Standards for Security in IoT


Despite the current hype, it remains almost a certainty that the Internet of Things (IoT) is here to stay. Interconnected appliances, objects and networks provide businesses, consumers, investors and development teams with endless opportunities: connected cars, smart watches, and other automated devices are flourishing. Analysts predict that by 2019, it will add $1.7 trillion in value to the global economy.

Proponents of IoT see it as being filled with incredible opportunities; ironically, so do cybercriminals. In July, hackers took control of a Jeep Cherokee, specifically its software, and remotely manipulated its transmission, radio and air conditioning. It led to a recall of 1.4 million vehicles and raised a multitude of concerns. This summer, the FDA told healthcare organizations to stop using a drug infusion pump because software vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers.” We’re talking about two incidents where life hangs in the balance if the software gets into the wrong hands. Worried yet?

The consequences aren’t always as dramatic, but they can still be detrimental. Last year, a refrigerator was discovered among a ‘botnet’ of more than 100,000 connected devices, sending more than 750,000 spam emails. Annoyances like this may not result in death, but they can certainly damage a business’s reputation. More importantly, it may be only the tip of the iceberg: a harbinger of other things, other hacks to come in IoT.

The blame for these glitches gets placed on the software. It’s invisible, complex and almost impossible to entirely protect from disruptions and breaches. In IoT, those complexities are even larger. But they can be avoided. For any organization developing a product to be used in IoT, understanding the importance of a secure architectural foundation for all software, and insisting that developers comply with industry standards, must be the first line of defense.

Even the smallest device in IoT may contain hundreds of thousands to millions of lines of code. For example, today’s typical pacemaker contains approximately 100,000 lines of code. Putting it into perspective, the latest Mac OS X has more than 80 million lines of code.

With such large quantities of code, coupled with pressure from the boardroom to deliver products to market, developers have to move quickly. More open source and third-party components are being used, and large parts of the development team are often outsourced to get application functionality to where it needs to be. Hence, overseeing and reviewing vulnerabilities in the final product stage is essential, yet too often overlooked in the rush to market. That’s the challenge in a nutshell: sacrificing quality and dependability for speed must no longer be tolerated as the status quo.

The ‘make do’ attitude, coupled with quick add-ons to existing software configurations, can have a tremendous impact on technical debt, potentially exceeding the cost of doing it properly in the first place.

On average, it costs $7,600 to fix one security bug found in production, so it is often ignored. However, one breach or shutdown can cost millions to fix AFTER the fact. The average cost of a data breach is $7.2 million, and the average cost of an application failure is $500K to $1 million per hour. This doesn’t include potential secondary and tertiary costs like loss of customers, potential legal ramifications or share price decline.

Diligence begins with testing, more specifically with quantifiable analysis and measurement of an application’s source code. Proper code review and repeated analysis are the keys to creating a secure foundation. Manufacturers need to communicate this priority to development teams and call for stricter software quality measures. One bad miscommunication between an application, a sensor and a hardware device can cause systemic failure. Any manufacturer that doesn’t have a set of analytics to track its software risk, be it reliability, security or performance, can be argued to be guilty of negligence in its responsibility to customers and even its fiduciary duty to shareholders.

In addition to measurement and analytics, education should be a priority. One way to improve development standards is by communicating with our peers about the direct link between software quality and security. Developers should be up to speed on the latest set of standards adopted by the Object Management Group (OMG). The global initiative proposed by the Consortium for IT Software Quality (CISQ) will help companies quantify and meet specific goals for software quality. The CISQ/OMG measurement standards cover security, reliability, performance, and maintainability. This will allow businesses to ‘certify’ the quality of their codebases and IoT networks.

So, in the Internet of Things, the software assurance burden on the software that powers the interaction between a myriad of devices is higher than ever. If the software isn’t continuously monitored and the code evaluated, its ultimate failure is all but guaranteed. Scrutinizing the code for potential vulnerabilities and entry points is a necessity, whether the application is business-based, consumer-focused, enterprise, mobile, or embedded in a remote device like a car. Being proactive rather than reactive may actually save lives or, at the very least, keep your inbox free of letters from Nigerian princes.

Author Bio
Lev Lesokhin is Executive Vice President of Strategy for CAST. He is responsible for market development, strategy, thought leadership and product marketing worldwide. He has a passion for making customers successful, building the ecosystem, and advancing the state of the art in business technology. Lev previously held positions at SAP, McKinsey & Company, and at the MITRE Corporation. Lev holds a B.S. in Electrical Engineering from Rensselaer Polytechnic Institute, and an MBA from the MIT Sloan School of Management.

Edited by Ken Briodagh