Standards for Security in IoT

By Special Guest
Lev Lesokhin, Executive Vice President of Strategy for CAST
September 09, 2015

Despite the current hype, it remains almost a certainty that the Internet of Things (IoT) is here to stay. Interconnected appliances, objects and networks provide businesses, consumers, investors and development teams with endless opportunities: connected cars, smart watches, and other automated devices are flourishing. Analysts predict that by 2019, it will add $1.7 trillion in value to the global economy.

Proponents of IoT see it as being filled with incredible opportunities; ironically, so do cybercriminals. In July, hackers took control of a Jeep Cherokee (specifically, its software) and remotely manipulated its transmission, radio and air conditioning. It led to a recall of 1.4 million vehicles and raised a multitude of concerns. This summer, the FDA told healthcare organizations to stop using a drug infusion pump because software vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers.” These are two incidents where lives hang in the balance if the software falls into the wrong hands. Worried yet?

The consequences aren’t always as dramatic, but they can still be detrimental. Last year, a refrigerator was discovered among a ‘botnet’ of more than 100,000 connected devices that sent more than 750,000 spam emails. Annoyances like this may not result in death, but they can certainly damage a business’s reputation. More importantly, this may be only the tip of the iceberg, a harbinger of other hacks to come in IoT.

The blame for these glitches gets placed on the software. It’s invisible, complex and almost impossible to protect entirely from disruptions and breaches. In IoT, those complexities are even greater. But they can be avoided. For any organization developing a product to be used in IoT, understanding the importance of a secure architectural foundation for all software, and insisting that developers comply with industry standards, must be the first line of defense.

Even the smallest device in IoT may contain hundreds of thousands to millions of lines of code. For example, today’s typical pacemaker contains approximately 100,000 lines of code. To put that in perspective, the latest Mac OS X has more than 80 million lines of code.

With such large quantities of code, coupled with pressure from the boardroom to deliver products to market, developers have to move quickly. More open source and third-party components are being used, and large parts of the development team are often outsourced to get application functionality to where it needs to be. Hence, overseeing and reviewing vulnerabilities in the final product stage is essential, yet too often overlooked in the rush to market. That’s the challenge in a nutshell: sacrificing quality and dependability for speed must no longer be tolerated as the status quo.

The ‘make do’ attitude, coupled with quick add-ons to existing software configurations, can have a tremendous impact on technical debt, potentially exceeding the cost of doing it properly in the first place.

On average, it costs $7,600 to fix one security bug found in production, so it is often ignored. However, one breach or shutdown can cost millions to fix AFTER the fact. The average cost of a data breach is $7.2 million, and the average cost of an application failure is $500K to $1 million per hour. This doesn’t include potential secondary and tertiary costs like loss of customers, potential legal ramifications or share price decline.

Diligence begins with testing, more specifically quantifiable analysis and measurement of an application’s source code. Proper code review and repeat analysis are the keys to creating a secure foundation. Manufacturers need to communicate this priority to development teams and call for stricter software quality measures. One bad miscommunication between an application, a sensor and a hardware device can cause systemic failure. Any manufacturer that doesn’t have a set of analytics to track its software risk (be it reliability, security or performance) could be argued to be negligent in its responsibility to customers and even in its fiduciary duty to shareholders.

In addition to measurement and analytics, education should be a priority. One way to improve development standards is by communicating with our peers about the direct link between software quality and security. Developers should be up to speed on the latest set of standards adopted by the Object Management Group. The global initiative proposed by the Consortium for IT Software Quality (CISQ) will help companies quantify and meet specific goals for software quality. The CISQ/OMG measurement standards cover security, reliability, performance, and maintainability. This will allow businesses to ‘certify’ the quality of their codebases and IoT networks.

So, in the Internet of Things, the assurance burden on the software that powers the interaction between a myriad of devices is higher than ever. If the software isn’t continuously monitored and the code evaluated, its eventual failure is all but guaranteed. Scrutinizing the code for potential vulnerabilities and entry points is a necessity, whether the application is business-based, consumer-focused, enterprise, mobile, or embedded in a remote device like a car. Being proactive rather than reactive may actually save lives or, at the very least, keep your inbox free of letters from Nigerian princes.

Author Bio
Lev Lesokhin is Executive Vice President of Strategy for CAST. He is responsible for market development, strategy, thought leadership and product marketing worldwide. He has a passion for making customers successful, building the ecosystem, and advancing the state of the art in business technology. Lev previously held positions at SAP, McKinsey & Company, and at the MITRE Corporation. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute, and an MBA from the MIT Sloan School of Management.

Edited by Ken Briodagh
