The days when our phones and computers were our only connected devices are gone. Now, everything from our watches to our refrigerators has an internet connection, and smart devices are an integral part of modern life. This has opened a whole new realm of possibilities and risks for cyberattacks, with consequences ranging from inconvenience to devastation. With predictions that the number of Internet of Things (IoT) devices will reach 50 billion by the end of 2030, it is vital to ensure the ongoing integrity and safety of these devices.
With these devices comes stored data, and a lot of it. IDC predicts the world’s data will grow to 175 zettabytes in 2025. For context, if you were to store 175 zettabytes on DVDs, your stack of DVDs would be long enough to circle the Earth 222 times. This again is causing a real need for security solutions that can keep data from individuals and enterprises safe from harm.
A great deal to lose
Of course, the more devices we have connected to the internet, the higher the risk of attack. There are more entry points for hackers to take advantage of, allowing them to infiltrate, damage, and disrupt. Someone looking to infiltrate one of your connected devices may not necessarily be interested in the data stored by your smart fridge, for example. Still, it may offer them a gateway to the rest of the network. This is what happened at a casino in 2018, as reported by Business Insider. Attackers used a connected thermometer inside a fish tank to get a foothold in the network. They then found the high-roller database on another system and pulled it across the network, out the thermostat, and up to the cloud. No matter how secure the rest of your network is, one vulnerable device can give attackers the opportunity they are seeking. When you consider that the average American has access to more than ten connected devices, the risk is evident.
Not only are there more entry points, but there is also more data for hackers to target. While phones and computers have always posed a risk, the recent explosion in connected devices offers so much more to those who have access to the network. Devices like smartwatches obtain highly personal data about our health, while household items like smart televisions and kitchen appliances know our preferences and habits. Moreover, any device with a camera or microphone offers a direct visual or audible gateway into our lives and may pose a very serious risk to privacy.
For businesses, cyberattacks can lead to devastating financial losses and irreversible damage. The 2020 attack on SolarWinds saw attackers access the infrastructure of SolarWinds, which produces a platform called Orion. They then used Orion to distribute trojanized updates to software users, gaining access to the systems of security organizations, universities and colleges, telecom operators, and US government departments. Not only does this kind of attack cause financial damage, with recent reports claiming cybercrime is now a trillion-dollar cost to the global economy, but it also has the potential to seriously harm a company’s reputation and impact the future of the business.
Incorporated attack prevention
There are ways to mitigate the risk of these kinds of attacks. Prevention methods built into devices are the best bet to protect the system throughout its entire lifecycle. With the implementation of proper definitions, architectures, and scenarios, the risk of attack to any number of connected devices can be greatly reduced. The Cyber Resilient Technologies (CyRes) work group at Trusted Computing Group (TCG) has released a new draft specification titled Cyber Resilient Module and Building Block Requirements, which provides a new layer of protection against cyberattacks.
By implementing the specification, vendors can develop a solid foundation for cyber resilience, mitigating the risk of potential attacks and protecting not only their consumers’ assets but their reputation and relationship of trust with those consumers. With the volume of IoT products currently on the market, and this number expected to rise, it is important to build these security measures into devices. Security cannot be an afterthought.
Recovering a compromised device
The CyRes specification also provides for the detection of malware and enables the recovery of a device once it has been compromised. This double layer of security means that if a device has already been infiltrated, users can quickly recover it without the need for time-consuming, manual efforts. For the average user without a deep understanding of cyber security, this makes cyber resilience accessible and provides a new level of assurance.
In business, when time is money, quick and simple recovery of connected devices is vital to minimize downtime and allow the continuation of activity. When you consider the number of connected devices due to enter the market in the next few years, individuals and businesses do not have time for frequent manual intervention.
Future devices are guaranteed to be configured using imperfect software that is already available. Combined with the number of devices that will either be physically inaccessible or lack an interface appropriate for performing a manual repair, this means that manual restoration will only become less feasible as time goes on.
The future of IoT
The future of IoT is dependent on having cyber resilience. This is why the CyRes work group has designed the concept of a Cyber Resilient Module for the protection and recovery of connected devices. The module could be implemented as part of a system on a chip that is the main hardware in a device, or inside a microcontroller unit that is a subcomponent installed within a larger, more complex system. The Cyber Resilient Module approach can recover the successive software layers and individual components found within a device; where several layers need their code and configuration serviced, they are recovered one after another. The specification is applicable to a multitude of simple IoT devices and to more complex systems like those with storage or peripheral device controllers.
Because it requires only a minimal set of capabilities or mechanisms, the specification is easy to implement. This means that devices can be built securely, even when there are significant limiting factors such as cost, form factor, power needs, or availability of an out-of-band management channel. Automated recovery reduces the need for manual intervention, saving the end-user time and money and making recovery accessible to those without the expertise to carry it out manually. The structure of the document also allows for further development and additions of architectures and platform-specific requirements in the future.
Ensuring Cyber Resilience for IoT
This specification marks a significant step forward in the security of billions of devices and the subsequent protection of data stored by individuals, organizations, and government bodies worldwide. As the number of connected devices continues to soar and more data is collected than ever before, end-users deserve the assurance that their devices are as secure as possible against cyberattack. By building cyber resilience architecture into connected devices, this assurance is provided from the outset, preventing attacks and protecting the ever-increasing amounts of data that we choose to store.
- Protecting a Connected World with Cyber Resilience - March 2, 2022