IoT FEATURE NEWS

Standards for Security in IoT

By Special Guest
Lev Lesokhin, Executive Vice President of Strategy for CAST
September 09, 2015

Despite the current hype, it remains almost a certainty that the Internet of Things (IoT) is here to stay. Interconnected appliances, objects and networks provide businesses, consumers, investors and development teams with endless opportunities: connected cars, smart watches, and other automated devices are flourishing. Analysts predict that by 2019, it will add $1.7 trillion in value to the global economy.

Proponents of IoT see it as being filled with incredible opportunities; ironically, so do cybercriminals. In July, hackers took control of a Jeep Cherokee – specifically, its software – and remotely manipulated its transmission, radio and air conditioning. It led to a recall of 1.4 million vehicles and raised a multitude of concerns. This summer, the FDA told healthcare organizations to stop using a drug infusion pump because software vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers.” We’re talking about two incidents where life hangs in the balance if the software gets into the wrong hands. Worried yet?

The consequences aren’t always as dramatic, but they can still be detrimental. Last year, a refrigerator was discovered among a ‘botnet’ of more than 100,000 connected devices, sending more than 750,000 spam emails. Annoyances like this may not result in death, but they can certainly damage a business’ reputation. More importantly, it may be only the tip of the iceberg… a harbinger of other hacks to come in IoT.

The blame for these glitches gets placed on the software. It’s invisible, complex and almost impossible to entirely protect from disruptions and breaches. In IoT, those complexities are even larger. But they can be managed. For any organization developing a product to be used in IoT, understanding the importance of a secure architectural foundation for all software and insisting that developers comply with industry standards must be the first line of defense.

Even the smallest device in IoT may contain hundreds of thousands to millions of lines of code. For example, today’s typical pacemaker contains approximately 100,000 lines of code. Putting it into perspective, the latest Mac OS X has more than 80 million lines of code.

With such large quantities of code, coupled with pressure from the boardroom to deliver products to market, developers have to move quickly. More open source and third-party components are being used, and large parts of the development team are often outsourced to get application functionality to where it needs to be. Hence, overseeing and reviewing vulnerabilities in the final product stage is essential, yet too often overlooked in the rush to market. That’s the challenge in a nutshell: sacrificing quality and dependability for speed must no longer be tolerated as the status quo.

The ‘make do’ attitude coupled with the quick add-ons to existing software configurations can make a tremendous impact on technical debt – potentially exceeding the cost of doing it properly.

On average, it costs $7,600 to fix one security bug found in production, so such bugs are often ignored. However, one breach or shutdown can cost millions to fix AFTER the fact. The cost of a data breach is $7.2 million, and the average cost of an application failure is $500K to $1 million per hour. This doesn’t include potential secondary and tertiary costs like loss of customers, potential legal ramifications or share price decline.

Diligence begins with testing – more specifically, quantifiable analysis and measurement of an application’s source code. Proper code review and repeat analysis are the keys to creating a secure foundation. Manufacturers need to communicate this priority to development teams and call for stricter software quality measures. One bad miscommunication between an application, a sensor and a hardware device can cause systemic failure. Any manufacturer that doesn’t have a set of analytics to track its software risk – be it reliability, security or performance – can be argued to be guilty of negligence in its responsibility to customers and even its fiduciary duty to shareholders.
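To make “quantifiable analysis and measurement of an application’s source code” concrete, here is a small, added example (not code from the article, from CAST, or from CISQ) of a line-based static check that turns a source file into a handful of metrics a manufacturer could track release over release. It scans two constructed C snippets, a naive device handler and a hardened rewrite of it, for a few well-known weakness patterns, reports findings per thousand lines of code, and applies a pass/fail gate. The rule set, regexes, CWE choices, sample code and the `load_api_key` helper are all assumptions made for this example; real measurement tooling parses the code properly rather than matching lines.

```python
"""Toy source-code measurement pass over constructed C snippets.

Assumption: the rules and both sample sources are constructed for this
example; they are not CISQ/OMG rules or any vendor's checks.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed "before" sample: a naive packet handler for a connected device.
SAMPLE_C_SOURCE = """#include <stdio.h>
#include <string.h>

#define API_KEY "hunter2-static-key"

void handle_packet(const char *payload) {
    char buf[64];
    strcpy(buf, payload);
    printf(buf);
}

int read_config(char *line) {
    gets(line);
    return 0;
}
"""

# Constructed "after" sample: bounded copies, fixed format strings, and the
# key fetched at runtime through a hypothetical load_api_key() helper.
HARDENED_C_SOURCE = """#include <stdio.h>
#include <string.h>

extern const char *load_api_key(void);   /* e.g. from a secure element */

void handle_packet(const char *payload) {
    char buf[64];
    snprintf(buf, sizeof buf, "%s", payload);
    printf("%s", buf);
}

int read_config(char *line, size_t size) {
    if (fgets(line, (int)size, stdin) == NULL) {
        return -1;
    }
    return 0;
}
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    cwe: str
    text: str


# (rule id, MITRE CWE id, line regex). The regexes are deliberately simple
# heuristics: unbounded C string/IO calls, printf() with a non-literal
# format argument, and #define'd credential-looking string constants.
RULES = [
    ("unbounded-copy", "CWE-676",
     re.compile(r"\b(?:gets|strcpy|strcat|sprintf)\s*\(")),
    ("format-string", "CWE-134",
     re.compile(r"\bprintf\s*\(\s*[A-Za-z_]\w*\s*[,)]")),
    ("hardcoded-secret", "CWE-798",
     re.compile(r'#define\s+\w*(?:KEY|PASS|SECRET|TOKEN)\w*\s+"')),
]

# Single-line comments are removed before matching so that a comment that
# merely mentions strcpy() does not count as a finding.
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")


def analyze(source: str) -> list:
    """Return one Finding per (line, rule) match, in file order."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = COMMENT_RE.sub("", raw)
        for rule, cwe, pattern in RULES:
            if pattern.search(code):
                findings.append(Finding(lineno, rule, cwe, raw.strip()))
    return findings


def measure(source: str) -> dict:
    """Summarise a file as the kind of numbers a dashboard would track."""
    findings = analyze(source)
    loc = sum(1 for line in source.splitlines() if line.strip())
    per_kloc = round(len(findings) * 1000 / loc, 1) if loc else 0.0
    return {
        "loc": loc,
        "findings": len(findings),
        "per_kloc": per_kloc,
        "by_cwe": dict(Counter(f.cwe for f in findings)),
    }


def passes_gate(report: dict, max_per_kloc: float = 0.0) -> bool:
    """Release gate: fail the build when weakness density exceeds the budget."""
    return report["per_kloc"] <= max_per_kloc


if __name__ == "__main__":
    for name, src in (("before", SAMPLE_C_SOURCE), ("after", HARDENED_C_SOURCE)):
        report = measure(src)
        print(name, report, "gate:", "PASS" if passes_gate(report) else "FAIL")
        for f in analyze(src):
            print(f"  line {f.line}: {f.rule} ({f.cwe}) -> {f.text}")
```

Run twice, once per sample, the same check shows the “repeat analysis” the paragraph calls for: the naive handler fails the gate on four findings, the hardened version produces none, and the per-KLOC density is the number that can be reported upward without anyone having to read C.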

In addition to measurement and analytics, education should be a priority. One way to improve development standards is by communicating with our peers about the direct link between software quality and security. Developers should be up to speed on the latest set of standards adopted by the Object Management Group. The global initiative proposed by the Consortium for IT Software Quality (CISQ) will help companies quantify and meet specific goals for software quality. The CISQ/OMG measurement standards include security, reliability, performance, and maintainability. This will allow businesses to ‘certify’ the quality of their codebases and IoT networks.

So, in the Internet of Things, the software assurance burden on the software that powers the interaction between a myriad of devices is higher than ever. If the software isn’t continuously monitored and the code evaluated, its ultimate failure is almost certainly guaranteed. Scrutinizing the code for potential vulnerabilities and entry points is a necessity - whether the application is business-based, consumer-focused, enterprise, mobile, or embedded in a remote device like a car. Being proactive versus reactive may actually save lives or, at the very least, keep your inbox free of letters from Nigerian princes.

Author Bio
Lev Lesokhin is Executive Vice President of Strategy for CAST. He is responsible for market development, strategy, thought leadership and product marketing worldwide. He has a passion for making customers successful, building the ecosystem, and advancing the state of the art in business technology. Lev previously held positions at SAP, McKinsey & Company, and at the MITRE Corporation. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute, and an MBA from the MIT Sloan School of Management.

Edited by Ken Briodagh