Report: 2022 will be a turning point for IoT security

Internet of Things (IoT) security remains one of the major cybersecurity challenges for 2022 and years ahead. Still, organizations and buyers seem to move towards a conviction that security is foundational and not optional for connected devices and IoT projects.

Cybersecurity concerns and increasing cyber risks have slowed down digital transformation and the adoption of several technologies enabling it for many years now. Whether it concerns moving to the cloud or adopting cyber-physical systems in smart manufacturing and Industry 4.0, security remains a worry for many, and with reason.


When it comes to the Internet of Things (IoT), cybersecurity concerns are often even more significant, whether in the context of Industrial IoT (typically the area of Industry 4.0), Consumer IoT, or everything IoT in between.

Cybersecurity as a top business priority – impact on IoT

Not long ago, we wrote that industrial cybersecurity is years behind, and IoT security has a standards issue. Yet, things seem to have changed as the number of IoT devices and cyber-physical systems continues to grow and the digital footprint and total enterprise attack surface expand as a result.

Security will no longer be a secondary concern – rather, it’ll be proactively placed at the center of any IoT strategy, whether you’re buying devices or making them (PSA Certified)

At the very least, the will and awareness seem to be there, looking at the PSA Certified 2022 Security Report. According to the report, there is a ‘positive turning point’ for security, with organizations placing it at the center of IoT strategy and organizational culture.

The study by PSA Certified, a global cybersecurity ecosystem of organizations that want to build security best practices into devices at scale proactively, makes some bold predictions. The organization predicts that this year “will mark a turning point in securing the Internet of Things, as the industry collectively commits to addressing the historical lag between the rate of digital transformation and the speed of securing the ecosystem.” And it calls for increased collaboration to do so, speed up adoption of IoT, and scale IoT cybersecurity.

The fact that cybersecurity has become a top business priority (and many boards of directors seem to view security and risk management as a business risk) isn’t the only reason for this change.

IoT and the expanding attack surface as rising cyber risks demand change

While almost 9 in 10 deem security in their top three business priorities and 42 percent of those rank building a ‘security-first culture’ as their top organizational priority, there are more underlying reasons why the IoT cybersecurity changes seem to happen.

This report is an important reminder that security must be integrated into every device, process, company and culture if we are to take advantage of its potential as an enabler of digital transformation – and that continued industry collaboration around security best practice is critical to driving this forward (David Maidment, senior director, Secure Devices Ecosystem at Arm, PSA Certified co-founder)

One is the continuously growing cyber risk that forces the industry to keep upping the ante. In an industrial IoT context, it suffices to see what happened during the pandemic and what happens now in a new geopolitical reality.

A second factor is increased consumer expectations per the PSA Certified 2022 Security Report. According to the survey, 83% of respondents look for specific security credentials when buying connected products.

Expectations, of course, are also high among professional buyers who need to watch over the cybersecurity of IoT projects in the business and complex industrial environments, with the latter often being critical.

Consumer IoT is now the leading IoT segment, though, and here as well, the pandemic played a vital role in the shift to ‘remote everything’ that is still felt in areas like hybrid working and the future of work. The PSA Certified 2022 Security Report found that “over a third of companies believe distributed working has increased the likelihood of an IoT hack.”

90% of respondents have increased the importance placed on security in the past 12 months, almost 9 in 10 deem security in their top three business priorities and 42% of those rank building a ‘security-first culture’ as their top organizational priority.

Moreover, as the enterprise attack surface grows, and because Enterprise and Industrial IoT typically operate in ecosystems, there is an increased risk of supply chain attacks. Per the report, “one in five respondents work for companies that had been victims of hacks due to vulnerabilities in third-party products or services.”

And these are, indeed, the perfect entry door for any malicious hacker looking to attack several organizations simultaneously, causing more harm, whether it’s by taking out infrastructure or large-scale ransomware attacks.

Why cybersecurity matters in IoT and the value/cost challenge

For years, we’ve been saying that holistic and risk-oriented cybersecurity is a must in any digital transformation strategy.

Only 31% of technology decision makers feel “very satisfied” with their level of security expertise in-house and ‘a lack of security specialists’ ranked in the top three barriers to IoT security.

And it’s no different with an IoT strategy. Why? First, the attack surface is getting bigger and bigger with IoT, making buyers ever more concerned. Second, we’ve seen many media stories on poorly secured devices and vulnerabilities in IoT devices, with buyers wanting better. Third, as cyber attacks continue to increase, companies have little choice but to optimize security. And then, there are issues such as regulations, compliance, and the fact that cybersecurity has become more important overall.

But of course, there is also a commercial aspect. A security culture is seen as crucial to protect companies from cyber risks, but it is also recognized as a driver of commercial value.

Nearly all (96% to be precise) tech decision-makers say that building security into their products positively impacts the bottom line. In addition, about seven in 10 respondents say they can charge a premium for that built-in security.

Debunking the myth that consumers are purely driven by product features and price, a majority (83%) of respondents state they look for specific security credentials when buying connected products.

More than half of the 1,038 study participants believe that implementing cyber security in their IoT products makes people more confident in those products. Four in 10 of the respondents also say it helps them – at least for now – differentiate their products, allowing them to sell and ship higher volumes.

Could they do more? Yes. But there is also the reality of costs and competition. Per PSA Certified, “nearly a third of those asked identified cost as inhibiting them from implementing stronger security, while perceived expense and a lack of ROI were the biggest barriers to conducting external lab testing.” And this is despite the fact that most accept that IoT security commands a premium and that only 31% of technology decision-makers feel “very satisfied” with their level of security expertise in-house. Yet, external labs and experts are more expensive, also because of the cybersecurity expert shortage. Let’s also not forget that IT and OT security are somewhat different from IoT security.

“The cost of IoT insecurity remains higher than it’s ever been. As we reach a positive turning point for IoT security, best practice guidelines, a common language around security and the use of trusted components will help streamline costs and further level the security playing field in 2022.” (David Maidment)

Unlocking the potential of IoT with cybersecurity guidance, education, and certification

According to the PSA Certified 2022 Security Report, the desire for guidance is also higher than ever. For example, 96% of respondents stated they would be interested in an industry-led set of guidelines on IoT best practices.

Participants ranked security frameworks (more on the PSA Certified framework below) and step-by-step guides as the most helpful tools for deploying secure products to market, “underlining the criticality of education and support in shaping a more secure IoT.”

There also seems to be a clear need for a common language around security, with three-quarters of respondents looking for specific security credentials when buying on behalf of their company, but 68% admitting that they don’t know which to look for.

With over half of respondents admitting that security implementation certification relies upon internal validation, third-party certification will, per PSA Certified (which plays a role here, of course), provide a clear security marker across the value chain. Almost a third of respondents also claim that customers and end-users demand it, 34% find it benefits reputation, and 39% think it improves product security.

PSA Certified has a security framework, an initiative spearheaded by Arm. In a blog post, Arm’s Director of Secure Devices Ecosystem, David Maidment, talks about the report and covers some elements of the framework.

On top of the PSA Certified certification program (so, external certification), it includes, among others, free threat modeling examples and independent testing of chips, software, and devices.


“This report should serve as an eye-opener to IoT device makers who not only need product security today but need to use defence in depth to help support long product lifespans.” (Erik Wood, Director of Microcontroller Security, Infineon)