Talking IoT recently interviewed Tiago Monte, Developer Marketing Manager for Nordic Semiconductor, about IoT device security and its importance.
1. Why is security in IoT important?
While IT hardware and software security has dramatically improved, unfortunately, the same cannot be said of IoT devices. That makes the network an enticing target for cybercriminals. Experts say 2021 was the year of ransomware, but things changed in 2022 as the cybercriminals realized the estimated 17 billion IoT devices represent relatively easy pickings. By 2025, there will be almost 42 billion of those devices, according to analyst firm IDC. While this growth is good for consumers and the sector in general, it has a downside: the volume of connected devices means an even bigger target for the bad guys.
The more connected devices there are, the larger the so-called ‘attack surface’, or number of potential vulnerable targets an attacker can seek to exploit. Secondly, the large volumes of data generated by and transferred between connected IoT devices are themselves a rich target for interception. IoT devices with minimal defences represent entry points for attacks on critical infrastructure such as smart grids and other utilities.
2. What are the consequences of not having security in IoT devices?
While security represents a cost that must be considered part of overall IoT product development, the cost of an exploitable vulnerability can be many times higher. For example, the negative impact of successful attacks on IoT devices can take many forms, from loss or theft of valuable data or intellectual property (IP) to costs to fix exposures in products or services, damaged reputation, loss of customers, and payment of fines and penalties.
Furthermore, security breaches of individual IoT products threaten not only the prosperity of the companies making vulnerable products, but they also impact entire product categories by giving them a reputation for being insecure. Such a reputation affects consumer confidence in IoT devices at large and slows adoption.
Worse yet, there’s the danger to personal safety. Security researchers have long raised hacking fears involving connected medical devices such as pacemakers and insulin pumps. And there have been instances of mass vehicle recalls after connectivity software security flaws that might compromise safety have been discovered. Video baby monitors and home security cameras have also been subject to compromise due to security failings.
3. What are the main challenges when ensuring IoT devices are secure?
One of the reasons that the IoT has taken off is that it is relatively simple and inexpensive to connect anything to the network. That makes it enticing for companies to do it but dramatically increases the attack surface. But security costs, and the temptation is to keep the bill down by implementing minimal or even zero protection. Whereas people can see the value in the database stored on a large Cloud server, they find it harder to justify a high level of security for a mundane device such as a smart temperature monitor. But if left unprotected, such a device is an open doorway into a business’ wider network.
There are technical issues too; IoT devices have much more limited resources in terms of computing power, memory and energy compared to larger electronic products, which often leads to simplified or lightweight security implementations. That makes even devices with a degree of protection vulnerable to sustained attack.
Manufacturers also struggle to implement good protection because until recently there has been a lack of enforceable regulations that guarantee a minimum level of security across all IoT products and no standardized approach to design, implementation, and certification. But that is now changing. For example, a weakness that’s now being addressed is a mechanism to make it easier to download regular software updates to provide security patches.
4. How can secure IoT products be designed?
The key to designing secure IoT products is to ensure protection is considered and addressed in the early stages of product design, in the same way a designer might consider functional and non-functional requirements such as battery life or user interface, for example. The wireless protocols used in the IoT have evolved from having security as optional, to having security built into the specifications by default. And it’s not just at the data exchange level but at the device level too, with features such as secure boot and secure firmware updates.
However, with enough time, money and motivation, any IoT system can be breached. That makes security a balance between cost and risk. Moreover, implementing security for an IoT application requires a specific engineering skillset, additional chip resources, and a secure production environment.
That said, the chip vendor can help by ensuring the silicon and software include a degree of inherent protection. Nordic Semiconductor, for example, has identified a set of basic security objectives that are built into its products by default. These features include ensuring only authorized software can be executed and updated on a device, separating trusted and untrusted services on devices, and secure storage to ensure confidentiality and integrity of data and assets.
One challenge that has caused problems in the past is security confusion due to a lack of enforceable regulations that guarantee a minimum level of security across all IoT products and no standardized approach to design, implementation and certification. However, regulations and standards are now being adopted to set a baseline for IoT security. In many markets this baseline will be a mandatory requirement.
5. How does Nordic support customers with understanding security needs in IoT?
As an active member of the Connectivity Standards Alliance—an organization that develops, evolves and promotes universal open standards that enable secure connectivity—Nordic is contributing towards the development of a new global product security certification program which aims to harmonize global product security requirements. The Alliance’s product security certification program should enable product manufacturers to demonstrate compliance in different markets with a single certification, for example, by covering the U.S. Cyber Trust Mark requirements.
The initial focus of the CSA Product Security Certification program is on Consumer IoT products in the Smart Home, and it addresses the requirements from ETSI EN 303645, NIST IR 8425 and the Singapore Cybersecurity Labelling scheme.
In addition, Nordic Semiconductor is committed to providing hardware, software and services to empower all developers to build secure connected products. In partnership with the Connectivity Standards Alliance Product Security certification program, Nordic has committed to providing hardware and software to enable the development of products which can be certified as meeting product security requirements.
The foundation of security for any connected product is its Root of Trust. To demonstrate the robustness of Nordic’s solutions and reduce customer certification requirements, we undertake PSA Certification of Silicon and Root of Trust. PSA Certifications have been achieved for the nRF52840 and nRF5340 advanced multiprotocol SoCs, and the nRF9160 cellular IoT SiP. PSA (Platform Security Architecture) is an organization that offers a framework for securing connected devices.
Nordic’s recently announced nRF54H20 next-generation SoC is designed from the ground up to meet the requirements of PSA Certified Level 3, the highest level of PSA Silicon and Root of Trust certification. The SoC features built-in physical security features for robustness against side-channel and tamper attacks.
Tiago Monte is a Developer Marketing Manager at Nordic Semiconductor. With over 8 years of experience in the semiconductor industry, he has held roles in customer applications support, product management, and most recently in product marketing. Tiago’s focus areas include Nordic’s nRF Connect SDK, nRF Connect tools ecosystem, as well as cyber security. He strives to create content that excites and supports developers building and going to market with secure and cutting-edge IoT devices based on Nordic’s product portfolio.