to get access to it. When you implement IoT solutions in your business processes, you need to think not only about their functionality but also about their security. Without proper protection of your system and, consequently, your sensitive data, you won’t be able to leverage the benefits of even the most powerful and innovative solution.

Intrinsic ID Launches Software to Protect Billions of Smart, Connected Devices Addressing Worldwide Cybersecurity Challenges https://iotbusinessnews.com/2023/03/13/05466-intrinsic-id-launches-software-to-protect-billions-of-smart-connected-devices-addressing-worldwide-cybersecurity-challenges/ Mon, 13 Mar 2023 12:50:29 +0000 https://iotbusinessnews.com/?p=39361

Intrinsic ID Launches Software to Protect Billions of Smart, Connected Devices Addressing Worldwide Cybersecurity Challenges

Intrinsic ID Zign Gives Every Connected Device a Unique Identity and Strong Security Basis to Protect Against Malicious Intrusion, Ensure Trusted Communication and Comply with Latest Legislation.

Intrinsic ID¹ today announced a new software-only solution that enables every connected device to have a unique identity and hardware-based security anchor, improving the reliability and trustworthiness of these devices, their networks and communications.

IoT security has lately been the subject of international legislation, underscoring the importance of the challenge for worldwide cybersecurity.

Zign provides a cost-effective security solution aimed at a broad range of sectors, including business, manufacturing, banking, critical infrastructure, medical and automotive. Easy to deploy on any type of new or existing IoT device, Zign can encrypt any IoT data, both in transit and on the device. Zign works in compliance with the most stringent security standards of both the US and EU Governments. The Intrinsic ID Zign solution combines proven, patented PUF technology with National Institute of Standards and Technology (NIST)-certified cryptographic algorithms to ensure a high level of security with unclonable, invisible keys, and encryption protections for even the smallest devices.

Dr. Pim Tuyls, CEO and co-founder of Intrinsic ID, said:
“Governments around the world are waking up and realizing additional security standards for consumer devices are needed to address the growing and important role the billions of connected devices we rely on every day play. The EU Cyber Resilience Act, and the IoT Cybersecurity Improvement Act in the United States are driving improved security practices as well as an increased sense of urgency.”

“With the immense diversity of IoT devices supplied by various vendors, a device-agnostic security solution is key. Zign enables a more trustworthy and reliable IoT by providing every device with a security anchor based on the unique hardware properties of the device. This level of security helps build resilience and trust in our connected world.”

Cryptographic keys are essential for devices to encrypt data and secure communications. Traditionally, these keys are programmed into devices at secure manufacturing facilities and require costly, dedicated hardware for secure storage. Zign changes this by offering a highly secure solution implemented totally in software. Zign leverages the proven and patented SRAM PUF technology from Intrinsic ID to derive device-unique keys from tiny variations in the silicon of every chip, eliminating the need for programming keys or dedicated security hardware. With Zign, the keys are never stored and never leave the device, so they are invisible to attackers, unobtainable, and cannot be copied or altered, providing unmatched data security for an already huge and still growing market.

Key features and benefits of Intrinsic ID Zign include:

  • Improved security and compliance with upcoming legislation and standards, even for existing devices: Zign enables device makers to add basic security properties meeting NIST certification standards to any device, regardless of the type of hardware, even on devices already deployed.
  • Cost-effective to deploy: Zign can patch lacking security remotely, avoiding expensive recalls of unsecure devices and eliminating the need for trusted facilities to provision keys or for dedicated security hardware.
  • Strong and proven security: Zign provides the highest level of security based on patented PUF technology that has been stringently tested and certified by, among others, the US Department of Defense and EU governments, and has been field-proven in more than a half-billion devices.
  • Future-proof solution: Zign provides all required security functions to protect IoT devices during their entire lifecycle by enabling users to securely onboard and authenticate devices to services, set up secure communication, protect data at rest and in transit, and even de/re-commission keys at end of life.

Standards, Pricing and Availability

Zign is a NIST/FIPS-compliant software solution that enables IoT device makers to create a hardware-based root of trust. It has been validated for NIST CAVP and is ready for FIPS 140-3. Randomness is according to NIST SP 800-90A/B. Zign is available immediately and can be implemented at any stage of a device’s lifecycle, even after a device is already created and/or deployed in the field. Pricing is based on features and volume.

¹ Intrinsic ID, the world’s leading provider of physical unclonable function (PUF) technology for security and authentication applications in embedded systems and the internet of things (IoT)

Intrinsic ID Protects 500,000,000 Devices Globally https://iotbusinessnews.com/2023/02/16/65250-intrinsic-id-protects-500000000-devices-globally/ Thu, 16 Feb 2023 14:15:54 +0000 https://iotbusinessnews.com/?p=39226

Intrinsic ID Protects 500,000,000 Devices Globally

  • Market trends: growing need for protecting connected devices & moving from software-only to hardware-based security
  • Intrinsic ID SRAM PUF technology provides a strong, scalable and cost-effective foundation of trust
  • Intrinsic ID solutions skyrocket in adoption, driving exponential growth of secure hardware technology

Intrinsic ID, the world’s leading provider of Physical Unclonable Function (PUF) technology for security and authentication applications in embedded systems and the Internet of Things (IoT), today announced that it is now protecting 500,000,000 devices worldwide with cutting-edge security technology.

This milestone achievement has been fueled by the vital need for security that our connected world is experiencing. With the rapidly growing number of devices that make up the IoT, it is no longer possible to connect these devices without having proper security in place. On top of the increasing need for protecting IoT devices comes an industry-wide shift from software-only to hardware-based security solutions, especially when it comes to protecting cryptographic keys.

The combination of these two trends has resulted in an exponential adoption rate of Intrinsic ID SRAM PUF technology. SRAM PUF facilitates the creation of a root of trust in hardware, in an easy and flexible manner and at low cost, without the need to store keys. These benefits of Intrinsic ID technology have given the company a strong position in the security markets for government and defense, industrial IoT, and data centers, while aiding expansion into new, high-growth vertical markets including automotive, wearables, healthcare, AI, and smart cities and homes.

Recent key achievements of Intrinsic ID include:

  • Exponential adoption of Intrinsic ID PUF technology. The number of new devices deployed with Intrinsic ID technology in 2022 was almost double compared to the number of devices in 2021.
  • Customer retention. A rapidly growing number of license deals is coming from recurring customers, which shows strong customer retention.
  • Strong 2022 financial performance. In 2022 revenue grew to a new record high, more than doubling 2021 revenue and making Intrinsic ID highly profitable in 2022.
  • Team Growth. During 2022 the Intrinsic ID team grew by about 20%. Team growth continues in 2023 with vacancies across different departments inside the company.

Creating a better world that can be trusted

Dr. Pim Tuyls, CEO and co-founder of Intrinsic ID, said:

“Ensuring the reliability and trustworthiness of our electronics systems has become a critical concern worldwide, and is at the forefront of our remarkable success.”

“Our cutting-edge security IP is now integrated into more than half a billion devices, found everywhere from your wrist to data centers, and even in space. We closed out 2022 on a high note and are eager to continue this momentum in 2023 as we collaborate with our customers and partners to build a more secure and trustworthy world. With high growth potential in verticals such as automotive, data centers, and AI, we are confident in our continued success and we are actively expanding our team to support this growth.”

Intrinsic ID security solutions offer the best combination of security, flexibility, and cost and are used by leading global technology companies to authenticate devices, protect data, secure communications, and establish a secure root of trust.

Würth Elektronik partners with Crypto Quantique for IoT Security https://iotbusinessnews.com/2023/02/13/98720-wurth-elektronik-partners-with-crypto-quantique-for-iot-security/ Mon, 13 Feb 2023 14:51:53 +0000 https://iotbusinessnews.com/?p=39202

Würth Elektronik partners with Crypto Quantique for IoT Security

Würth Elektronik has signed a partnership agreement with Crypto Quantique.

Collaboration with the specialist in quantum-based cyber security in the Internet of Things (IoT) enhances security for Würth Elektronik’s wireless modules.

Würth Elektronik boasts a broad portfolio of modules for wireless communication and sensors for IoT applications. The modules support connectivity with Bluetooth, WiFi, Wireless M-Bus, Wirepas Mesh and proprietary radio protocols. Würth Elektronik offers components and development support for faster and more cost-effective development of market-ready IoT solutions—from simple cable replacement to radio chips with integrated GNSS modules.

Combining Crypto Quantique’s QuarkLink security software platform with Würth Elektronik’s wireless modules enables automatic and secure connection of thousands of sensor nodes to local or cloud-based servers. The platform allows device provisioning, onboarding, security monitoring, renewal and revocation of certificates and keys, performed with a few keystrokes on a GUI. Users have all the functions at their disposal required to manage IoT devices in their lifecycle.

“Würth Elektronik is often the first choice for radio modules, especially with industrial IoT applications. The spectrum of products offered, combined with wide-ranging support and application expertise, is outstanding,” Dr. Shahram Mossayebi, CEO of Crypto Quantique, explains the cooperation.

“Expanding the offering with QuarkLink also raises the appeal of these products. This makes implementing and managing secure IoT networks faster and easier. At a time when the global threats to such networks are greater than ever, this is an important advantage.”

“We are always interested in providing our customers with the best IoT technology, reducing their development costs and workload, without compromising performance, reliability or security. QuarkLink is an important new building block here,” says Oliver Opitz, Vice President, Wireless Connectivity and Sensors at Würth Elektronik eiSos GmbH & Co. KG.

Kudelski IoT Launches Matter Certificate Authority and Broad Security Portfolio for Manufacturers Company https://iotbusinessnews.com/2023/02/09/40989-kudelski-iot-launches-matter-certificate-authority-and-broad-security-portfolio-for-manufacturers-company/ Thu, 09 Feb 2023 15:42:38 +0000 https://iotbusinessnews.com/?p=39192

Kudelski IoT Launches Matter Certificate Authority and Broad Security Portfolio for Manufacturers Company

Company to leverage 30+ years of security lifecycle management expertise to bring trust and interoperability to consumer IoT devices.

Kudelski IoT, a division of the Kudelski Group, the world leader in digital security and IoT solutions, today announced that it will provide a wide array of security services and technologies to device manufacturers adopting Matter, the leading standard for smart home devices from the Connectivity Standards Alliance (CSA).

Kudelski IoT has also been approved by the CSA as a Product Attestation Authority (PAA) and Certificate Authority (CA) and will deliver signed certificates to manufacturers whose devices have been Matter certified, allowing them to create trusted devices that provide a frictionless and secure smart home experience.

The Kudelski IoT Matter CA Service enables companies to quickly and easily get scalable access to Device Attestation Certificates (DACs). The service is a managed, scalable “PKI as a Service” platform with Hardware Security Modules (HSMs) on Kudelski premises to secure private keys. Each manufacturer using the platform can manage the security lifecycle of certificates and devices in their own dedicated, cloud-based application. Kudelski IoT can also provide solutions for the secure provisioning of certificates into devices, both in the factory and in the field.

Kudelski IoT’s Certificate Authority is not only cost effective, but device and silicon manufacturers will also have access to a more complete portfolio of services to help them effectively design, build and test security as well as manage it throughout its lifetime. These services include threat & risk assessments, security architecture, device security assessments, firmware monitoring and secure firmware update services. Kudelski IoT also provides a Secure IP portfolio for silicon manufacturers interested in embedding lifecycle security into their chipsets.

“The Alliance is honored to be working with experienced security partners like Kudelski IoT to provide manufacturers with a Matter device attestation resource,” said Chris LePré, Head of Technology at the Connectivity Standards Alliance. “Device attestation is an integral part of ensuring new devices can be properly and securely accepted into a Matter network. Kudelski IoT is providing a very important resource that ultimately benefits consumers, who simply need to look for the Matter logo to receive a secure experience.”

Kudelski Group companies have worked with device manufacturers to enable and protect their devices and associated services for more than 30 years. Kudelski is a pioneer in pay media and has been protecting digital cable, satellite, terrestrial set-top boxes, and streaming services since their inception, providing a wide range of security technologies and services with a strong focus on device security and certification. The company has provided certificates, keys, and credentials to more than 500 million devices.

“Matter is clearly becoming an important force in creating a more secure connected home where everything just works, data and devices are protected, and consumers can enjoy devices and services without having to worry about privacy breaches,” said Hardy Schmidbauer, SVP of Kudelski IoT.

“We look forward to helping all the members of the Matter ecosystem create trusted, safe, and profitable connected devices and services, and to supporting the Matter ecosystem’s growth with not only Product Attestation, but also a range of other services and systems that help secure long-term success.”

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status https://iotbusinessnews.com/2023/01/23/03206-iot-security-foundation-announces-fifth-report-on-consumer-iot-vulnerability-disclosure-policy-status/ Mon, 23 Jan 2023 12:18:36 +0000 https://iotbusinessnews.com/?p=39138

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status

Disappointing Results and the Enactment of the UK Product Security and Telecommunications Infrastructure Bill Means Firms Could Face Monetary Penalties for Non-Compliance.

The IoT Security Foundation has published its latest influential research report which monitors the security management behaviour of consumer IoT product companies.

The study reviewed the practice of 332 companies identified as selling IoT products for consumer and commercial uses such as appliances, routers, audio, smart home, lighting, mobile, tablets and laptops. This is the fifth published report in the series, plotting industry progress since 2018 with prior versions cited as evidence in global standards and regulatory processes. The desk-based research was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.

Key Findings

Vulnerability management is critical for connected product security and is widely accepted as a basic hygiene practice for vendors. It features in nearly 30 cybersecurity guidance initiatives [1], including IoTSF’s highly popular IoT Security Assurance Framework [2]. Easy reporting of security issues is therefore regarded as essential for security lifecycle maintenance.

Once again, the main finding is that vulnerability disclosure practice remains at a disappointingly low level. In 2018 we found that just 9.7% of firms in the study had a disclosure policy and in this latest report that number is just 27.1%. This is still far below the near-100% the researchers would like to see.

Whilst it is not always easy to determine the origin of products, the analysis also indicates the best-performing region to be Asia, with European suppliers trailing significantly behind (34.7% vs. 14.5% respectively).

Evolving Practice

The report was originally conceived to raise awareness of vulnerability management and the likelihood of legislation, and it has also served as an ongoing commentary on the evolution of industry practices. As part of the study the researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘security.txt’ files and a small decline in PGP key usage for secure submissions. Two policy maintenance trends are also identified: a noticeable rise in the number of companies that are failing to keep their policies up to date and an increase in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

Regulation has arrived

As anticipated, the UK’s long-awaited Product Security and Telecoms Infrastructure (PSTI) Bill achieved Royal Assent on December 6th, 2022, meaning it is now law [3]. Within the legislation, there are responsibilities for manufacturers, importers, and distributors to provide a vulnerability disclosure policy [4]. This means that the 72.9% of companies identified in the report who do not have a policy will be in breach of UK law.

John Moor, Managing Director of IoTSF said:

“Naturally it is disappointing to see so many consumer IoT companies still not taking basic steps to maintain their product security. IoTSF members are strong advocates for building secure IoT systems and we work together to help others by sharing knowledge and publishing how-to guides, for those in need – many resources are published for free. There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.”

David Rogers, CEO of Copper Horse Ltd., said: “The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

HackerOne Inc. supported the creation of the 2022 report, and Laurie Mercer, Senior Manager of Security Engineering, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle. It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice. The fact that the UK has seen higher adoption speaks to the impact government legislation and policy can have on cybersecurity. Mandating VDPs is going to be the most effective way of ensuring consumer safety.”

Moor concluded with an optimistic outlook: “We should also praise those who made it their business to be on the 2022 green list and look forward to the next report, when we trust the legislation, with a possible penalty of up to £20,000 per day, will provide the necessary motivation to get off the red list of companies contained in the report.”

The report can be downloaded here. More reports from the IoTSF can be downloaded for free and without registration here.

Key IoT security trends for 2023 https://iotbusinessnews.com/2022/12/21/08703-key-iot-security-trends-for-2023/ Wed, 21 Dec 2022 16:14:39 +0000 https://iotbusinessnews.com/?p=38962

Key IoT security trends for 2023

By Sam Colley, CEO, Pod Group.

In the coming year, it is predicted that there will be more than 43 billion devices connected to the Internet. With the speed at which the Internet of Things (IoT) industry is growing, 2023 is sure to be a year of exciting developments in the enterprise IoT space.

Yet the flip side of growth is that cybersecurity threats not only remain persistent but likewise grow. These include weak digital links, like insecure connections and legacy devices, which can be taken over to spread malware or gain access to confidential data.

As we head into 2023, IoT cybersecurity will play a greater role than ever before, with enterprises making important decisions on how best to shore up security in the digitally connected present and future.

Those decisions are the trends that drive the industry towards meeting the heightened demands of an increasingly connected world and the smart solutions that power it.

Here are two key IoT security trends we see unfolding in 2023.

The rise of private networks in the form of ENOs

While private networks have always existed, they’ll start to come to maturity in 2023. Enabling secure and seamless roaming between private and public networks is vital since switching between the two is not intrinsically safe. In addition, new technologies are giving rise to solutions in this space. In particular, Enterprise Network Operators (ENOs) play an important role here.

Traditionally, enterprises have worked with either MNOs or MVNOs to power their mobile networks. However, neither of these have been ideal solutions to meet enterprise needs properly, given the drawbacks of siloed networks with complex roaming agreements — all of which lack centralised control and increase IoT security threats. As a result, enterprises need tailored network services now more than ever and in 2023, this need will be met by ENOs.

ENOs combine the best features of both MNOs and MVNOs to put ownership of the network into the hands of the enterprise and provide completely tailored solutions, including more secure IoT connectivity. The coming year will see more of this technology taking root within business as enterprises seek to regain control over their data security and fortify their digital assets.

In fact, 92% of enterprises say they plan to use private networks by 2024, so expect 2023 to be the head start towards that future.

The rise of eSIM in B2B IoT

eSIMs are industry-standard digital SIMs that allow enterprises to activate a cellular plan without the need for a physical SIM. Just this year, Apple was one of the first consumer device makers to go mainstream with eSIMs, unveiling its iPhone 14 with the technology.

As opposed to physical SIM cards, eSIMs are soldered directly into the device, preventing them from being tampered with or removed to be used fraudulently. As a result, their use in the security of internet-connected devices is significant.

This is useful since it removes the need to install an expensive SIM tray and makes the device harder to tamper with. Beyond form factor, new SIM-based solutions, such as IoT SAFE or more complicated domestic counterparts, are broadening the spectrum of security protections available down to the SIM.

Following Apple’s lead, we can expect to see more companies turn to this technology, not only because of its security benefits but also due to the supply chain cost savings of not needing to add a SIM tray to each device.

Furthermore, unlike physical SIMs, eSIMs allow new profiles and agreements to be updated OTA, future-proofing each device’s connectivity and removing the need for a physical swap-out of the SIM. As a result, expect to see more enterprises move towards eSIM this coming year.

Bottom line: Security and IoT in 2023

In the coming year, we’ll increasingly see security considerations factored into the earliest stages of IoT product development, both of devices and of software in a process known as ‘Security by Design.’ With security taking the front seat, 2023 is poised to be a banner year for the IoT sector, delivering its most compelling — and most fortified — solutions yet.

Security IoT in Healthcare: Cybersecurity Best Practices https://iotbusinessnews.com/2022/11/23/70564-security-iot-in-healthcare-cybersecurity-best-practices/ Wed, 23 Nov 2022 13:39:43 +0000 https://iotbusinessnews.com/?p=38818

Security IoT in Healthcare: Cybersecurity Best Practices

Healthcare providers are always pushing innovation to stay on the cutting edge of their industry, quickly embracing technology that could provide improved healthcare to their patients. They might not always be willing to invest in IT and cyber security, however, which is a gamble with people’s lives just as much as using archaic medical techniques.

Securing all networked devices in the healthcare industry is crucial, especially IoT devices. IoT devices are some of the most overlooked networked devices due to their ease of connection and mobility. Security teams might easily lose sight of where these devices are and when they are in use. Healthcare IoT security can be improved greatly through AI-driven monitoring software and some best practices.

Healthcare IoT Security Best Practices

Attack Surface Visibility

For any cyber security approach to be successful and comprehensive, the entire attack surface needs to be completely visible.

This implies that network engineers need to be aware of all the devices that are connected to the network of the healthcare institution. The attack surface, more often than not, extends beyond the physical network in the institution. Many institutions connect to external services, sharing and collecting information from the cloud or over VPNs. This is especially true when dealing with patients’ billing information or medical history.

Security professionals need to understand this and implement solutions that can monitor and continually discover the institution’s attack surface. If a parent or partner system does not adhere to the same level of cyber security standards, it becomes the weakest link and could compromise the entire chain of trust.

Segregated Internal Networking

Healthcare institutions have a multitude of disparate end nodes connected to their network. These include devices like stationary patient monitoring systems, file servers, security systems, workstations, and a large number of mobile IoT devices.

Under normal circumstances, any type of network breach could be potentially devastating to an organization. This is even more true in the healthcare industry, where the lives of people hang in the balance, not to mention a treasure trove of personally identifiable and medical information.

Therefore, healthcare institutions need to have segregated networks. The IT term for this is subnetting. Essentially, various systems need to be grouped and isolated from other systems and devices on a hospital’s network. This provides a basic countermeasure in the event of a network breach by threat actors: it limits the threat actor’s ability to move laterally throughout the network.

This aggregation of devices can greatly limit the impact of a data breach as well as provide network monitoring systems with closed sectors for accurate and efficient monitoring.

Zero-trust Approach

Although this might seem like the latest buzzword in the cyber security industry, the zero-trust architecture can greatly increase the cyber security posture of any organization, not only healthcare institutions.

Zero-trust is an implementation of multiple technologies driven by user rights and authentication mechanisms. How is this different from the traditional authentication and trust paradigm? Legacy network security followed an approach where users were given access to trusted resources based purely on the fact that they formed part of a specific user group or collection of users.

Users often ended up receiving more access than they needed to perform their duties. This meant that if their user account was compromised, the threat actor would gain access to multiple systems at once.

By implementing a zero-trust architecture, the effective access that users have to network resources is greatly reduced, since they have to be given explicit access to what they need, and their access is also constantly being reviewed and adjusted.

In Conclusion

The importance of IoT cyber security in the medical industry cannot be overstated. Not only are the institution’s business data and reputation at risk, but also the lives of patients who are relying on necessary medical equipment. Threat actors can potentially cause irreparable damage to innocent people’s lives or even cause their death.

Health institutions need to make cyber security a clear priority by implementing practices as described above. Some hospitals, for example, even implement AI-driven attack surface scanning software that can alert them in real time about potential cyber risks.

How Radio Frequency Security Can Ensure IoT Safety https://iotbusinessnews.com/2022/10/26/79021-how-radio-frequency-security-can-ensure-iot-safety/ Wed, 26 Oct 2022 14:01:05 +0000 https://iotbusinessnews.com/?p=38639

Danny Rittman, CTO of GBT Technologies

Internet of Things (IoT) technology offers a growing number of businesses a wide range of benefits, including better communication, speedy operation, and automation for improved efficiency and productivity. However, with these benefits also comes a silent and stealthy threat: radio frequency (RF) attacks.

Wireless devices and the risk of RF attacks

There are up to 22 billion mobile, wireless, and IoT devices in the world, and about 15 billion of these devices operate within the RF spectrum. Without effective RF cybersecurity protocols, these devices can represent a serious blind spot that allows cybercriminals to roam freely in corporate airspaces, where they can steal intellectual property and sensitive company data.

The issue is compounded by the fact that most current cybersecurity protocols cannot detect devices that operate within the RF spectrum. As such, it is vital for businesses to take this threat seriously and understand how they can stop these attacks.

The hidden danger of RF

Over the years, cybersecurity professionals have gotten pretty good at protecting Ethernet systems, i.e. those with hard-wired components connected through cables. Attacks and data breaches still happen, but provided that effective cybersecurity protocols are in place, cybersecurity teams can at least detect when a breach has occurred and take appropriate countermeasures to limit the damage.

However, standard cybersecurity protocols have been turned on their head by the rise of Bluetooth, BLE, and IoT devices that communicate through radio waves on the RF spectrum, connections that are usually unencrypted and operate on unsecured radio channels.

What’s important to understand is that the vulnerabilities in RF devices reside not so much in their operating systems or applications, but in how signals are sent from one RF device to another. Because these devices use the same unencrypted data key each time they transmit information, they can be easily attacked by malicious third parties. This can lead to data tampering, eavesdropping, or even piggybacking, all of which could compromise sensitive company secrets. The security team may not even learn of the breach until obvious red flags occur, such as locked user accounts, sudden file changes, or an abnormally slow network performance, at which point the damage is already done.

The security challenge is even more intractable because of the widespread nature of RF devices today. They exist everywhere as smartphones, medical wearables, laptops, keyboards, and any other type of wireless tech you can think of, a good deal of which are built by manufacturers more concerned with cost-cutting than proven security measures.

Worse yet, company devices or personal gadgets can be easily compromised outside the facility, such as in cafés or restaurants that employees frequent. The unsuspecting employee will then carry the infected device back to the facility, where it will serve as a launching pad for a wider infiltration.

Creating greater RF security

Businesses can better safeguard their intellectual property and sensitive data with a robust security system that closes as many blind spots as possible. Companies should take the following steps toward securing their RF air space:

1. Establish control of your radio airspace

Conduct an assessment of all devices operating in your radio airspace that use Wi-Fi, Bluetooth, BLE, and cellular signals. Determine whether these signals are encrypted and, if not, bring their firmware up to date. It may also be necessary to implement strict policies that forbid employees from taking company devices outside the facility while also disallowing personal devices that aren’t fully secured.

2. Evaluate RF security technologies

Placing safeguards against the use of unsecured RF devices in your facility will go a long way toward improving your security. But what’s even more important is evaluating and deploying effective RF security technologies that can detect, analyze, and alert your security team to the presence of an unsecured RF device.

Whatever your choice of vendor, the key thing is to ensure that unsecured devices can be detected in real-time, 24/7. It’s no good if the system can only detect devices during one-off security scans; it needs to work at all times and provide immediate alerts when a foreign device is detected.

3. Integrate RF security into your infrastructure

Deploying any new piece of technology requires an assessment of how it will fit within your larger technological landscape. The new system must work in conjunction with the rest of your cybersecurity systems, with no room for hiccups, security gaps, or incompatibility issues. Depending on the new system, this can require a detailed plan for a testing phase, a limited launch phase, and a facility-wide launch once all the kinks have been worked out.

Even once fully launched, the new system will need to undergo regular monitoring and reviews to see if it’s working as it should and whether there is any room for improvement. Companies should also prioritize future-proofing to ensure the system can continue working for many years with only occasional updates to meet new threats and attack vectors.

Final thoughts

Most businesses and their cybersecurity teams have a high appreciation for how dangerous security breaches can be, especially when it comes to their intellectual property and other closely guarded company secrets. That said, companies need to develop a greater appreciation for the potential threats of RF attacks that target unsecured wireless devices. As we move towards greater use and integration of IoT devices in our daily business operations, it becomes more important that companies recognize this unseen threat.

Author bio: Dr. Danny Rittman, CTO of GBT Technologies, a solution crafted to enable the rollout of IoT (Internet of Things), global mesh networks, artificial intelligence and for applications relating to integrated circuit design.

Portnox Debuts First Cloud-Native IoT Fingerprinting and Profiling Solution https://iotbusinessnews.com/2022/10/12/84977-portnox-debuts-first-cloud-native-iot-fingerprinting-and-profiling-solution/ Wed, 12 Oct 2022 13:00:37 +0000 https://iotbusinessnews.com/?p=38564

Portnox Debuts First Cloud-Native IoT Fingerprinting and Profiling Solution

Zero Trust Security Leader Brings Lightweight, Easy-to-Use IoT Security Capabilities to the Enterprise and Mid-Market.

Portnox, a proven leader in cloud-native, zero trust access and endpoint security solutions, today announced the general availability of the first cloud-native IoT security solution to help mid-market and enterprise businesses address rising Internet of Things (IoT) security threats.

Now available via the Portnox Cloud, Portnox’s new IoT fingerprinting and profiling capabilities empower organizations to easily and accurately identify, authenticate, authorize, and segment IoT devices across their network to ensure an effective zero trust security posture.

“No organization is immune to the inherent and increasing number of security risks IoT devices pose as they are more susceptible to vulnerabilities and, therefore, prime targets for cyberattacks. Companies of all sizes must properly secure these devices to prevent them from serving as a gateway onto the corporate network by cybercriminals. But as networks become more complex and distributed, and as the number of IoT devices continues to grow, it’s becoming more and more difficult to identify and control access for these devices across a given network, let alone secure them,” said Denny LeCompte, CEO, Portnox.

“As we bring our vision of simplifying access control and endpoint security for mid-market IT teams to fruition, adding a solution for IoT fingerprinting to our cloud-native platform was the natural next step. Portnox now gives customers full visibility of IoT devices in use across their respective networks.”

Juniper Research predicts that the total number of IoT connections will surge to 83 billion by 2024, while Ponemon Institute found that most (94 percent) organizations think that a security incident related to unsecured IoT devices or applications could be “catastrophic”. Large enterprises are not alone when it comes to rising IoT security headaches – organizations of all sizes are actively trying to strengthen their security postures to account for the surge of threats tied to the rising operational dependence on IoT. With so many IoT devices – printers, cameras, thermostats, sensors, monitors, etc. – now in use across all types of organizations, the ability to automatically onboard and enforce IoT device authentication, control and security policies across the network is mission critical.

Already helping more than 1,000 organizations navigate ever-changing cybersecurity threats, Portnox solutions are purpose-built to be exceptionally easy-to-use, scale, and manage. With the addition of IoT fingerprinting and profiling to the Portnox Cloud, Portnox customers can now enjoy enhanced confidence in the security posture of their network with respect to IoT – without the cost and resource demands associated with traditional on-premise IoT security solutions that can often be complex to configure, deploy, and maintain.

With the latest solution expansion, the Portnox Cloud now provides organizations with:

  • Complete device visibility and access policy enforcement across the network for all major device groups – IoT, bring your own device (BYOD) and managed devices
  • Enhanced IoT fingerprinting and profiling accuracy powered by artificial intelligence and machine learning
  • Strengthened organizational zero trust security postures, accounting for all devices and access layers – on-site and remote

This technology will unlock a tremendous number of additional capabilities, such as automatic policy mapping based on fingerprints and leveraging fingerprinting data to thwart potential MAC Address spoofing risks. Portnox customers can also use fingerprinting information to provide EoL/EoS dates, as well as list potential security vulnerabilities on the endpoint to augment network access and remediation policies.

Portnox continues to rapidly expand its zero trust security offerings across the Portnox Cloud. The company is currently exploring new ways to add agentless risk assessment policy enforcement, as well as data capture options to increase IoT fingerprinting access and automate micro-segmentation and quarantining for IoT devices in future iterations of the solution.

“Providing intelligent insight and visibility into IoT devices connecting to a business’s network with absolutely zero on-prem footprint required is absolutely unprecedented,” said Portnox Vice President of Product Management Jeremy Morrill. “From somewhat basic IP phones, security cameras, printers, TVs and streaming appliances, to complex medical devices and manufacturing equipment, the need for comprehensive IoT security has never been more critical – especially as the proliferation of IP-connected devices continues to accelerate and shows no sign of slowing.”

Effective immediately, IoT fingerprinting and profiling will now be automatically included in Portnox’s NAC-as-a-Service subscription for organizations with 500+ devices.

Find more details on pricing packages here.

EU announces first ever move to legislate cybersecurity for IoT https://iotbusinessnews.com/2022/10/12/63479-eu-announces-first-ever-move-to-legislate-cybersecurity-for-iot/ Wed, 12 Oct 2022 12:30:57 +0000 https://iotbusinessnews.com/?p=38575

EU announces first ever move to legislate cybersecurity for IoT

By Mike Nelson, VP of IoT Security at DigiCert.

What the EU Cyber Resilience Act means for IoT security

The EU Cyber Resilience Act is the first EU-wide legislation to impose cybersecurity rules on manufacturers. It will cover both hardware and software and applies to both manufacturers and developers, making them responsible for the security of connected devices. The European Commission states that the regulation will tackle two issues: “the low level of cybersecurity of many of these products and more importantly the fact that many manufacturers do not provide updates to address vulnerabilities.”

What will the EU Cyber Resilience Act require?

The devil will be in the details as the requirements are developed and released. We anticipate that they will use non-prescriptive approaches similar to what we see in other regulations, like “encrypt sensitive data,” “devices must have the ability to be updated,” “ensure integrity of software and firmware,” etc. However, to justify a penalty, they need to have some measurable approaches. There will likely be a requirement for regular updates, as that is one of the pain points that the European Commission raised. Sending automatic updates to a large scale of devices will be difficult without a solution that helps manufacturers maintain viability and automate tasks. Additionally, the EU Commission has stated that there will need to be more information available for consumers to make informed purchasing decisions and to set up their devices securely.

How will the EU Cyber Resilience Act affect IoT manufacturers?

IoT device manufacturers could face massive fines and penalties for non-compliance with the drafted EU Cyber Resilience Act. This is one of the first pieces of legislation to require a financial penalty for non-compliance. The EU is clear that with this proposed legislation the financial burden of devices will rest with manufacturers and developers.

Furthermore, products that do not meet “essential” cybersecurity requirements will not be allowed to go to market. Thus, manufacturers need to start incorporating security in the design of their products now, so that devices going to market in the next few years will be up to the required security standards. Market surveillance authorities in each EU member state will be responsible for fining non-compliant companies, up to a limit set within the act, and for prohibiting non-compliant devices from going to market. However, having one set standard for cybersecurity across the EU will also make it more streamlined and clearer for manufacturers on how to maintain compliance.

How will the EU Cyber Resilience Act affect consumers?

The EU Cyber Resilience Act will give consumers better purchasing power and trust in their devices by requiring manufacturers to provide information on device security before purchasing. The rules will require more knowledge on how to choose products that are secure and how to set up devices in a secure way. Similar to how consumers look at nutrition labels on food products to better understand what they are made of, providing security information on devices upfront will allow consumers to make more informed purchase decisions.

As manufacturers will be required to be more transparent on the cybersecurity in their devices, consumers will have increased trust in the connected devices that do go to market. Furthermore, the EU Commission anticipates it could even increase demand for “products with digital elements” if consumers trust the product security more.

IoT should be secure by design

Regulators shouldn’t have to come in with heavy fines and consequences to drive security — but sadly, all too often security is an afterthought in device development. In a perfect world, companies would realize the importance of protecting their assets, customers, reputation, and employees and do security the right way because it’s the right thing to do. Until we get there, we will have to continue tolerating regulators coming in with a stick. Additionally, the ability for national surveillance authorities to be able to prohibit or restrict the sale of non-conforming products will also be a stick that will drive better security.

When will the Cyber Resilience Act be enforced?

At this point, the EU Cyber Resilience Act is with the European Parliament and Council to examine and adopt. Once enacted, Member States will have up to two years to adopt the requirements. Thus, manufacturers should be prepared to comply with the act any time in the next few years.

However, the trend of increasing regulation on connected devices will continue. The EU Cyber Resilience Act is just the first step; we anticipate that this regulation will become a guideline for other regulators to develop similar standards. In the future, there will be more regulation on the IoT and its design, not less. Thus, it’s important for manufacturers to implement cybersecurity by design now, so they are prepared for the future of IoT regulation.

In addition to more IoT regulation, we are seeing industries come together to solve for device security. For instance, the Matter protocol about to launch for smart home device interoperability, security and reliability may serve as an industry-driven roadmap for better IoT device security. Though the full details of the proposed EU legislation are yet to come out, it is likely that manufacturers complying with Matter security, using device attestation certificates and product attestation intermediates, would meet the requirements of the EU lawmakers. Furthermore, they will have the opportunity to signal security to consumers, given that Matter-compliant devices will carry the Matter seal of approval.

Achieve cyber resilience with DigiCert

At DigiCert, we believe the EU Cyber Resilience Act can increase digital trust in our connected world. We have long championed the necessity of security by design and have the expertise and solutions needed to help manufacturers achieve it. For example, DigiCert for Connected Devices, with the award-winning solution of IoT Device Manager and Mocana, can help manufacturers manage the entire lifecycle of their device including sending secure updates.

The post EU announces first ever move to legislate cybersecurity for IoT appeared first on IoT Business News.

IoT Vulnerability Disclosures Grew 57% from 2H 2021 to 1H 2022 https://iotbusinessnews.com/2022/08/24/92043-iot-vulnerability-disclosures-grew-57-from-2h-2021-to-1h-2022/ Wed, 24 Aug 2022 14:19:17 +0000 https://iotbusinessnews.com/?p=38245

IoT Vulnerability Disclosures Grew 57% from 2H 2021 to 1H 2022

State of XIoT Security Report: 1H 2022 from Claroty’s Team82 reveals rise in IoT vulnerabilities, vendor self-disclosures, and fully or partially remediated firmware vulnerabilities.

Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to new research released today by Claroty, the cyber-physical systems protection company.

The State of XIoT Security Report: 1H 2022 also found that over the same time period, vendor self-disclosures increased by 69%, with vendors becoming more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus software vulnerabilities.

Compiled by Team82, Claroty’s award-winning research team, the report is a deep examination and analysis of vulnerabilities impacting the Extended Internet of Things (XIoT), a vast network of cyber-physical systems including operational technology and industrial control systems (OT/ICS), Internet of Medical Things (IoMT), building management systems, and enterprise IoT. The data set comprises vulnerabilities discovered by Team82 and from trusted open sources including the National Vulnerability Database (NVD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), CERT@VDE, MITRE, and industrial automation vendors Schneider Electric and Siemens.

“After decades of connecting things to the internet, cyber-physical systems are having a direct impact on our experiences in the real world, including the food we eat, the water we drink, the elevators we ride, and the medical care we receive,” said Amir Preminger, vice president of research at Claroty.

“We conducted this research to give decision makers within these critical sectors a complete snapshot of the XIoT vulnerability landscape, empowering them to properly assess, prioritize, and address risks to the mission-critical systems underpinning public safety, patient health, smart grids and utilities, and more.”

Key Findings

  • IoT Devices: 15% of vulnerabilities were found in IoT devices, a significant increase from 9% in Team82’s last report covering the second half (2H) of 2021. Additionally, for the first time, the combination of IoT and IoMT vulnerabilities (18.2%) exceeded IT vulnerabilities (16.5%). This indicates enhanced understanding on the part of vendors and researchers to secure these connected devices as they can be a gateway to deeper network penetration.
  • Vendor Self-Disclosures: For the first time, vendor self-disclosures (29%) have surpassed independent research outfits (19%) as the second most prolific vulnerability reporters, after third-party security companies (45%). The 214 published CVEs almost double the total in Team82’s 2H 2021 report of 127. This indicates that more OT, IoT, and IoMT vendors are establishing vulnerability disclosure programs and dedicating more resources to examining the security and safety of their products than ever before.
  • Firmware: Published firmware vulnerabilities were nearly on par with software vulnerabilities (46% and 48% respectively), a huge jump from the 2H 2021 report when there was almost a 2:1 disparity between software (62%) and firmware (37%). The report also revealed a significant increase in fully or partially remediated firmware vulnerabilities (40% in 1H 2022, up from 21% in 2H 2021), which is notable given the relative challenges in patching firmware due to longer update cycles and infrequent maintenance windows. This indicates researchers’ growing interest in safeguarding devices at lower levels of the Purdue Model, which are more directly connected to the process itself and thus a more attractive target for attackers.
  • Volume and Criticality: On average, XIoT vulnerabilities are being published and addressed at a rate of 125 per month, reaching a total of 747 in 1H 2022. The vast majority have CVSS scores of either critical (19%) or high severity (46%).
  • Impacts: Nearly three-quarters (71%) have a high impact on system and device availability, the impact metric most applicable to XIoT devices. The leading potential impact is unauthorized remote code or command execution (prevalent in 54% of vulnerabilities), followed by denial-of-service conditions (crash, exit, or restart) at 43%.
  • Mitigations: The top mitigation step is network segmentation (recommended in 45% of vulnerability disclosures), followed by secure remote access (38%) and ransomware, phishing, and spam protection (15%).
  • Team82 Contributions: Team82 continues to lead the way in OT vulnerability research, having disclosed 44 vulnerabilities in 1H 2022 and a total of 335 vulnerabilities to date.

The post IoT Vulnerability Disclosures Grew 57% from 2H 2021 to 1H 2022 appeared first on IoT Business News.

Wi-SUN Alliance report: IoT security fears fall by over 30% in the last five years https://iotbusinessnews.com/2022/08/04/05456-wi-sun-alliance-report-iot-security-fears-fall-by-over-30-in-the-last-five-years/ Thu, 04 Aug 2022 09:47:35 +0000 https://iotbusinessnews.com/?p=38164

Wi-SUN Alliance report: IoT security fears fall by over 30% in the last five years

Data privacy regulation a top three challenge for IoT adopters.

Fears over security have become less of a concern for organisations adopting IoT solutions than they were five years ago, according to a recent study by Wi-SUN Alliance*.

The Journey to IoT Maturity, a follow-up to Wi-SUN’s ‘state of the nation’ IoT study in 2017, is based on interviews with IT decision makers from UK and US IoT adopters within key industries, including energy and utilities, state and local government, construction, technology, and telecommunications. The clear signal is that IoT is now a bigger IT priority than ever for organisations across all sectors.

Those respondents ranking security as one of their top three challenges when rolling out IoT fell from 58% in 2017 to 24% in 2022, while the proportion of respondents viewing it as a technical challenge also dropped from 65% in 2017 to 42% this year, indicating fewer concerns but still highlighting it as an issue. Companies might be less worried about security, but it is still on their risk list.

Concerns growing over data privacy

While security is becoming less challenging than it used to be, there are growing fears over data privacy issues. Data privacy regulation is the second highest (political, economic or social) challenge for IoT adopters, with 36% placing it in their top three, just behind the need to reprioritise spending due to Covid-19 (37%) and ahead of budget cuts resulting from less revenue during the pandemic (35%).

Fears over big data have also risen over the last five years, with 19% of respondents (up from 11% in 2017) placing it in their top three IoT rollout challenges, and one in four citing regulatory concerns. The introduction of the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and other privacy regulations since Wi-SUN’s 2017 report may be a factor in this growth.

Phil Beecher, President and CEO, Wi-SUN Alliance, comments: “Data privacy concerns have gone up, understandably, with more legislation putting the spotlight on data protection. Since our last study, stricter privacy laws have increased pressure on organisations to protect sensitive data. This includes the GDPR in Europe and various state-level laws in the US.”

“Among our survey respondents, we saw that concerns were higher in the UK, where over half (53%) of organisations include secure data collection in their IoT strategies compared to just a third (34%) in the US. IoT initiatives, such as smart metering, streetlighting and those using environmental, air quality and acoustic sensors, are increasingly generating huge volumes of data, and while this information may be made entirely ‘secure by design’, the risks remain.”

Industry reports suggest a growing number of attacks on IoT devices over the last two years leading to the theft of confidential data and the launch of DDoS attacks. Mirai is one of the most recognised IoT threats dating back to 2016 when it was used to compromise connected devices like routers to launch attacks on websites and networks. It is still used by malware developers to attack vulnerable systems, from manufacturing systems to critical infrastructure.

Wi-SUN’s Phil Beecher adds: “While obstacles remain, organisations will need to continue to overcome both technical and non-technical challenges with the support of the industry, including IoT solutions and device companies. With more than 90% of our respondents recognising that they must invest in IoT over the next 12 months to remain competitive, failure to navigate these important issues is not an option.”

* Wi-SUN Alliance is a global member-based association of industry leading companies driving the adoption of interoperable wireless solutions for use in smart cities, smart utilities, IoT and industrial IoT (IIoT) applications.

The post Wi-SUN Alliance report: IoT security fears fall by over 30% in the last five years appeared first on IoT Business News.

Crypto Quantique announces first post-quantum computing IoT security platform compliant with new NIST standards https://iotbusinessnews.com/2022/07/15/46134-crypto-quantique-announces-first-post-quantum-computing-iot-security-platform-compliant-with-new-nist-standards/ Fri, 15 Jul 2022 09:21:25 +0000 https://iotbusinessnews.com/?p=38073

Crypto Quantique announces first post-quantum computing IoT security platform compliant with new NIST standards

Crypto Quantique, a specialist in quantum-driven cybersecurity for the internet of things (IoT), announces a post-quantum computing (PQC) version of its QuarkLink chip-to-cloud IoT security platform.

The upgraded platform is believed to be the first to use post-quantum algorithms recently announced for standardization by the National Institute of Standards and Technology (NIST), particularly the chosen key encapsulation mechanism (KEM), CRYSTALS-Kyber.

As part of its recent announcement on post-quantum standards, NIST focused on the applicability of the schemes to embedded devices, including benchmarks of all schemes on the ARM-Cortex M4, demonstrating that post-quantum security on the IoT is a realistic goal. Elsewhere, NIST standardized multiple signature schemes, including both lattice- and hash-based signatures, and suggested algorithms of future interest that may be standardized later. Crypto Quantique’s KEM-TLS protocol is designed to be flexible and can easily be adapted to these changing standards.

QuarkLink is a comprehensive platform for connecting IoT devices with an embedded root-of-trust to server-based applications. Its functions include device provisioning, automated secure onboarding to applications, and lifetime security management. Via a simple interface, users can achieve firmware encryption, signing and secure updates over-the-air, certificate and key renewal, and device revocation. A few keystrokes initiate an automated process for onboarding thousands of devices in minutes to a server platform, or to multiple platforms simultaneously. AWS, Microsoft, and Mosquitto are among the cloud services currently supported.

QuarkLink post-quantum security diagram

Crypto Quantique worked on the post-quantum version of QuarkLink’s enrolment, relying on a custom, built-in-house variant of the novel KEM-TLS protocol developed with researchers at the Department of Computer Science at ETH Zurich. The research was led by Professor Kenny Paterson. The resulting variant of the KEM-TLS protocol is particularly suited to the IoT setting, as its reliance on KEMs as opposed to post-quantum digital signatures lowers bandwidth costs and increases efficiency, without compromising security.

Crypto Quantique CEO, Shahram Mossayebi, said:

“Many IoT installations have a projected operating life of ten years or more. During that time, we will see the emergence of quantum computers that will make cyberattacks on IoT devices several orders of magnitude more powerful than they are today.”

“We have already developed a quantum-driven root-of-trust technology for semiconductors that will provide the foundation for secure IoT networks. By ensuring that QuarkLink runs the most advanced post-quantum algorithms, we will provide our customers with unbreakable end-to-end security. Our first demonstration of a post-quantum version of QuarkLink shows how easy we can make it for customers to achieve IoT device security at scale, whatever hackers throw at them, now or in the future.”

Kenny Paterson, Professor of Computer Science at ETH, commented: “It’s been very exciting working with the Crypto Quantique team to research and develop PQC protocols, and to see our research ideas entering deployment in such a short space of time. Kudos to Crypto Quantique for being the first to market with solutions offering security for the long term.”

The post Crypto Quantique announces first post-quantum computing IoT security platform compliant with new NIST standards appeared first on IoT Business News.

Senet and Eclypses Partner to Utilize MTE Technology and Provide Security to Data-in-Transit to the IoT Market https://iotbusinessnews.com/2022/07/05/60665-senet-and-eclypses-partner-to-utilize-mte-technology-and-provide-security-to-data-in-transit-to-the-iot-market/ Tue, 05 Jul 2022 13:39:05 +0000 https://iotbusinessnews.com/?p=37996

Senet and Eclypses Partner to Utilize MTE Technology and Provide Security to Data-in-Transit to the IoT Market

Collaboration Provides Added Level of Security to Highly Scalable Critical Infrastructure and Essential Business Applications.

Senet, Inc., a leading provider of cloud-based software and services platforms that enable global connectivity and on-demand network build-outs for the Internet of Things (IoT) and Eclypses, a Boston-based leader in end-point data protection and developer of MTE® technology, today announced a collaboration to provide advanced FIPS 140-3 validated security solutions to the IoT ecosystem.

Eclypses’ patented MTE technology is designed to meet the needs of highly scalable, low-power, widely dispersed IoT end points, delivering an added level of security for critical infrastructure and essential business applications that require it. Utilizing the Eclypses Cryptographic Library (ECL), MTE uniquely delivers enhanced end-to-end security capabilities such as verification of each endpoint connection and uniquely protected data packets with no change to the user experience and minimal impact on system resources.

Through this collaboration, Senet customers can purchase Eclypses’ enhanced digital security as an integrated element of Senet’s network services. Eclypses also offers IoT device manufacturers the ability to enable their devices with MTE security at the point of manufacture or through a firmware update.

“Senet has a committed history of augmenting the already strong LoRaWAN security capabilities through integrations with world-leading security solution providers,” said Bruce Chatterley, CEO of Senet. “With device and data security increasingly becoming a leading topic of discussion with utility, municipal, and large enterprise customers, we are pleased to be partnering with Eclypses to offer the latest innovations in security designed for highly scalable IoT solutions and environments.”

Unlike other solutions that stop at monitoring, Eclypses takes a proactive approach to secure IoT data to the highest level in anticipation of all types of threats. Eclypses’ layered security approach includes ECL (Eclypses Cryptographic Library), a FIPS 140-3 cryptographic library that provides consistent security for all offerings across all platforms; MTE (MicroToken Exchange), a patented technology that uses ECL to randomize and replace data with random streams of values; and MKE (Managed Key Encryption), which uses ECL to randomly replace and encrypt data with single-use encryption keys generated by MTE.

“With billions of IoT devices already connected and billions more due to be deployed in the next few years, having a well-defined security strategy is a must for device manufacturers, network operators, and end users alike,” said David Gomes, COO of Eclypses.

“Senet is an established leader in the LoRaWAN ecosystem and we’re excited to be collaborating to deliver enhanced security options to one of the fastest growing segments of the IoT market.”

The post Senet and Eclypses Partner to Utilize MTE Technology and Provide Security to Data-in-Transit to the IoT Market appeared first on IoT Business News.

Over 100 million Connected Car Shipments Projected by 2027 Underscores the Need for Secure Telematics and Vehicle Cybersecurity https://iotbusinessnews.com/2022/05/05/68411-over-100-million-connected-car-shipments-projected-by-2027-underscores-the-need-for-secure-telematics-and-vehicle-cybersecurity/ Thu, 05 May 2022 14:03:56 +0000 https://iotbusinessnews.com/?p=37599

Over 100 million Connected Car Shipments Projected by 2027 Underscores the Need for Secure Telematics and Vehicle Cybersecurity

Secure telematics data management to enhance intelligence operations and unlock monetization opportunities in V2X.

Optimizing services for secure data management in connected vehicle telematics is vital to further hone intelligence operations and unlock new IoT security monetization in V2X applications, according to a new report by global technology intelligence firm ABI Research.

“Telematics applications stand at the very core of car OEMs’ intelligence strategy, producing an ever-increasing amount of data and supporting key operations including, among others, fleet management, vehicle connectivity optimization, firmware-over-the-air (FOTA) updates, and predictive maintenance. While car OEMs partially adopt new security measures out of necessity due to compliance and regulatory requirements, the fact of the matter is that they do need to adapt V2X applications to meet the demands of the greater IoT ecosystems. OEMs are steadily starting to recognize the value of having a security-first approach in connected vehicles,” explains Dimitrios Pavlakis, Senior IoT Security Analyst at ABI Research.

Secure telematics data management can be tackled by adopting a more unified approach. Rather than simply “pushing” security to the cloud, secure telematics need to originate in the vehicle itself. Vehicle systems are evolving into a highly complex and interconnected network spanning multiple control/processing units, generating an ever-increasing amount of data, and funneling it into one component geared for external communications: the Telematics Control Unit (TCU).

Every single data point captured by vehicle systems and gateways, communicated through cellular networks, and analyzed in the cloud by car OEMs and Telematics Service Providers (TSPs) originates from TCU communication modules. A simple eSIM incorporated into telematics devices is enough to secure external communications for many telematics suppliers and car OEMs.

Pavlakis says:

“It is astonishing that automotive data security management rests on this unique technology when the monetization opportunity is significantly higher. The concept of “simply embedding the TCU with an eSIM” is merely a connectivity-enabler, not a scalable security approach.”

Many automotive market players rely very heavily on cloud security to ensure their customer and end-user data is properly gathered, stored, and managed. However, there are multiple value chains prior to the cloud, starting with identity issuance at the manufacturing stage for telematics devices, secure firmware installation and code issuance for software components, certificate management and proper ownership migration, provisioning, and onboarding, establishing trust with third-party services, streamlining in-vehicle network operations, privacy, and secure data management, among many others.

Pavlakis concludes, “There is no future scenario in the era of the software-defined vehicle that excludes the further investment of hardware, software, and network security options. Obtaining reliable telematics data and protecting vehicle communications directly contributes to data monetization and aligns with the future of V2X and intelligent vehicle processes.”

Companies leading in the space are offering telematics-specific eUICCs and embedded firmware solutions (Thales), embedded hardware security for V2X (Infineon), connectivity platforms and Vehicle SoCs (Ericsson), high-tier security connected vehicle network and data security (BlackBerry), and software-defined vehicle and security architecture consulting services (Tata Elxsi and Upstream).

The post Over 100 million Connected Car Shipments Projected by 2027 Underscores the Need for Secure Telematics and Vehicle Cybersecurity appeared first on IoT Business News.
