Arm Newsroom Blog

High Price to Pay for Prioritizing Time to Market over Security

Companies must make securing IoT solutions a fundamental part of the design process or face security debt
By Arm Editorial Team
Smart Device

Picture the scene: Faced with dwindling reserves and a pre-Christmas delivery date, your finance team proposes redirecting budget towards functionality and away from the ongoing management and security aspects of your latest product.

It might seem like a no-brainer: The device hits holiday shelves on time and on budget and a mid-January over-the-air (OTA) firmware update takes care of any security concerns.

Sound familiar? You’d certainly not be alone if it did. Many companies have historically weighed investment in securing Internet of Things (IoT) solutions against the cost of extending their time to market or introducing design complexity, and opted to prioritize speed to market.

It’s a common mistake where companies ignore the inevitable and store up ‘security debt’. Focus is placed upon the development and deployment of devices at scale, yet hardly any attention is paid to the ongoing support and eventual retirement of devices.

This is very much a case of short-term gain, long-term pain. Without regular updates, devices and services will decay—becoming increasingly distanced from current standards and very quickly falling out of step with industry-level security vulnerability discoveries and fixes.

End users can become victims when devices become ‘orphaned’ or abandoned because other parties cease trading or retire support. As a result, they lose trust in your brand, losing you further custom and shrinking that product development budget even further. The cycle continues.

Security is not optional

By having clear access to device management and contractual support for end-of-life, enterprises and supporting IoT companies have a better way to transfer ownership, modify configurations and ensure that systems don’t become abandoned, creating a security risk.

Having visibility of a device’s security exposure in a regular, consistent manner also offers peace of mind for consumers, while offering a reasonably clear pathway to device retirement.

Yet consumer trust remains far too low. In the Arm 2020 Predictions Report, we noted that when it comes to securing IoT solutions, less than a quarter of respondents feel that tech companies are doing enough.

Providing a clearly-managed solution to consumers is one way to demonstrate commitment to security. Consumers are willing to pay for it, too: two thirds of respondents said they’d pay more for a truly secure device.

So why are devices still reaching the market that don’t meet stringent security requirements? In order to shed some light on this critical topic, Arm has commissioned David Rogers MBE, IoT security expert and founder of Copper Horse Ltd.

In the resulting white paper, Securing IoT Solutions by Design, David offers an impartial guide to securing IoT solutions by design. Having chaired the Fraud and Security Group at the GSMA and the Executive Board of the Internet of Things Security Foundation, and having been awarded the MBE for services to Cyber Security in the Queen’s Birthday Honours 2019, he is well placed to highlight trends from a range of industries and offer best practice to those embarking on their own secure digital transformations.

Security debt is just one concept in a white paper that’s rife with contradictions:

We want to secure devices, but we’re unsure of how to go about it

System Architects, Operational Executives, Product Managers, and Developers understand that a device management platform has a role to play in securing IoT solutions and the ecosystem they exist in. But few understand ‘why’ it’s so important and ‘how’ to adopt this approach in a secure, streamlined and scalable fashion.

Simple hacks can be the hardest to protect against

Device hacks are becoming increasingly frequent, but you’d be surprised by the simplicity of some attacks. Conversely, the protection of diverse device types is no easy task, especially when an enterprise’s duty of care lasts not just to the point of sale, but for the device’s entire life cycle.

Disparate device types governed by a single standard

The white paper predicts the adoption of homogeneous standards to be endorsed by various industries and their IoT solutions. Whilst the ETSI Technical Specification TS 103 645, Cyber Security for Consumer Internet of Things, was designed for consumer products, it combines an array of principles that can protect any IoT deployment.

We want more, but only if it’s risk-free

Governments and consumers the world over recognize that companies are not going far enough in securing IoT solutions, and governments are feverishly preparing regulation and certification schemes to mitigate risk as device estates grow exponentially. Copper Horse predicts it is extremely likely that we will see the first device being rejected by either legislators or consumers themselves on the grounds of lax security before 2025.

Many IoT products are failing even on the basics

Recent examples include more than 1 million DAB radios leaving unnecessary, outdated protocols such as Telnet open to attack, and 600,000+ GPS trackers operating with the same default password of 123456.

Not knowing that devices are being hacked, or even that attempts are being made against them, is negligent. The functionality to manage these devices must also be implemented correctly; otherwise, it risks becoming just another security loophole.

Perhaps the most important, yet difficult task for a business to accomplish in securing IoT solutions is device provisioning and IoT system enrolment. It’s best to perform this remotely and in a simple, but secure fashion. It could be that provisioning is via self-enrolment by the customer or during a commissioning process by another company or maintenance engineer.

So many companies, so few points of contact

Research conducted by Copper Horse (on behalf of the IoT Security Foundation in 2018) discovered that, despite the boom in companies deploying IoT devices, fewer than 10 percent of IoT companies have a straightforward way for security researchers to interact with them, or to securely manage or update devices, leaving both users and manufacturers exposed in the event of a major breach.

The white paper details how even subconscious decisions made during development can undermine the long-term security of a system, and how providing little to no aftermarket support undermines a secure post-deployment life cycle.

Read Copper Horse’s Securing IoT Solutions by Design white paper to learn how enterprises can develop a device life cycle that’s secure by design whilst introducing scalability, security, and longevity for your device ecosystem.


Any re-use permitted for informational and non-commercial or personal use only.

Editorial Contact

Brian Fuller and Jack Melling