IoT security Archives - IoT Business News
https://iotbusinessnews.com/tag/iot-security/
The business side of the Internet of Things

The Connectivity Standards Alliance Product Security Working Group Launches the IoT Device Security Specification 1.0
https://iotbusinessnews.com/2024/03/19/31315-the-connectivity-standards-alliance-product-security-working-group-launches-the-iot-device-security-specification-1-0/
Tue, 19 Mar 2024 10:33:03 +0000


The Connectivity Standards Alliance (“Alliance”) Product Security Working Group is pleased to announce the release of their IoT (Internet of Things) Device Security Specification 1.0, with the accompanying certification program, and Product Security Verified Mark.

This groundbreaking initiative aims to establish a unified IoT cybersecurity standard and certification program, providing manufacturers a one-stop solution to certify their devices, enabling them to comply with multiple international regulations and standards more easily.

“The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers,” said Tobin Richardson, Alliance President & CEO of the Connectivity Standards Alliance.

“By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally.”

With the increasing adoption of consumer IoT devices, there is a heightened emphasis on security due to a rise in incidents involving breaches and malicious device hijackings. The Product Security Working Group aims to meet this challenge by consolidating requirements from the three most popular IoT Cybersecurity baselines from the United States, Singapore, and Europe into a single specification and certification program. This unifying effort helps manufacturers more easily and efficiently address these regulatory regimes’ requirements, aiming to instill confidence in consumers and regulators.

“As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices,” said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee. “The Alliance’s Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world.”

IoT Device Security Specification 1.0 Requirements

The Product Security’s IoT Device Security Specification includes dozens of specific device security provisions. IoT Device Manufacturers must demonstrate compliance with those provisions, supplying justifications and evidence to an Authorized Test Laboratory with expertise in security evaluation and experience certifying products relative to this specification.

Highlights of the specific requirements include:

  • Unique identity for each IoT Device
  • No hardcoded default passwords
  • Secure storage of sensitive data on the Device
  • Secure communications of security-relevant information
  • Secure software updates throughout the support period
  • Secure development process, including vulnerability management
  • Public documentation regarding security, including the support period

Nearly 200 member companies — including Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs — have collaborated, pooling related technologies, expertise, and innovations enabling the IoT Device Security Specification 1.0, the accompanying certification program, and Product Security Verified Mark to meet the diverse needs of stakeholders, including consumers, device manufacturers, and regulators. Together, these companies spearheaded the process by driving requirements and specification development and ultimately helping validate the final specification.

The Product Security Certification Program and Verified Mark

Encompassing a broad spectrum of smart home devices such as light bulbs, switches, thermostats, doorbell cameras, and more, the Product Security Certification Program establishes minimum requirements for IoT devices. By consolidating several international regulations into a single set of requirements, the Certification Program streamlines the process, helping manufacturers meet certification criteria from multiple countries or regions with a single evaluation.

The Product Security Verified Mark is confirmation a product meets the specification’s security requirements, with the goal of inspiring consumer confidence. When displayed prominently on certified product packaging, store signage, and online platforms, this Verified Mark builds trust by serving as a marker for secure IoT devices. A printed URL, hyperlink, QR code, or a combination of these representations on the Product Security Verified Mark gives consumers access to more information about the device’s security features.

Looking Ahead

As technology advances and new threats emerge, the Product Security Working Group remains committed to continuously enhancing the IoT Device Security Specification and the accompanying certification program.

FCC Creates Voluntary Cybersecurity Labeling Program for Smart Products
https://iotbusinessnews.com/2024/03/18/02621-fcc-creates-voluntary-cybersecurity-labeling-program-for-smart-products/
Mon, 18 Mar 2024 14:06:10 +0000


‘U.S. Cyber Trust Mark’ Program Will Help Consumers Make Informed Purchasing Decisions and Encourage Manufacturers to Meet Higher Cybersecurity Standards

The Federal Communications Commission today voted to create a voluntary cybersecurity labeling program for wireless consumer Internet of Things (“IoT”) products.

Under the program, qualifying consumer smart products that meet robust cybersecurity standards will bear a label—including a new “U.S. Cyber Trust Mark”—that will help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.

With today’s action, the Commission has adopted the rules and framework for the program to move forward. Among program highlights:

  • The U.S. Cyber Trust Mark logo will initially appear on wireless consumer IoT products that meet the program’s cybersecurity standards.
  • The logo will be accompanied by a QR code that consumers can scan for easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
  • The voluntary program will rely on public-private collaboration, with the FCC providing oversight and approved third-party label administrators managing activities such as evaluating product applications, authorizing use of the label, and consumer education.
  • Compliance testing will be handled by accredited labs.
  • Examples of eligible products may include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.

The Commission is also seeking public comment on additional potential disclosure requirements, including whether software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.

There are a wide range of consumer IoT products on the market that communicate over wireless networks. These products are made up of various devices, and are based on many technologies, each of which presents its own set of security challenges. Last August, the Commission proposed and sought comment on developing the voluntary cybersecurity labeling program for IoT. The rules adopted today are based on that record.

According to one third-party estimate, there were more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Others estimate that there will be more than 25 billion connected IoT devices in operation by 2030. The cybersecurity labeling program builds on the significant public and private sector work already underway on IoT cybersecurity and labeling, emphasizing the importance of continued partnership so that consumers can enjoy the benefits of this technology with greater confidence and trust.

Quectel IoT Modules Significantly More Secure Than Industry Average According to Finite State
https://iotbusinessnews.com/2024/03/18/80708-quectel-iot-modules-significantly-more-secure-than-industry-average-according-to-finite-state/
Mon, 18 Mar 2024 13:55:41 +0000


Quectel Wireless Solutions, a global IoT solutions provider, today announces that, according to a recent milestone report by Finite State, an independent third-party cybersecurity firm, nearly 95% of all Quectel modules shipped to the United States since the beginning of 2022 have industry-leading security scores based on penetration testing and binary analysis by Finite State.

The report highlights a notable enhancement in Quectel’s security position, expanding the number of modules tested and with scores across the tested modules improving from an average of 33 to 18, up from an average of 62 to 24 in previous testing. This represents a substantial improvement, as both the initial and revised scores significantly surpass the industry average of 98 with the lowest (best) score of 10. Further, the number of and severity of vulnerabilities Finite State did identify in Quectel products or modules are significantly less than the industry standard and revealed a very limited attack surface. Those issues Finite State did discover have been quickly remedied by Quectel.

This advanced phase of testing leverages Finite State’s security technologies and expertise to conduct an exhaustive third-party evaluation of Quectel’s modules. The advanced testing encompasses an array of sophisticated security assessments designed to fortify Quectel’s modules against the evolving landscape of cyber threats, including binary analysis of numerous Quectel products and both penetration testing and binary analysis of several Quectel cellular modules.

“Entering this next phase of security testing with Finite State underscores our relentless pursuit of the highest security standards for our products,” stated Norbert Muhrer, President and CSO, Quectel Wireless Solutions.

“Our continued collaboration is a reflection of our commitment to exceed industry security expectations, ensuring our customers benefit from the most secure and reliable communication modules available – tested and verified by one of the most trusted US cyber security firms. We’re thrilled that the latest report from Finite State demonstrates our commitment and progress.”

The continued integration of Finite State into Quectel’s transparency and security program reaffirms Quectel’s commitment to pioneering unparalleled security practices in the IoT and telecommunications sectors. Quectel has made a measurable improvement in key areas such as the security health of the code, the sophistication of the vulnerability management process, and the transparency of its software supply chain.

The program is strategically designed with three key goals to address the pressing issues in cybersecurity today:

  • Implementing the Finite State Platform into Quectel’s DevSecOps procedures, which enhances firmware binary analysis, manages vulnerabilities efficiently, and offers specific recommendations for remediation.
  • Developing and sharing Software Bill of Materials (SBOM) and Vulnerability Exploitability Exchange (VEX) documents for each of Quectel’s products, which promotes a transparent environment and provides critical insights into the software components of Quectel’s devices along with any vulnerabilities they may contain.
  • Conducting comprehensive manual penetration tests by Finite State’s expert Red Team, which augments automated testing methods and delivers detailed security evaluations for Quectel’s product line.

Matt Wyckhouse, CEO of Finite State, commented, “Progressing to this next phase of security testing demonstrates Quectel’s commitment to leading the industry with transparent, rigorous cybersecurity practices. Quectel’s willingness to subject their products to such rigorous scrutiny is commendable and sets a new industry standard to further safeguard the IoT ecosystem.”

The outcome of this continued engagement is anticipated to enhance the security framework of Quectel’s modules and inspire a shift towards more rigorous security standards across the telecommunications industry. Quectel is dedicated to sharing insights and best practices gleaned from this process, contributing to a safer, more secure digital future.

In addition to the activity with Finite State, Quectel is actively pursuing collaboration with multiple standards-setting organizations to enhance and commit to a more rigorous set of security requirements. This initiative aims to achieve key security certifications from both industry and governmental bodies, underlining Quectel’s dedication to advancing security standards within the sector.

Don’t Brush Off the Toothbrush Story: Connected Device Security is A Major Concern
https://iotbusinessnews.com/2024/02/23/76754-dont-brush-off-the-toothbrush-story-connected-device-security-is-a-major-concern/
Fri, 23 Feb 2024 14:36:18 +0000


By Michael Greene, CEO, Enzoic.

Millions of smart toothbrushes hacked and “turned into secret army for criminals?” Sounds like Hollywood pretense or something born from the collective imagination of today’s security pros and, in this case, it was.

In late January, Swiss publication Aargauer Zeitung wrote an article describing how hackers had launched a distributed denial-of-service (DDoS) attack against approximately 3 million smart toothbrushes. The story claimed damages to be millions of euros. Numerous English-language publications, including ZDNet, Tom’s Hardware and The Sun, picked up the story and reported on the attack.

It wasn’t until a week later that Fortinet, Aargauer Zeitung’s source, clarified that the situation was a hypothetical attack discussed during an interview—blaming a translation error for the misunderstanding. While there has understandably been some fallout over the viral nature of the story, I caution companies against dismissing this scenario entirely.

It didn’t happen, but that doesn’t mean it couldn’t. And while it’s unlikely that a connected toothbrush would cause the chaos outlined in the original Swiss article, it still serves as an important reminder that IoT devices remain a sought-after hacker target.

With that in mind, following are some important considerations to ensure their security:

Enable All Security Features

Many connected devices offer encryption or other additional security features. Too often organizations and consumers fail to enable them, making it much easier for a threat actor to compromise the device.

Strengthen Authentication

Using multifactor authentication (MFA) whenever possible is also an important step as part of a layered approach to IoT security.

Evaluate Unneeded Features

Another best practice is to disable any unnecessary features, as well as ensuring that any older unused devices are disconnected from the network. The latter often have outdated security, which can create a weak point on the network that cybercriminals can easily exploit.

Ensure Devices are Up to Date

Frequently check all IoT manufacturers’ websites for firmware updates and patches. If the smart device has an accompanying app, ensure that the most up-to-date version is in use.

Change the Default Settings

It wasn’t too long ago that many IoT devices were shipped with the same default password as standard—for example, in 2019, 600,000 GPS trackers all arrived with 123456 as their password. While manufacturers no longer assign the same credential to all products out of the box, it’s still important to change the password and all other default settings prior to use.

IoT Security Demands Threat Intelligence

Unfortunately, changing a device’s password isn’t enough from an enterprise security perspective. People typically reuse passwords across numerous applications and systems, with one study finding that 72% of individuals deploy the same one in their personal life and nearly half of employees simply change or add a digit or character. Given the high rate of data breaches, all it takes is one attack for these credentials to be available on the Dark Web for threat actors to utilize in subsequent breach attempts.

This is a key reason that threat intelligence is a vital component of any modern IoT security strategy. Organizations need real-time insight into the integrity of the credentials used to secure and access connected devices so that they can take immediate action in the event of a compromise—and prevent any subsequent damages from occurring.

Giving IoT Security Some Teeth

Once the Aargauer Zeitung story was debunked, many articles pointed out that threat actors generally pursue attack avenues more closely linked to monetary gain. And while connected toothbrushes don’t contain financial data, the same can’t be said for enterprise IoT devices used for predictive maintenance, smart energy management, or occupancy monitoring.

As such, the hypothetical attack scenario is a timely nudge to ensure the security of these and other enterprise connected devices. The news media will soon forget about this viral (if untrue) story, but the same can’t be said for hackers’ fixation on smart devices’ security vulnerabilities.

New Report on IoT Security Underscores the Current Risk of Unsecured Devices and Equipment
https://iotbusinessnews.com/2024/02/15/01088-new-report-on-iot-security-underscores-the-current-risk-of-unsecured-devices-and-equipment/
Thu, 15 Feb 2024 12:02:11 +0000


Asimily’s “IoT Device Security in 2024: The High Cost of Doing Nothing” report identifies today’s IoT threat landscape as enterprises across industries implement and scale connected devices

Asimily, a leading Internet of Things (IoT) risk management platform, today announced the availability of a new report: IoT Device Security in 2024: The High Cost of Doing Nothing.

The comprehensive report—available for free download here—highlights emerging IoT device security trends and challenges.

Enterprises continue to embrace IoT strategies to streamline operations, boost efficiency, and improve customer experiences. From hospitals to manufacturers to public sector agencies, IoT device fleets are critical for meeting these modernization goals. However, the acceleration in connected device deployment opens new windows for cybercriminals and exposes networks to potential breaches. This report addresses the growing challenge of securing IoT devices and explores the consequences for businesses neglecting sufficient cyber resilience. It also provides valuable guidance for implementing a comprehensive approach to mitigating IoT-related cyberattack risks.

Among the key findings and analysis included in the new report:

  • Breach tactics continue evolving: Cybercriminals seeking confidential proprietary data to sell for financial gain look for and infiltrate vulnerable and often-unsecured IoT devices to establish initial access to an enterprise’s network. That tactic supports ransomware attacks as well, with criminals gaining access via IoT endpoints, encrypting data, and extorting ransoms. In other cases, nation-state-sponsored groups are motivated to shut down or disrupt the services of their targets. A common tactic is harvesting vast fleets of vulnerable IoT devices to create botnets and utilize them to conduct DDoS attacks. Attackers also know they can rely on unresolved legacy vulnerabilities, as 34 of the 39 most-used IoT exploits have been present in devices for at least three years.
  • Routers are the most targeted IoT devices, accounting for 75% of all IoT infections. Hackers exploit routers as a stepping stone to access other connected devices within a network. Security cameras and IP cameras are the second most targeted devices, making up 15% of all attacks. Other commonly targeted devices include digital signage, media players, digital video recorders, printers, and smart lighting. The report also highlights the especially consequential risks associated with specialized industry equipment—including devices critical to patient care in healthcare (including blood glucose monitors and pacemakers), real-time monitoring devices in manufacturing, and water quality sensors in municipalities.
  • Cyber insurers are capping payouts. Cybersecurity insurance is becoming more expensive and difficult to obtain as cyberattacks become more common. More insurers are now requiring businesses to have strong IoT security and risk management in place to qualify for coverage—and increasingly denying or capping coverage for those that do not meet certain thresholds. Among the reasons why cyber insurers deny coverage, a lack of security protocols is the most common, at 43%. Not following compliance procedures accounts for 33% of coverage denials. Even if insured, though, reputational damage remains a risk: 80% of a business’s customers will defect if they do not believe their data is secure.
  • Manufacturing is now the top target: Cybercriminals are increasingly focusing their attention on the manufacturing, finance, and energy industries. Retail, education, healthcare, and government organizations remain popular targets, while media and transportation have been de-emphasized over the past couple of years.

“Vulnerable IoT devices continue to be a glaring cybersecurity weak spot for many, many enterprises,” said Kenan Frager, VP of Marketing, Asimily. “In the rush to absorb all of the business benefits these devices deliver, sufficient security—and the impact that security has on the broader network—is too often left unchecked.”

“Regardless of industry, an attack on IoT infrastructure can and will result in operational downtime, loss of IP, loss of revenue, and reputational harm. Regulatory compliance adds another layer of pressure, with steep fines and sanctions looming for breaches that affect HIPAA, PCI DSS, NIST, SOC 2, and other increasingly stringent mandates.”

“There’s a clear and urgent need for more businesses to prioritize a more thorough risk management strategy capable of handling the unique challenges of the IoT,” said Shankar Somasundaram, CEO, Asimily.

“While organizations often struggle with the sheer volume of vulnerabilities in their IoT device fleets, crafting effective risk KPIs and deploying tools to gain visibility into device behavior empowers them to prioritize and apply targeted fixes. This approach, coupled with a deeper understanding of attacker behavior, enables teams to distinguish between immediate threats, manageable risks, and non-existent dangers. The right strategy equips organizations to focus efforts where they matter most, maximizing their resources while ensuring the security of their IoT ecosystem at scale.”

Top 7 trends for the security industry in 2024
https://iotbusinessnews.com/2024/01/17/43442-top-7-trends-for-the-security-industry-in-2024/
Wed, 17 Jan 2024 20:54:35 +0000


The security industry in 2024 is an exciting landscape that Hikvision is actively navigating. As it embraces technological innovation and adapts to evolving societal needs, it is witnessing the convergence of advanced technologies like Artificial Intelligence (AI), the Internet of Things (IoT), and big data. These innovations are paving the way for smarter, more proactive, and predictive security solutions that are not only robust, but also meet the easy-to-use demands of users.

In this article, Hikvision wants to share the top seven trends that it anticipates will have a significant impact on the security industry this year.

1. AI is accelerating the augmentation of perception in machines

AI is accelerating the transformation of the security industry by enhancing machines’ perceptual capabilities. This is possible thanks to integration with visible light, audio, X-ray, infrared light, radar, and other technologies.

One example of this is Artificial Intelligence Image Signal Processing (AI-ISP) technology, which revolutionizes video imaging and provides high-quality visuals through intelligent noise reduction. This enables clearer images with wide dynamic range and sharp detail even in low-light environments, reducing reliance on additional lighting and leading to more efficient situational responses.

2. AI-driven applications are set to revolutionize diverse industries

In the past year, advancements in large-scale AI models have improved the ability to interpret complex situations using diverse data. Hikvision believes this progress creates possibilities for more tailored AI solutions across various sectors including manufacturing, energy, healthcare, and education.

Based on open platforms and advanced algorithms, more streamlined architectures facilitate seamless AI adoption in a range of different verticals. This fosters collaboration and creates an innovative ecosystem for technological advancement.

3. Cloud and edge computing convergence is accelerating

The convergence of cloud and edge computing is driving the emergence of faster and more efficient services. This leads to real-time, intelligent solutions, like smarter perimeter control and more convenient cloud-based security system management, empowering us with immediate analytics and better decision-making at the edge. Cloud-based platforms also minimize hardware investments and offer scalable options for businesses of all sizes and budgets, reducing upfront and ongoing costs.

4. Digital twin technology has the potential to revolutionize business management

Digital twins are virtual models that simulate real-world scenarios in real time. By integrating with AIoT, cloud computing, and other technologies, they provide us with dynamic insights on performance metrics like security, traffic, and energy usage. This enables an immersive experience with synchronized visuals, improving process efficiency, enabling proactive maintenance, and leading to cost savings and better business management.

5. Display technology, particularly LED, is advancing rapidly

The rapid adoption of COB (Chip-on-Board) technology is driving demand for small-pitch LEDs. Innovative LED solutions are also emerging that balance lower energy consumption with high resolution, promoting carbon neutrality, and supporting broader applications. Integrated video walls in command centers, for example, help us make smart decisions with intuitive views. Interactive displays and digital signage are acting as catalysts for digital transformation in education, business, and the hospitality sectors.

6. Digital identity authentication security is increasingly crucial in safeguarding cybersecurity

Digital identity authentication involves verifying and authorizing identities, which is a pivotal cybersecurity measure. Threat actors use techniques like phishing, malware, and social engineering to steal personal information and identities. To safeguard digital identities, users and organizations should employ strong passwords, use multi-factor authentication, avoid public networks, update software in a timely manner, and guard against social engineering attacks.

7. Innovative technologies drive environmental sustainability and climate change resilience

Industry stakeholders are increasingly adopting green practices to reduce carbon emissions and resource usage. This includes efficient product transportation, sustainable packaging, and standardized component utilization. Hikvision also expects to see innovative technologies being used to increase climate change resilience. By integrating environmental sensors into security systems, for instance, it can better respond to natural disasters like floods, wildfires, landslides, and avalanches.

Nurturing IoT’s Safety Net: Can the ‘Cyber Trust Mark’ Weather the Fragmented Storm? https://iotbusinessnews.com/2023/11/16/75645-nurturing-iots-safety-net-can-the-cyber-trust-mark-weather-the-fragmented-storm/ Thu, 16 Nov 2023 16:39:37 +0000

Nurturing IoT's Safety Net: Can the Cyber Trust Mark Weather the Fragmented Storm?

By Shiri Butnaru, Head of Marketing, SAM Seamless Networks.

Since the founding of our company, SAM has welcomed efforts by government agencies and regulators worldwide to raise consumer awareness about cybersecurity in the IoT space. These efforts benefit both consumers and the network operators connecting them to the digital world. Consumers benefit by being better informed about an IoT product’s security attributes at the “point of sale” and operators benefit as this increased awareness amongst consumers will make it easier to develop and sell new network-based security services.

The latest development comes from the United States, where the White House has introduced the “Cyber Trust Mark” program. This program aims to certify IoT devices bearing the label, ensuring they meet essential security attributes safeguarding consumers’ networks and device data. While voluntary, this initiative, led by the Federal Communications Commission, is set to begin implementation in 2024. This is part of an initiative that includes a collaboration between the White House and the National Institute of Standards and Technology (NIST) to establish cybersecurity standards tailored to routers.

These moves will have a positive impact on the IoT ecosystem on a variety of levels. Yet, while product labels will increase consumer awareness and education, they cannot address the ongoing evolution and fragmentation of IoT devices. Thousands seemingly hit the market each year, making “constant” security unattainable. Even a seemingly secure device could falter over time without proper software updates, which, in reality, the average consumer does not install.

This fact is part of a trend that has led to a situation where most home and small business devices and networks lack adequate protection. This vulnerability arises due to various reasons, including the widespread use of consumer electronics devices that have become connected IoT devices through home routers. While some vulnerabilities may only be an inconvenience for some users, others can open the door to malicious activities. One of the most pressing challenges in the realm of IoT is the sluggish discovery-to-patching process by firmware vendors, leaving users exposed indefinitely. This issue highlights a critical gap in home security, where the timely resolution of IoT vulnerabilities should be a requirement, not a “luxury.”

However, for consumer electronics in general, it takes time to create a fix, to test it in the field and then to distribute it. And for IoT devices, it’s a different matter altogether, as numerous devices have minimal security and no ongoing security patch program. Or the devices are no longer on the market at all. This condition creates a significant window of opportunity for hackers who are well aware of these vulnerabilities and often have ample time to exploit them before the vendors issue a remedy, leaving end users vulnerable to attacks. Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app on the smartphone. Others, however, need to be updated manually – a lengthy and quite complicated process for even those who are tech savvy.

Katherine Gronberg, Head of Government Services at NightDragon, who works frequently with NIST and the White House on matters relating to IoT security, has commented: “With the explosion of IoT devices available from a wide variety of sources, consumers have until now not had any help in deciding what to buy or even to be mindful of security. The Cyber Trust Mark will allow consumers to identify products that have been designed and manufactured according to secure development guidelines and that offer some basic security features, most of which will likely not require any actions by the device user. While this program doesn’t apply to IoT devices that are already in use today, it will create a more informed customer and may make other parties in the ecosystem such as retailers or ISPs more conscious of the problem and might motivate them to take action.”

One action that the industry has seen recently is a renewed focus on routers, as seen in a recent security advisory issued by the US NSA, in which one of its recommendations was for consumers to exchange ISP-issued routers for ones they would purchase themselves. And there is another router-focused technique that more and more ISPs are using to help their customers with IoT network security, namely the “hot patching” measure, which uses a router-based software agent to provide protection for the router itself and every device connected to it.

Hot patching is designed as a “one stop” protection program in which an ISP would download an agent to a router to provide constant real-time monitoring and alerts. Hot patching is based on what is known as “deep packet inspection,” or DPI, which is a well-known and long-standing technique wherein the payload of packets traversing a data network is inspected and analyzed. The result empowers consumers with comprehensive router and device security, eliminating vulnerability monitoring and patching complexities.

While security labeling undoubtedly enhances consumer awareness and overall IoT security, the quest for constant security calls for a gateway-based solution. Such a solution can act as the ultimate backstop to industry and government initiatives, securing IoT devices and the connecting network.

Therefore, we believe the “Cyber Trust Mark” program will certainly be a great benefit for the consumer or “end user” and the increased awareness about IoT security it will raise gives ISPs an excellent opportunity to play a more proactive role that will be welcomed by their customers and which will increase IoT network security in meaningful ways.

The Regulatory Landscape for IoT: Navigating the Complexities of a Connected World https://iotbusinessnews.com/2023/11/13/84084-the-regulatory-landscape-for-iot-navigating-the-complexities-of-a-connected-world/ Mon, 13 Nov 2023 10:18:41 +0000

The Regulatory Landscape for IoT: Navigating the Complexities of a Connected World

By Marc Kavinsky, Lead Editor at IoT Business News.

The Internet of Things (IoT) represents a transformative shift in the way we interact with technology. As physical devices around us become increasingly connected, they offer new levels of efficiency, automation, and convenience. However, this rapid advancement and ubiquity of IoT devices also raise significant regulatory challenges. This article explores the evolving regulatory landscape for IoT, addressing the need for standards, privacy concerns, security risks, international coordination, and the path forward.

Understanding IoT’s Expansion and the Need for Regulation

The IoT ecosystem encompasses a broad range of devices, from smart home appliances and wearables to industrial sensors and smart city technologies. According to Gartner, the number of connected devices will reach over 25 billion by 2025. This expansion is not just quantitative but also qualitative, as IoT technology becomes more complex and integral to various aspects of life and business.

Regulation is crucial in this context to ensure these devices are safe, secure, and respectful of user privacy. However, the unique characteristics of IoT – including its diversity, the volume of data it generates, and its cross-industry applications – pose significant regulatory challenges.

Data Privacy and Protection in IoT

Data privacy is a paramount concern in IoT. These devices often collect sensitive personal information, which can include location data, health metrics, and even personal habits. Ensuring the privacy and security of this data is crucial.

The European Union’s General Data Protection Regulation (GDPR) sets a precedent for data privacy, including provisions that affect IoT. It mandates strict data handling procedures and grants individuals rights over their data. Similarly, the California Consumer Privacy Act (CCPA) in the U.S. provides consumers with rights over their personal information collected by businesses.

However, these regulations often face challenges in enforcement and applicability, particularly with devices that cross international borders. The diverse nature of IoT devices also means that a one-size-fits-all approach to data privacy may not be feasible.

Security Concerns and Standards

IoT security is another critical area of regulatory focus. The interconnectedness of IoT devices creates a broader attack surface for cyber threats. The Mirai botnet attack in 2016, which utilized unsecured IoT devices to launch large-scale distributed denial-of-service (DDoS) attacks, highlighted the potential consequences of inadequate IoT security.

Regulatory efforts in IoT security include the development of standards and guidelines. For instance, the National Institute of Standards and Technology (NIST) in the U.S. has published a series of documents offering guidance on IoT cybersecurity. The UK government has also introduced a code of practice for consumer IoT security and is working on legislation to enforce basic security requirements for IoT devices.

International Coordination and Compliance Challenges

The global nature of IoT poses significant challenges for regulatory compliance. IoT devices often cross international borders, and data collected by these devices can be stored and processed in different countries. This scenario necessitates a coordinated international regulatory approach.

Efforts in this direction include the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) working on international standards for IoT. These global standards aim to provide a common framework that can be adopted by different countries, fostering interoperability and easing compliance challenges.

Consumer Protection and Transparency

With IoT devices becoming a staple in consumer electronics, there’s a growing need for regulations that protect consumers. This includes ensuring that IoT devices are safe, reliable, and do not engage in unfair or deceptive practices.

Transparency is also crucial. Consumers need to be informed about what data their devices are collecting and how it’s being used. The U.S. Federal Trade Commission (FTC) has been active in enforcing transparency and has brought cases against companies that fail to adequately disclose their data practices.

The Road Ahead: Adaptive and Inclusive Regulation

As IoT continues to evolve, so too must its regulatory framework. This requires a balance between fostering innovation and protecting public interests. Adaptive regulation that can evolve with technology is key, as is the inclusion of various stakeholders in the regulatory process. This includes not just governments and industry, but also consumer groups, academia, and civil society.

Engaging in ongoing dialogue and partnership can help address the dynamic challenges IoT presents. It is also important to foster public awareness and education about IoT, empowering consumers to make informed decisions and advocate for their interests.

Conclusion

The regulatory landscape for IoT is complex and multifaceted, reflecting the diverse and rapidly evolving nature of the technology itself. Effective regulation requires a nuanced approach that addresses privacy, security, international coordination, and consumer protection. As IoT devices become more ingrained in our daily lives, the importance of robust, flexible, and forward-looking regulation cannot be overstated. The future of IoT is not just about technological innovation but also about creating a regulatory environment that supports sustainable and responsible growth.

Fortifying the Internet of Things: Navigating the Landscape of IoT Security Protocols https://iotbusinessnews.com/2023/11/07/69553-fortifying-the-internet-of-things-navigating-the-landscape-of-iot-security-protocols/ Tue, 07 Nov 2023 14:26:47 +0000

Fortifying the Internet of Things: Navigating the Landscape of IoT Security Protocols

In the ever-expanding universe of the Internet of Things (IoT), security is not just a feature but a foundational necessity. With billions of devices connected and communicating, the potential for data breaches, unauthorized access, and other cyber threats grows exponentially. In this context, IoT security protocols are essential to ensure that the communication between devices, and from devices to servers, remains confidential and tamper-proof. Here, we explore the current landscape of IoT security protocols, the challenges they face, and the future direction of securing IoT networks.

The Current State of IoT Security Protocols

IoT devices, ranging from consumer products like smart thermostats to industrial sensors monitoring critical infrastructure, are often built with convenience and cost-effectiveness in mind. However, this focus can sometimes come at the expense of robust security measures. The protocols governing the security of these devices are as varied as their applications.

1. Transport Layer Security (TLS) and Secure Sockets Layer (SSL): TLS and its predecessor, SSL, are cryptographic protocols designed to provide secure communication over a computer network. In the IoT space, TLS/SSL is commonly used to secure the connection between a device and a cloud server, ensuring that data remains private and integral.

2. Datagram Transport Layer Security (DTLS): For IoT devices that rely on UDP, which is common in real-time applications, DTLS offers a way to secure these communications. It is similar to TLS but adapted for datagram protocols.

3. Extensible Messaging and Presence Protocol (XMPP): XMPP is an open standard for message-oriented middleware based on XML. It offers a set of protocols for message-oriented communication with mechanisms for security.

4. Constrained Application Protocol (CoAP): CoAP is a specialized web transfer protocol for use with constrained nodes and networks in IoT. It can be used with DTLS to provide a secure communication channel.

5. Z-Wave and Zigbee: These are communication protocols for low-energy radio waves often used in home automation, with built-in security layers to encrypt messages between devices.

6. Message Queuing Telemetry Transport (MQTT): MQTT is a popular IoT publish-subscribe network protocol that can be secured with TLS.

Challenges Facing IoT Security Protocols

The challenges in IoT security are manifold, stemming from both the variety of devices and the complexity of the network architectures. Here are the key challenges:

1. Resource Constraints: Many IoT devices have limited computational resources and cannot support traditional web-grade encryption methods.

2. Diversity of Devices: The IoT ecosystem is vast, with a wide range of devices that have different capabilities and security needs.

3. Scalability: Security protocols must be able to scale effectively as billions of new devices come online.

4. Lifecycle Management: IoT devices often have long lifecycles, and security protocols must be updatable to respond to new threats over time.

5. Interoperability: With so many different protocols and manufacturers, ensuring that security measures are interoperable across devices and systems is a challenge.

Advanced Security Protocols for IoT

As the IoT industry evolves, so do the strategies to secure it. Here are some advanced protocols and techniques being developed and implemented:

1. Lightweight Cryptography: NIST is working on standards for lightweight cryptography intended for constrained devices, which will be more suitable for the IoT environment.

2. Public Key Infrastructure (PKI): PKI provides a scalable method for secure device authentication and encryption key distribution.

3. Elliptic Curve Cryptography (ECC): ECC provides the same level of encryption as RSA but uses smaller keys, which are more suitable for IoT devices.

4. Quantum-resistant algorithms: With the potential threat of quantum computing, there’s a growing focus on developing security algorithms that would be resistant to quantum attacks.

5. Secure Software Updates: Ensuring that devices can be securely updated is crucial for responding to vulnerabilities as they are discovered.

Implementing IoT Security Protocols

The implementation of robust security measures is as critical as the development of the protocols themselves. Here are key considerations for implementation:

1. Default Security: Devices should come with security features enabled by default, requiring little to no configuration from the user.

2. Regular Updates: Manufacturers must provide regular firmware updates to address security vulnerabilities and ensure devices stay secure over their lifespan.

3. User Education: Users should be informed about the importance of security and how to manage their devices securely.

4. Multi-layered Security: Security should be implemented in layers, including secure boot, transport layer security, secure storage, and intrusion detection systems.

The Future of IoT Security

Looking forward, the IoT industry must continue to prioritize security to protect against evolving cyber threats. Here are potential future developments:

1. AI and Machine Learning: These technologies can be used to detect anomalies in network behavior, potentially identifying and neutralizing threats in real-time.

2. Blockchain for IoT Security: Blockchain technology could enable secure, tamper-proof systems for IoT device authentication and firmware updates.

3. Integration of Security in IoT Standards: As new IoT standards are developed, integrating security as a core component will be crucial.

4. Government Regulation and Compliance: We may see more government regulation aimed at improving IoT security, similar to the GDPR for data protection.

5. Universal Security Standards: Efforts may be put toward creating universal security standards that can be applied across devices and industries.

Conclusion

The complexity of IoT security is significant, and the stakes are high. As the IoT continues to grow, effective security protocols must be developed and implemented to protect privacy and ensure the safe and reliable operation of connected devices. The future of IoT depends not just on innovation in connectivity and functionality but equally on the strength and adaptability of its security protocols. The journey toward a secure IoT ecosystem is ongoing, and it requires the concerted effort of manufacturers, software developers, security experts, and regulatory bodies.

New Global Survey Reveals 97% of Organizations Face Challenges Securing IoT and Connected Devices https://iotbusinessnews.com/2023/10/10/86570-new-global-survey-reveals-97-of-organizations-face-challenges-securing-iot-and-connected-devices/ Tue, 10 Oct 2023 14:00:31 +0000

New Global Survey Reveals 97% of Organizations Face Challenges Securing IoT and Connected Devices

Findings indicate that leveraging PKI solutions effectively is key to solving IoT security challenges

Keyfactor, the identity-first security solution for modern enterprises, and Vanson Bourne today released findings from an independent survey and analysis that examines the state of IoT security for both manufacturers and end users.

The report, “Digital Trust in a Connected World: Navigating the State of IoT Security,” reveals concerns and challenges modern businesses face when establishing digital trust in today’s connected world, and shows nearly all organizations (97%) are struggling to secure their IoT and connected products to some degree. The research survey also found that 98% of organizations experienced certificate outages in the last 12 months, costing an average of over $2.25 million.

“Organizations worldwide are under mounting pressure to ensure their IoT and connected devices are protected while navigating an increasingly complex digital landscape that requires complete trust,” said Ellen Boehm, Senior Vice President, IoT Strategies and Operations at Keyfactor.

“The results of this survey demonstrate the importance of identity-first security for those who manufacture IoT devices and those who deploy and operate them in their environment to establish digital trust at scale. Most organizations implement PKI solutions in their IoT security strategy, which is a huge step in the right direction. However, it’s clear that with 97% of organizations facing IoT security challenges, security teams are struggling to leverage their tools efficiently.”

“Ensuring that IoT device security is managed throughout its lifecycle will go a long way in both eliminating costly certificate outages and enhancing the long-term viability of IoT within the enterprise.”

The costly outages organizations have faced in the past year are not the only expense of inefficient IoT security. The report found that 89% of respondents’ organizations that operate and use IoT and connected products have been hit by cyber attacks at an average cost of $250K. Furthermore, in the past three years, 69% of organizations have seen an increase in cyber attacks on their IoT devices. The March attack on Amazon’s Ring that exfiltrated sensitive customer data such as recorded footage and credit card numbers is an example of the increase in IoT attacks.

“Many IoT security strategies fail to prevent and protect against IoT-targeted cyber attacks because organizations lack the proper education and support needed to fully understand the task at hand,” said Boehm. “Over half of respondents agree that their organization doesn’t have the proper awareness and expertise to prepare for IoT device cyber attacks, spotlighting the need for more guidance to fully secure their devices. Organizations can’t protect against what they cannot understand.”

Other key themes and findings from the report include:

  • Proliferating growth of IoT devices and connected products in organizations: In the past three years, respondents reported a 20% average increase in the number of IoT and connected products used by organizations.
  • IT professionals are not fully confident in the security of their IoT and connected devices: Most organizations (88%) agree that improvements are needed in the security of IoT and connected products in use within their organization, with over a third (37%) of respondents reporting that significant improvement is needed and 60% reporting that some improvement is needed. When it comes to specific strategies, 4 in 10 organizations report that they strongly agree they would benefit from using a PKI to issue digital identities on the IoT and IIoT devices in their environment.
  • IoT security budgets are increasing but are being used to cover staggering costs from certificate outages: While budgets for IoT device security are increasing year over year, with an anticipated increase of 45% in the next five years, half (52%) of that budget is at risk of being diverted to cover the cost of successful cyber breaches on IoT and connected products.
  • Organizations and manufacturers are split on who is responsible for IoT security: Of the respondents surveyed, 48% believed that the manufacturer of IoT or connected devices should be at least mostly responsible for cyber breaches on their products.

The study was conducted by Vanson Bourne on behalf of Keyfactor with responses from 1,200 IoT and connected product professionals across North America, EMEA, and APAC. All respondents had some responsibility or knowledge of IoT or connected products within their organization, and included original equipment manufacturers (OEMs) and those who are using and operating connected devices within their organization.

October: Cybersecurity Awareness Month and the Imperative of IoT Security https://iotbusinessnews.com/2023/09/28/75464-october-cybersecurity-awareness-month-and-the-imperative-of-iot-security/ Thu, 28 Sep 2023 11:48:39 +0000

October: Cybersecurity Awareness Month and the Imperative of IoT Security

October, recognized globally as Cybersecurity Awareness Month, is a timely reminder of the ever-present threats in the digital realm.

It underscores the importance of fortifying our digital defenses, especially in the corporate environment where the stakes are high. As businesses increasingly integrate Internet of Things (IoT) devices into their networks, this month’s spotlight is on the significance of a detailed cybersecurity strategy for these devices.

The Growing Threat Landscape

The allure of IoT devices lies in their ability to enhance operational efficiency, offer real-time data, and improve overall business processes. However, this interconnectedness also presents a double-edged sword. If left unsecured, each device can be a potential entry point for cybercriminals.

Hackers are becoming more sophisticated, leveraging advanced techniques to exploit vulnerabilities in IoT devices. From Distributed Denial of Service (DDoS) attacks using botnets of compromised IoT devices to data breaches that siphon off sensitive information, the threats are multifaceted and evolving. A single breach can result in significant financial losses, reputational damage, and operational disruptions.

The Perils of Unapproved IoT Devices

One of the growing concerns for businesses is the proliferation of unapproved IoT devices within their networks. In their quest for convenience or enhanced functionality, employees might plug in devices that have not undergone rigorous security vetting. These devices, often with weak default passwords or outdated firmware, can become easy targets for hackers. It’s not just about the immediate threat of a breach. These devices can be co-opted into larger botnets, used in more extensive attacks, or even used as silent listeners, collecting data over time and sending it to malicious actors.

This is why businesses need stringent policies in place. Employees should be educated about the risks of using unapproved devices and the potential consequences for the entire organization. A clear policy, combined with regular audits and checks, can significantly reduce the risk these rogue devices pose.

The Need for a Comprehensive IoT Security Strategy

Given the expanding threat landscape, it’s clear that a piecemeal approach to IoT security will not be enough. Businesses need a comprehensive strategy that encompasses:

  • Device Authentication and Authorization: Every device connecting to the network should be authenticated. This ensures that only approved devices can connect and interact with the network.
  • Regular Updates: IoT devices should be regularly updated with the latest firmware and security patches. This can address known vulnerabilities and protect against known attack vectors.
  • Network Segmentation: IoT devices should be on a separate network segment. This ensures that even if a device is compromised, the attacker can’t easily move laterally across the corporate network.
  • Real-time Monitoring: With advanced threat detection systems, any unusual activity can be detected in real-time, allowing for swift remedial action.
  • Employee Training: Employees should be trained to recognize potential threats, understand the importance of using approved devices, and know the latest best practices in IoT security.

Industry Leaders Weigh In on IoT Security

As businesses grapple with IoT security challenges, industry leaders’ insights provide valuable perspectives on the path forward.

Ashu Bhoot of Orion Networks remarks, “The adoption of IoT has accelerated the digital transformation journey for many businesses. However, this rapid integration has also exposed many to vulnerabilities they weren’t prepared for. At Orion Networks, we believe that a proactive approach and continuous education are the keys to staying ahead of potential threats.”

Aaron Kane of CTI Technology offers a forward-looking perspective: “The future of business is undeniably intertwined with IoT. But as we embrace this future, we must also be cognizant of the security implications. At CTI Technology, we focus not only on providing solutions but also on empowering our clients with the knowledge and tools they need to secure their digital ecosystems.”

Jorge Rojas of Tektonic Managed Services emphasizes the collaborative approach, noting, “IoT security is not a challenge that businesses should face alone. It requires collaboration between service providers, device manufacturers, and businesses. At Tektonic Managed Services, we’re committed to fostering this collaborative spirit, ensuring our clients access the best security solutions and practices in the industry.”

These insights from industry leaders underscore the collective responsibility and collaborative approach required to address the challenges of IoT security. As businesses continue integrating IoT devices into their operations, partnering with knowledgeable and proactive IT service providers will be crucial in navigating the complex landscape of IoT security.

Conclusion

As we observe Cybersecurity Awareness Month, the focus on IoT security has never been more critical. Integrating IoT devices brings immense benefits but also introduces vulnerabilities that cybercriminals can exploit. By understanding the threats, implementing robust policies, and adopting a comprehensive security strategy, businesses can harness the power of IoT while ensuring that their networks remain secure.

Cellular IoT module market Q2 2023: 66% of IoT modules shipped without dedicated hardware security https://iotbusinessnews.com/2023/09/21/12441-cellular-iot-module-market-q2-2023-66-of-iot-modules-shipped-without-dedicated-hardware-security/ Thu, 21 Sep 2023 15:33:34 +0000 https://iotbusinessnews.com/?p=40354

Cellular IoT module market Q2 2023: 66% of IoT modules shipped without dedicated hardware security

By the IoT Analytics team.

IoT Analytics, a leading provider of market insights and strategic business intelligence for the Internet of Things (IoT), has published its latest research on the global cellular IoT module and chipset market for Q2/2023.

The report reveals that 66% of IoT modules shipped in Q2 2023 had no dedicated hardware security and 29% had no security features at all, exposing them to potential risks and vulnerabilities.

The research analyzes the security features of 772 unique modules from 36 vendors and 150+ chipsets from 13 vendors that IoT Analytics tracks. It shows that only 30% of the modules available on the market had dedicated hardware security features. Additionally, the article highlights the differences between the global and North American markets, where the latter has a higher share of non-dedicated hardware security features, such as TrustZone or secure boot.

KEY QUOTES:

Commenting on the importance of IoT security, Principal Analyst Satyajit Sinha noted:

“As cybercrime operates much like a business, criminals invariably opt for the path of least resistance. Implementing multiple layers of security increases the time and cost required for hackers to breach a system, thus making it more likely for them to abandon the effort and seek out less well-protected targets.”

Mr. Sinha added, “Cellular IoT modules are crucial for connectivity in IoT devices across industries. They provide a vital connection to the internet and are managed remotely. Ensuring their security is vital for safeguarding the broader IoT ecosystem.”

KEY INSIGHTS:

  • The cellular IoT module market was stagnant in Q2’23 according to IoT Analytics’ latest data.
  • Although IoT modules with dedicated security features are increasingly adopted, 66% of IoT modules shipped in Q2’23 had no dedicated hardware security and 29% had no security features at all.
  • Recent demonstrations of vulnerabilities in non-dedicated hardware security features should drive the market further towards hardware-based security. Post-quantum cryptography is also an important consideration in IoT module security.

[Graphic: Cellular IoT modules 2018-2023: the rise of hardware security]

Updated cellular IoT module market

29% of cellular IoT modules shipped in Q2 2023 had no dedicated security features and only 34% had hardware-based security. Overall, the shipment and revenue of the $6.7 billion market (2022) remained generally flat in Q2’23 quarter-over-quarter, with 0% shipment and 0% revenue growth. Reasons for this stagnation include a weakened demand environment, which we discussed in our Q1’23 analysis of the cellular IoT module market.

IoT module security at the center of attention

With markets stagnating, we are putting a spotlight on cellular IoT module security by looking at the security features of 772 unique modules from 36 vendors and 150+ chipsets from 13 vendors that we track. IoT module security is of particular interest right now in light of the US Congress’ 7 August 2023 letter to the US Federal Communications Commission (FCC) regarding potential security risks of using Chinese cellular IoT modules.

Our analysis of the updated tracker and forecast shows the following breakdown of IoT module security features out of the aforementioned modules/chipsets available on the market in Q2’23:

  • 30% had dedicated hardware security features, often embedded in chipsets or standalone components implemented through hardware security modules
  • 42% had non-dedicated hardware security features, or features used to either create secure environments for processes to run or ensure only authorized firmware is loaded on the device
  • 28% had no security features

However, the share of purchased/shipped modules with these security classifications in Q2’23 differs, with a significant difference between the global and North American markets as well:

Module security type            | Global market | North American market
Dedicated hardware security     | 34%           | 24%
Non-dedicated hardware security | 37%           | 68%
No security                     | 29%           | 8%

While the global market shows a relatively balanced share of these three categories, the North American market skews heavily toward non-dedicated hardware security features. The low share of cellular IoT modules without security features in the North American market indicates that module security is a concern for its consumers, though there appears to be a reliance on non-dedicated hardware security features, such as TrustZone or secure boot.

This indication is consistent with recent concerns that the US Congress expressed to the FCC regarding the security of Chinese-made cellular IoT modules within US infrastructure (either directly or as part of the manufacturing supply chain), such as FirstNet Authority networks and devices used by first responders across the country (Quectel and Fibocom have published press releases responding to the US Congress’s concerns in early September 2023).

Why dedicated hardware security is the way forward amid supply chain concerns

Software and network security solutions have historically overshadowed dedicated hardware security features in IoT since they are more visible and easier to address, while dedicated hardware security features can be more complex and costly to implement. An alternative to software and network security solutions are non-dedicated hardware security features, such as ARM’s TrustZone, which creates a secure environment for processes to run, and secure boot, which ensures systems boot without intrusions.

Unfortunately, researchers recently demonstrated side-channel attacks against TrustZone during the Black Hat Asia 2023 conference. For their part, ARM has responded to this demonstration by stating that the attack is not unique to ARM’s Cortex-M architecture or TrustZone; rather, it’s a failure in application code: such attacks “may apply to any code with secret-dependent control flow or memory access patterns.” However, such attacks, whatever core architecture they target, demonstrate that adding dedicated hardware security solutions to these non-dedicated hardware security solutions can enhance the overall security of a module.

Shahram Mossayebi, Ph.D., founder and CEO of Crypto Quantique, explained the following to IoT Analytics when asked about cellular IoT module security:
“[W]e rely on security features such as TrustZone, but to achieve trust, we need to go beyond them. A root of trust is a set of cryptographic features (which soon must be quantum secure) for encryption, digital signature, and device identity. The hardware root of trust is the foundation for building trust with any IoT [device] and it is a crucial part of hardware security.”

With a hardware-based root of trust, manufacturers and consumers can ensure the authenticity of the modules—helping to address cloning and counterfeiting—and protection of the device’s keys. Once manufacturers can guarantee the authenticity and security of these keys, they can add additional security components like TrustZone and secure boot.

Where hardware security should be implemented

Implementing security measures at the device level during manufacturing is a foundational step, aiding in establishing device authenticity and partially curbing the infiltration of counterfeit components in the supply chain. However, this strategy only offers a partial solution since vulnerabilities still exist, particularly in the potential theft and cloning of device identities within supplier factories. Thus, an even more nuanced approach is required to bolster the defenses against such nefarious activities that seek to undermine the system from its very core.

To combat these risks more effectively, embedding hardware security at the MCU level within typical modules is highly recommended. This strategic positioning not only presents a formidable barrier against cloning and counterfeiting issues but also fosters the establishment of secure authentication protocols and the creation of unique device identities. Secure MCUs can provide a seamless integration of essential security features, such as robust authentication processes, potent encryption capabilities, and secure boot functionalities. These functionalities come together to create a fortified environment, essential for the optimal functioning of connected IoT applications, thereby ensuring a safer, more reliable network where devices can communicate and operate with an enhanced level of security and trust.

IoT module security outlook: Post-quantum security is becoming crucial for IoT

Currently, the general life span of most IoT devices is 8–12 years, with automotive 5G module applications lasting 10–15 years. With these long life spans, when building cellular IoT modules, it is essential that manufacturers look beyond current threats; specifically, they should start planning for the commercialization of quantum computing and the potential for state actors and cybercriminals to crack complex, commonly used encryption methods.

In October 2019, Google announced quantum supremacy in the journal Nature with its 54-qubit Sycamore processor, which Google claims was able to perform a complicated task in 200 seconds that would take the world’s most powerful supercomputer 10,000 years to perform. Many countries and companies are also advancing with quantum computing, such as the Chinese Academy of Sciences and QuantumCTek, a quantum information technology developer. Other Google competitors, such as IBM, Microsoft, Amazon, and Intel, along with several new startups, have all invested heavily in developing quantum computing hardware in recent years.

While quantum chips have not reached widespread commercialization yet, manufacturers can start considering quantum security solutions today. Governments are already looking at standards and quantum-proofing solutions for their agencies and companies, and the following are just some examples:

  • In January 2022, the French National Agency for IT Systems Security (ANSSI) published its views and recommendations for PQC transition, offering a 3-phase process expected to last at least until 2030.
  • In July 2022, the US Department of Commerce’s National Institute of Standards and Technology (NIST) announced its selection of four quantum-resistant cryptography algorithms, constituting “the beginning of the finale of the agency’s post-quantum cryptography (PQC) standardization project,” which NIST expects to complete and publish in 2024.
  • In August 2023, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and NIST published a PQC migration readiness sheet to help the government and private sector start planning their quantum readiness.

Further, some companies are already developing post-quantum solutions. For example, Thales Group offers 5G security solutions with end-to-end encryption and authentication to safeguard organizational data as it moves across front-haul, mid-haul, and back-haul operations. These solutions rely on Thales’ 5G Luna Hardware Security Modules (HSMs). Further, in February 2023, Thales Group announced that it successfully piloted what it called a post-quantum resilient, end-to-end encrypted call using its Cryptosmart mobile app and its 5G SIM.

What it means for cellular IoT module manufacturers

5 key questions that cellular IoT module manufacturers should ask themselves based on the insights in this article:

    1. Product strategy and security implementation: How can we realign our product strategy to prioritize the implementation of dedicated hardware security features without significantly escalating costs?
    2. Response to political and legislative changes: How are we positioning ourselves to address the potential political and legislative changes affecting the market, particularly concerning the US Congress’s concerns regarding Chinese cellular IoT modules?
    3. Security standards and compliance: Are we in line with the recent security standards and guidelines issued by agencies like ANSSI, NIST, and NSA, and are we preparing for the expected security transitions in the coming years?
    4. Consumer education and advocacy: How can we educate consumers on the importance of dedicated hardware security features and advocate for a broader shift towards these in the market?
    5. Post-quantum security solutions: Are we collaborating with communications companies and other stakeholders to develop and pilot post-quantum security solutions that can safeguard organizational data across various operations effectively?

What it means for users of cellular IoT modules

5 key questions that device/equipment makers and end users that adopt cellular IoT modules should ask themselves based on the insights in this article:

    1. Security implementation: Given the demonstrated vulnerabilities in non-dedicated hardware security features, what strategies should we adopt to integrate dedicated hardware security features without escalating costs significantly?
    2. Compliance and legislation: In light of the concerns raised by the US Congress regarding the use of Chinese cellular IoT modules, how can we ensure compliance with evolving regulations and maintain the trust of our North American consumers?
    3. Post-quantum security: Given the advancements in quantum computing, what steps should we take to incorporate post-quantum security solutions in our cellular IoT modules, keeping in mind the projected long life span of these devices?
    4. Research and development: How can we foster innovation in our R&D department to develop unique hardware security features that offer robust protection against present and future threats?
    5. Customer education: How can we educate our customers on the security features we use, building trust in the security of the devices they use?

The report is part of IoT Analytics’ Global Cellular IoT Module and Chipset Market Tracker & Forecast, which provides a quarterly look at the revenues and shipments of the companies providing IoT modules and chipsets for cellular IoT deployments. The tracker also includes a quarterly and annual forecast from Q3 2023 to 2027.

IoT Security Report Sheds Light on Hospitals’ Device Risks https://iotbusinessnews.com/2023/08/23/09897-iot-security-report-sheds-light-on-hospitals-device-risks/ Wed, 23 Aug 2023 16:50:03 +0000 https://iotbusinessnews.com/?p=40232

IoT Security Report Sheds Light on Hospitals' Device Risks

“Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk” details the challenges that hospital systems now face, and the increasingly urgent need for modernized risk mitigation.

Asimily, an Internet of Things (IoT) and Internet of Medical Things (IoMT) risk management platform, today announced the availability of a new report: Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk.

The full report highlights the unique cybersecurity challenges that healthcare delivery organizations (HDOs) face and the true costs of their IoT and IoMT security risks. HDOs have a low tolerance for service interruptions to network-connected devices and equipment because of their crucial role in patient outcomes and quality of care. Resource-constrained HDO security and IT teams continue to face operational difficulties in sufficiently securing critical systems from increasingly sophisticated attacks, as their vast and heterogeneous IoMT device fleets complicate management and, left unchecked, offer a broad attack surface. The report concludes that adopting a holistic risk-based approach is the most cost-efficient and long-term-effective path for HDOs to secure their critical systems and IoMT devices.

Among the key findings and analysis included in the new report:

  • Emerging cybersecurity trends and challenges: The report reveals the top cyberattack strategies impacting HDO medical devices right now: ransomware attacks that spread to devices and disrupt services, third-party-introduced malware that impacts device performance, and devices communicating with unknown IP addresses to enable remote breaches. Cyberattacks on healthcare providers have become remarkably common: the average HDO experienced 43 attacks in the last 12 months. Unfortunately, many of those attacks are successful, with 44% of HDOs suffering a data breach caused by a third party within the last year alone.
  • The high cost of doing nothing: For HDOs, today’s high-failure status quo can be catastrophic. Cyberattacks cost HDOs an average of $10,100,000 per incident. Worse, cyber incidents are directly responsible for a 20% increase in patient mortality. 64% of HDOs also reported suffering from operational delays, and 59% had longer patient stays due to cybersecurity incidents. Those financial and operational burdens are pushing many HDOs to the brink: the average hospital operating margin sits at 1.4% in 2023. Currently, more than 600 rural U.S. hospitals risk closure, in an environment where a single cyberattack can put a smaller HDO out of business.
  • Poor device health leads to poor outcomes: HDO security and IT teams face a high-risk environment where the average medical device has 6.2 vulnerabilities. Adding to this challenge, more than 40% of medical devices are near end-of-life and poorly supported (or unsupported) by manufacturers.
  • Cybersecurity resources and staffing are limited: Even when device vulnerabilities are recognized, HDO security teams are able to fix only 5-20% of known vulnerabilities each month.
  • Cyber insurance is no longer enough: As ransomware attacks and breaches have skyrocketed in recent years, cyber liability insurers are introducing coverage limits and capped payouts, making it a less and less effective recourse for HDOs. At the same time, cyber insurance also fails to address the costly reputational damage an HDO suffers following a breach.

“This report details the very current and very significant challenges that HDOs face in defending themselves from cybersecurity risk, and the profound need for holistic and optimized risk reduction strategies as they implement and scale a cybersecurity risk management program for their connected devices,” said Stephen Grimes, Managing Partner & Principal Consultant at Strategic Healthcare Technology Associates, LLC. “Asimily’s risk prioritization capabilities and clear device vulnerability scoring enable HDO security teams to overcome limited resources and accurately focus on remediating the greatest risks to their organizations, achieving a ten-fold increase in cybersecurity productivity. We invite HDO leaders and their cybersecurity risk managers to read and absorb the lessons of this report, and to take the steps necessary to mitigate IoMT device risks with the strategic efficiency and effectiveness these risks demand.”

“As a growing healthcare organization acquiring clinics and offering new services like ambulatory clinics, you have to stay in front of the risk,” said Kevin Torres, the VP of IT and CISO at MemorialCare, an Asimily customer and leading nonprofit health system in Orange County and Los Angeles County that includes four hospitals along with other specialized clinics. “You need to make sure that you’re effectively onboarding these environments and matching their security posture to yours. Using Asimily, we gained full visibility into connected IoT and IoMT devices and their associated vulnerabilities. Our security program achieved 98% NIST compliance while the average of 60 similar HDOs is 71%.”

Read the Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk here.

Addressing the trust gap between IoT design and development https://iotbusinessnews.com/2023/08/09/87540-addressing-the-trust-gap-between-iot-design-and-development/ Wed, 09 Aug 2023 16:57:35 +0000 https://iotbusinessnews.com/?p=40194

Addressing the trust gap between IoT design and development

By Ellen Boehm, SVP of IoT Strategy & Operations, Keyfactor.

The Internet of Things is everywhere, from weather sensors and industrial control systems to smart watches, refrigerators, and implanted medical devices. The number of IoT devices in use worldwide is expected to exceed 15 billion this year (three times the number of human users on the Internet), and will almost double that amount by 2030.

IoT devices hold so much potential for positive change – but their ability to connect objects, share information, and perform actions is precisely what makes them intensely vulnerable. The proliferation of devices creates a lot of risk, as the attack surface of connected devices expands to practically every level of society.

Given that IoT devices abound in applications for critical infrastructure, healthcare, and consumer use, it’s important to get IoT security right. Some of the most notable examples illustrating the vulnerabilities of IoT devices include compromised medical devices like cardiac devices and insulin pumps, and flawed wireless connections in cars that allowed a hacker to cut the brakes, shut off the engine, or take control of the steering. There are also chilling personal accounts, such as an incident where a compromised baby monitor let a hacker watch a baby and audibly threaten their parents with a kidnapping. Unfortunately, a recent survey by Pulse and Keyfactor found that while 62% of product and manufacturing leaders are concerned about their IoT device security, only 42% felt they had a clear strategy for securing device identities.

As often happens with new technology, the explosive growth of the IoT has outpaced security. But as IoT devices become even more commonplace, the risks increase significantly, even to the point of putting people’s lives at stake. IoT security must become a priority – and it’s every organization’s responsibility to take the necessary steps to ensure any IoT application or device in use is secure.

Prioritizing IoT Security at Every Step

Device manufacturers often have no clear security standard to work with, resulting in a lot of ambiguity and inconsistency in the market. That ambiguity can flow downstream, resulting in inconsistencies in authentication practices, ongoing security updates, and communications between connected devices. While there are changes afoot, such as the Matter smart home standard, efforts to establish minimum security standards for IoT devices are not yet widespread enough.

To overcome the growing risks associated with IoT devices, organizations need to take the same type of approach that is applied to software development—introducing security early in the development process, and prioritizing it every step of the way thereafter. With this mindset, teams can create trusted device identities, ensure data confidentiality, and maintain the integrity of the data and firmware running on each device. Adhering to the following best practices will help strengthen IoT device security.

    Create unique credentials for each device. Digital certificates are used to verify the identity of the sender of an electronic message by creating a highly secure, unique authentication method for each device. Providing each device with a unique digital certificate is significantly more effective than merely using default passwords or even using shared keys for symmetric encryption. This is because symmetric encryption does not differentiate between devices, making it impossible to share information with a specific connected device or to know which specific device data originated from. Using asymmetric encryption with unique digital certificates enables manufacturers to share information with a specific device and to know which specific device data originated from—enabling highly secure authentication of each device and ensuring the integrity of the data.
    Take extra precautions for private key storage. Creating unique credentials for each IoT device requires the use of asymmetric cryptography, which generates a public and private key pair. While public keys can be shared, private keys need to be stored securely. The best way is with hardware-based security such as a Trusted Platform Module (TPM) or Secure Storage. A TPM chip, for example, protects keys and digital certificates via a hardware-enabled secure crypto processor, providing strong protection against being compromised.
    Verify firmware and software updates. The ability of hackers to install malicious software on connected devices is a significant threat. Using a public/private key pair and requiring that development teams sign their code reduces that threat. Each device would require a public key that matches the development team’s private key, which would verify that the update did come from the team and that it was not modified in transit.
    Provide ongoing lifecycle management. Any static system is inherently insecure, and the digital certificates and key pairs in use will weaken over time. Without proper management, there is a huge chance that certificates can either expire or serve as an infiltration tool for cybercriminals, unbeknownst to the team. This is because a certificate continues to remain valid even when it has been cycled out of use before the end of its 398-day lifespan. With the increasing quantity of IoT devices, tracking inventory across the field and detecting device changes are the most substantial security challenges for organizations. To enact proper lifecycle management, teams should map all devices and their associated digital keys and certificates within their organization. This helps establish an exact inventory of what’s in use and allows for easier monitoring of all certificates and keys, particularly when updates are needed or when teams need to revoke a certificate for a device that is no longer in use.
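An added example, not from the article or from Keyfactor: a small inventory audit for the credential practices listed above, flagging keys shared between devices, certificates that are still valid after being cycled out of use, and expiry problems. The record fields, finding codes, 30-day renewal window and sample inventory are assumptions constructed for illustration; the 398-day figure is the one quoted above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)  # lifespan figure quoted in the article
RENEW_WINDOW = timedelta(days=30)   # assumption: renew this long before expiry


@dataclass(frozen=True)
class CertRecord:
    """One row of the device/certificate inventory (hypothetical schema)."""
    device_id: str
    serial: str            # certificate serial number
    key_fingerprint: str   # hash of the certificate's public key
    not_before: datetime
    not_after: datetime
    in_use: bool           # False once the device is retired or the cert rotated out
    revoked: bool


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def audit(inventory, now):
    """Return a sorted list of (serial, finding_code) for the inventory."""
    # Map each public key to the set of devices presenting it, so a key
    # copied onto several devices (a shared credential) stands out.
    devices_by_key = defaultdict(set)
    for rec in inventory:
        devices_by_key[rec.key_fingerprint].add(rec.device_id)

    findings = []
    for rec in inventory:
        still_trusted = (rec.not_before <= now <= rec.not_after
                         and not rec.revoked)
        if len(devices_by_key[rec.key_fingerprint]) > 1:
            findings.append((rec.serial, "SHARED_KEY"))
        if rec.not_after - rec.not_before > MAX_LIFETIME:
            findings.append((rec.serial, "LIFETIME_TOO_LONG"))
        # Cycled out of use but never revoked: relying parties still accept it.
        if not rec.in_use and still_trusted:
            findings.append((rec.serial, "REVOKE_UNUSED"))
        if rec.in_use and rec.revoked:
            findings.append((rec.serial, "REVOKED_IN_USE"))
        if rec.in_use and not rec.revoked:
            if now > rec.not_after:
                findings.append((rec.serial, "EXPIRED"))
            elif rec.not_after - now <= RENEW_WINDOW:
                findings.append((rec.serial, "RENEW_SOON"))
    return sorted(findings)


# Constructed sample data, not taken from any real fleet.
NOW = utc(2023, 8, 9)
SAMPLE_INVENTORY = [
    CertRecord("sensor-001", "1001", "fp-a1", utc(2023, 1, 1), utc(2024, 1, 1), True, False),
    CertRecord("sensor-002", "1002", "fp-shared", utc(2023, 3, 1), utc(2024, 3, 1), True, False),
    CertRecord("sensor-003", "1003", "fp-shared", utc(2023, 3, 1), utc(2024, 3, 1), True, False),
    CertRecord("pump-004", "1004", "fp-d4", utc(2022, 8, 1), utc(2023, 8, 20), True, False),
    CertRecord("pump-005", "1005", "fp-e5", utc(2023, 2, 1), utc(2024, 2, 1), False, False),
    CertRecord("cam-006", "1006", "fp-f6", utc(2022, 6, 1), utc(2023, 7, 1), True, False),
    CertRecord("cam-007", "1007", "fp-g7", utc(2023, 1, 1), utc(2025, 1, 1), True, False),
]

if __name__ == "__main__":
    for serial, code in audit(SAMPLE_INVENTORY, NOW):
        print(f"cert {serial}: {code}")
```

The `REVOKE_UNUSED` finding is the case the lifecycle paragraph warns about: a certificate for a retired device stays acceptable to relying parties until it expires or is explicitly revoked.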

As the IoT ecosystem has grown and matured, severe security issues have cropped up that could cost device manufacturers millions of dollars and an unquantifiable loss of trust. In a worst-case scenario, a security flaw could put lives at risk. The sheer number of IoT devices in the world, and the fact that they are now performing mission-critical functions in a variety of fields, means it’s time to get serious about IoT security. By prioritizing IoT security through encryption, unique credentials, and ongoing lifecycle management, organizations can rest assured that the innovative new devices they introduce to the market – as well as the devices that are used for their own operations – will not introduce any disruptive risks.

The post Addressing the trust gap between IoT design and development appeared first on IoT Business News.

A Milestone for securing the Internet of Things: Infineon welcomes introduction of a voluntary U.S. IoT security label https://iotbusinessnews.com/2023/07/18/89051-a-milestone-for-securing-the-internet-of-things-infineon-welcomes-introduction-of-a-voluntary-u-s-iot-security-label/ Tue, 18 Jul 2023 14:07:46 +0000 https://iotbusinessnews.com/?p=40075

A Milestone for securing the Internet of Things: Infineon welcomes introduction of a voluntary U.S. IoT security label

Today, U.S. Deputy National Security Advisor Anne Neuberger, Chairwoman of the Federal Communications Commission (FCC) Jessica Rosenworcel, and Laurie Locascio, Director of the National Institute of Standards and Technology (NIST) unveiled the U.S. national IoT security label at the White House.

Infineon Technologies AG supports this action to address the growing need for IoT security. The new label supports the IoT security requirements under NISTIR 8425, which resulted from an Executive Order to improve the nation’s cybersecurity. This label will recognize products that meet these requirements by permitting them to display a U.S. government label and be listed in a registry indicating that these products meet U.S. cybersecurity standards.

Thomas Rosteck, President of Connected Secure Systems, Infineon Technologies, said:

“Security is crucial for the Internet of Things. Without sufficient cybersecurity, there cannot be any IoT.”

“As a leading provider of semiconductors for security and IoT devices, Infineon welcomes the step the U.S. government has made and fully supports programs to boost cybersecurity for the Internet of Things. The U.S. label is a significant milestone towards strong global cybersecurity standards. We believe the implementation of this program will empower consumers and further boost the adoption of IoT products in the U.S. and beyond.”

Infineon semiconductors provide a secured foundation for many IoT devices. To demonstrate how easily Infineon products can be used to build secured IoT devices, Infineon’s IoT development kit (CY8CKIT-062S2-43012) will seek to obtain the U.S. national label. Certification of this development kit will help our customers to create IoT products that are compliant with the U.S. national label.

Infineon was involved in the development of the IoT label program through its participation as a member of the Connectivity Standards Alliance (CSA). The U.S. cybersecurity guidelines are closely aligned with several CSA standards, including the Matter standard. Matter provides device manufacturers with a secured communication standard for a wide range of smart home applications and thus improves connectivity between smart devices from different manufacturers. CSA’s Product Security effort (chaired by Infineon) will certify that IoT devices meet global security requirements, including those used by the U.S. national label. Together, these standards move the IoT to a higher level of interoperability and security.

For more information on IoT cybersecurity and Infineon’s approach to securing the ecosystem, please download the whitepaper “How to meet the IoT security requirements of today and tomorrow,” here.

IoT Security: How to Protect Your Solutions https://iotbusinessnews.com/2023/06/09/34540-iot-security-how-to-protect-your-solutions/ Fri, 09 Jun 2023 08:44:59 +0000 https://iotbusinessnews.com/?p=39895

IoT Security: How to Protect Your Solutions

When it comes to internet-connected devices, one of the biggest concerns is the chance of hacker attacks that can lead to a loss of critical data. Today, in the era of Internet of Things technology, when attackers are continuously looking for more sophisticated approaches to get access to users’ data, it’s obvious that IoT security should be treated as one of the core priorities by development companies.

The number of IoT-connected devices is actively growing all over the world. And while today their number is around 15 billion, it is expected that by 2030, this figure will be over 29 billion. They all are different but the main approaches to ensuring their security stay the same. And while some issues can be caused by the user’s behavior, a lot of vulnerabilities should be addressed already at the stage of system design by manufacturers and software developers.

Key IoT risks

To begin with, it is important to understand what issues and risks you can face if you work with Internet of Things systems. If you work with a reliable IoT development company, you will be warned about them as professional software engineers should be aware of them and know how to deal with them. It is demonstrated by the results of their work, and IoT development by Cogniteq can be named among the examples that prove these words.

  • Low authentication requirements. If your password is weak, the risk of having your account or device hacked is rather high. It may sound surprising, but a lot of IoT devices are not protected by passwords at all, which makes it very simple for hackers to reach them.
  • Legacy software. Some IoT-powered systems work with software that initially wasn’t developed to be compatible with the cloud technologies or that can’t support modern encryption standards. That’s why it is rather risky to use such apps in IoT solutions.
  • Lack of timely firmware updates. The necessity to regularly update your firmware and fix all the bugs as soon as they are detected is a must. The longer you postpone these processes, the higher your chances are to face security issues.
  • Shared access to the network. Many developers prefer to connect IoT devices to the same network that other users’ devices are connected to. For example, it can be LAN or WiFi. But in such a case, the whole network can face quite serious vulnerabilities because just one device can be used for hacking the entire system. That’s why it is highly recommended to use a separate network for every IoT app.
  • Vulnerabilities caused by physical access to devices. Some IoT devices can be placed in remote areas and be operated fully at a distance. However, it is not always possible. Very often people can physically contact devices, which may pose additional threats. Just a simple example: if a specialist who has access to such devices forgets to close the door to the room where they are placed, an unauthorized person may easily come in.

How to increase IoT security?

Though it is crucial to know the key threats, that knowledge alone is not enough to increase the level of protection of your IoT-powered systems. It is much more important to understand the ways to minimize the risks of external attacks.

  • Physical security. Though this principle is a very simple one, unfortunately, quite often companies that operate IoT-powered systems forget about it. You should carefully track the number and roles of people who get access to IoT devices. If you deal with cellular IoT devices, critical data is usually kept on SIM cards that can be easily stolen. That’s why devices should be well-protected.
  • IMEI lock. IMEI can be explained as the unique identification number of a mobile device. Thanks to an IMEI lock, you can ensure that a SIM card can be used only with an indicated IMEI, which means only with a chosen device. As a result, even if the card is removed, nobody will be able to use it on other devices.
  • Introduction of private networks. When data is sent from one device to another, this simple action is already a rather risky one for the security of the transferred data. And when you use any public network like WiFi for it, your solution becomes easy prey for hackers. One of the things that are important to do is message encryption. But even this step may not be enough. That’s why we highly recommend you use private networks that will prevent your data from getting to the public internet.
  • Detection of abnormal behavior. When there are attempts to breach IoT-powered devices or there is any suspicious activity on your network, you should be notified about that. To reach this goal, engineers should introduce specific tools for monitoring activities on the network, detecting the level of threat, and sending notifications to system admins who will have the possibility to timely react to any risks.

Final word

Data is one of the most valuable assets for any business, which is why hackers always try to get access to it. When you implement IoT solutions in your business processes, you need to think not only about their functionality but also about their security. Without proper protection of your system and, consequently, your sensitive data, you won’t be able to leverage the benefits of even the most powerful and innovative solution.

Intrinsic ID Launches Software to Protect Billions of Smart, Connected Devices Addressing Worldwide Cybersecurity Challenges https://iotbusinessnews.com/2023/03/13/05466-intrinsic-id-launches-software-to-protect-billions-of-smart-connected-devices-addressing-worldwide-cybersecurity-challenges/ Mon, 13 Mar 2023 12:50:29 +0000 https://iotbusinessnews.com/?p=39361

Intrinsic ID Launches Software to Protect Billions of Smart, Connected Devices Addressing Worldwide Cybersecurity Challenges

Intrinsic ID Zign Gives Every Connected Device a Unique Identity and Strong Security Basis to Protect Against Malicious Intrusion, Ensure Trusted Communication and Comply with Latest Legislation.

Intrinsic ID¹ today announced a new software-only solution that enables every connected device to have a unique identity and hardware-based security anchor, improving the reliability and trustworthiness of these devices, their networks and communications.

IoT security has lately been the subject of international legislation, underscoring the importance of the challenge for worldwide cybersecurity.

Zign provides a cost-effective security solution aimed at a broad range of sectors, including business, manufacturing, banking, critical infrastructure, medical and automotive. Easy to deploy on any type of new or existing IoT device, Zign can encrypt any IoT data, both in transit and on the device. Zign works in compliance with the most stringent security standards of both the US and EU Governments. The Intrinsic ID Zign solution combines proven, patented PUF technology with National Institute of Standards and Technology (NIST)-certified cryptographic algorithms to ensure a high level of security with unclonable, invisible keys, and encryption protections for even the smallest devices.

Dr. Pim Tuyls, CEO and co-founder of Intrinsic ID, said:
“Governments around the world are waking up and realizing additional security standards for consumer devices are needed to address the growing and important role the billions of connected devices we rely on everyday play. The EU Cyber Resilience Act, and the IoT Cybersecurity Improvement Act in the United States are driving improved security practices as well as an increased sense of urgency.”

“With the immense diversity of IoT devices supplied by various vendors, a device-agnostic security solution is key. Zign enables a more trustworthy and reliable IoT by providing every device with a security anchor based on the unique hardware properties of the device. This level of security helps build resilience and trust in our connected world.”

Cryptographic keys are essential for devices to encrypt data and secure communications. Traditionally, these keys are programmed into devices at secure manufacturing facilities and require costly, dedicated hardware for secure storage. Zign changes this by offering a highly secure solution implemented totally in software. Zign leverages the proven and patented SRAM PUF technology from Intrinsic ID to derive device-unique keys from tiny variations in the silicon of every chip, eliminating the need for programming keys or dedicated security hardware. With Zign, the keys are never stored and never leave the device, so they are invisible to attackers, unobtainable, and cannot be copied or altered, providing unmatched data security for an already huge and still growing market.

Key features and benefits of Intrinsic ID Zign include:

  • Improved security and compliance with upcoming legislation and standards, even for existing devices: Zign enables device makers to add basic security properties meeting NIST certification standards to any device, regardless of the type of hardware, even on devices already deployed.
  • Cost-effective to deploy: Zign can patch lacking security remotely, avoiding expensive recalls of unsecure devices and eliminating the need for trusted facilities to provision keys or for dedicated security hardware.
  • Strong and proven security: Zign provides the highest level of security based on patented PUF technology that has been stringently tested and certified by, among others, the US Department of Defense and EU governments, and has been field-proven in more than a half-billion devices.
  • Future-proof solution: Zign provides all required security functions to protect IoT devices during their entire lifecycle by enabling users to securely onboard and authenticate devices to services, set up secure communication, protect data at rest and in transit, and even de/re-commission keys at end of life.

Standards, Pricing and Availability

Zign is a NIST/FIPS-compliant software solution that enables IoT device makers to create a hardware-based root of trust. It has been validated for NIST CAVP and is ready for FIPS 140-3. Randomness is according to NIST SP 800-90A/B. Zign is available immediately and can be implemented at any stage of a device’s lifecycle, even after a device is already created and/or deployed in the field. Pricing is based on features and volume.

1 Intrinsic ID, the world’s leading provider of physical unclonable function (PUF) technology for security and authentication applications in embedded systems and the internet of things (IoT)

Intrinsic ID Protects 500,000,000 Devices Globally https://iotbusinessnews.com/2023/02/16/65250-intrinsic-id-protects-500000000-devices-globally/ Thu, 16 Feb 2023 14:15:54 +0000 https://iotbusinessnews.com/?p=39226

Intrinsic ID Protects 500,000,000 Devices Globally

  • Market trends: growing need for protecting connected devices & moving from software-only to hardware-based security
  • Intrinsic ID SRAM PUF technology provides a strong, scalable and cost-effective foundation of trust
  • Intrinsic ID solutions skyrocket in adoption, driving exponential growth of secure hardware technology

Intrinsic ID, the world’s leading provider of Physical Unclonable Function (PUF) technology for security and authentication applications in embedded systems and the Internet of Things (IoT), today announced that it is now protecting 500,000,000 devices worldwide with cutting-edge security technology.

This milestone achievement has been fueled by the vital need for security that our connected world is experiencing. With the rapidly growing number of devices that make up the IoT, it is no longer possible to connect these devices without having proper security in place. On top of the increasing need for protecting IoT devices comes an industry-wide shift from software-only to hardware-based security solutions, especially when it comes to protecting cryptographic keys.

The combination of these two trends has resulted in an exponential adoption rate of Intrinsic ID SRAM PUF technology. SRAM PUF facilitates the creation of a root of trust in hardware, in an easy and flexible manner and at low cost, without the need to store keys. These benefits of Intrinsic ID technology have given the company a strong position in the security markets for government and defense, industrial IoT, and data centers, while aiding expansion into new, high-growth vertical markets including automotive, wearables, healthcare, AI, and smart cities and homes.

Recent key achievements of Intrinsic ID include:

  • Exponential adoption of Intrinsic ID PUF technology. The number of new devices deployed with Intrinsic ID technology in 2022 was almost double compared to the number of devices in 2021.
  • Customer retention. A rapidly growing number of license deals is coming from recurring customers, which shows strong customer retention.
  • Strong 2022 financial performance. In 2022 revenue grew to a new record high, more than doubling 2021 revenue and making Intrinsic ID highly profitable in 2022.
  • Team Growth. During 2022 the Intrinsic ID team grew by about 20%. Team Growth continues in 2023 with vacancies across different departments inside the company.

Creating a better world that can be trusted

Dr. Pim Tuyls, CEO and co-founder of Intrinsic ID, said:

“Ensuring the reliability and trustworthiness of our electronics systems has become a critical concern worldwide, and is at the forefront of our remarkable success.”

“Our cutting-edge security IP is now integrated into more than half a billion devices, found everywhere from your wrist to data centers, and even in space. We closed out 2022 on a high note and are eager to continue this momentum in 2023 as we collaborate with our customers and partners to build a more secure and trustworthy world. With high growth potential in verticals such as automotive, data centers, and AI, we are confident in our continued success and we are actively expanding our team to support this growth.”

Intrinsic ID security solutions offer the best combination of security, flexibility, and cost and are used by leading global technology companies to authenticate devices, protect data, secure communications, and establish a secure root of trust.

Würth Elektronik partners with Crypto Quantique for IoT Security https://iotbusinessnews.com/2023/02/13/98720-wurth-elektronik-partners-with-crypto-quantique-for-iot-security/ Mon, 13 Feb 2023 14:51:53 +0000 https://iotbusinessnews.com/?p=39202

Würth Elektronik partners with Crypto Quantique for IoT Security

Würth Elektronik has signed a partnership agreement with Crypto Quantique.

Collaboration with the specialist in quantum-based cyber security in the Internet of Things (IoT) enhances security for Würth Elektronik’s wireless modules.

Würth Elektronik boasts a broad portfolio of modules for wireless communication and sensors for IoT applications. The modules support connectivity with Bluetooth, WiFi, Wireless M-Bus, Wirepas Mesh and proprietary radio protocols. Würth Elektronik offers components and development support for faster and more cost-effective development of market-ready IoT solutions—from simple cable replacement to radio chips with integrated GNSS modules.

Combining Crypto Quantique’s QuarkLink security software platform with Würth Elektronik’s wireless modules enables automatic and secure connection of thousands of sensor nodes to local or cloud-based servers. The platform allows device provisioning, onboarding, security monitoring, renewal and revocation of certificates and keys, performed with a few keystrokes on a GUI. Users have all the functions at their disposal required to manage IoT devices in their lifecycle.

“Würth Elektronik is often the first choice for radio modules, especially with industrial IoT applications. The spectrum of products offered, combined with wide-ranging support and application expertise, is outstanding,” Dr. Shahram Mossayebi, CEO of Crypto Quantique, explains the cooperation.

“Expanding the offering with QuarkLink also raises the appeal of these products. This makes implementing and managing secure IoT networks faster and easier. At a time when the global threats to such networks are greater than ever, this is an important advantage.”

“We are always interested in providing our customers with the best IoT technology, reducing their development costs and workload, without compromising performance, reliability or security. QuarkLink is an important new building block here,” says Oliver Opitz, Vice President, Wireless Connectivity and Sensors at Würth Elektronik eiSos GmbH & Co. KG.

Kudelski IoT Launches Matter Certificate Authority and Broad Security Portfolio for Manufacturers Company https://iotbusinessnews.com/2023/02/09/40989-kudelski-iot-launches-matter-certificate-authority-and-broad-security-portfolio-for-manufacturers-company/ Thu, 09 Feb 2023 15:42:38 +0000 https://iotbusinessnews.com/?p=39192

Kudelski IoT Launches Matter Certificate Authority and Broad Security Portfolio for Manufacturers Company

Company to leverage 30+ years of security lifecycle management expertise to bring trust and interoperability to consumer IoT devices.

Kudelski IoT, a division of the Kudelski Group, the world leader in digital security and IoT solutions, today announced that it will provide a wide array of security services and technologies to device manufacturers adopting Matter, the leading standard for smart home devices from the Connectivity Standards Alliance (CSA).

Kudelski IoT has also been approved by the CSA as a Product Attestation Authority (PAA) and Certificate Authority (CA) and will deliver signed certificates to manufacturers whose devices have been Matter certified, allowing them to create trusted devices that provide a frictionless and secure smart home experience.

The Kudelski IoT Matter CA Service enables companies to quickly and easily get scalable access to Device Attestation Certificates (DACs). The service is a managed, scalable “PKI as a Service” platform with Hardware Security Modules (HSMs) on Kudelski premises to secure private keys. Each manufacturer using the platform can manage the security lifecycle of certificates and devices in their own dedicated, cloud-based application. Kudelski IoT can also provide solutions for the secure provisioning of certificates into devices, both in the factory and in the field.

Kudelski IoT’s Certificate Authority is not only cost effective, but device and silicon manufacturers will also have access to a more complete portfolio of services to help them effectively design, build and test security as well as manage it throughout its lifetime. These services include threat & risk assessments, security architecture, device security assessments, firmware monitoring and secure firmware update services. Kudelski IoT also provides a Secure IP portfolio for silicon manufacturers interested in embedding lifecycle security into their chipsets.

“The Alliance is honored to be working with experienced security partners like Kudelski IoT to provide manufacturers with a Matter device attestation resource,” said Chris LePré, Head of Technology at the Connectivity Standards Alliance. “Device attestation is an integral part of ensuring new devices can be properly and securely accepted into a Matter network. Kudelski IoT is providing a very important resource that ultimately benefits consumers, who simply need to look for the Matter logo to receive a secure experience.”

Kudelski Group companies have worked with device manufacturers to enable and protect their devices and associated services for more than 30 years. Kudelski is a pioneer in pay media and has been protecting digital cable, satellite, terrestrial set-top boxes, and streaming services since their inception, providing a wide range of security technologies and services with a strong focus on device security and certification. The company has provided certificates, keys, and credentials to more than 500 million devices.

“Matter is clearly becoming an important force in creating a more secure connected home where everything just works, data and devices are protected, and consumers can enjoy devices and services without having to worry about privacy breaches,” said Hardy Schmidbauer, SVP of Kudelski IoT.

“We look forward to helping all the members of the Matter ecosystem create trusted, safe, and profitable connected devices and services, and to supporting the Matter ecosystem’s growth with not only Product Attestation, but also a range of other services and systems that help secure long-term success.”

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status https://iotbusinessnews.com/2023/01/23/03206-iot-security-foundation-announces-fifth-report-on-consumer-iot-vulnerability-disclosure-policy-status/ Mon, 23 Jan 2023 12:18:36 +0000 https://iotbusinessnews.com/?p=39138

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status

Disappointing Results and the Enactment of the UK Product Security and Telecommunications Infrastructure Bill Means Firms Could Face Monetary Penalties for Non-Compliance.

The IoT Security Foundation has published its latest influential research report which monitors the security management behaviour of consumer IoT product companies.

The study reviewed the practice of 332 companies identified as selling IoT products for consumer and commercial uses such as appliances, routers, audio, smart home, lighting, mobile, tablets and laptops. This is the fifth published report in the series, plotting industry progress since 2018 with prior versions cited as evidence in global standards and regulatory processes. The desk-based research was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.

Key Findings

Vulnerability management is critical for connected product security and is widely accepted as a basic hygiene practice for vendors. It features in nearly 30 cybersecurity guidance initiatives [1], including IoTSF’s highly popular IoT Security Assurance Framework [2]. Easy reporting of security issues is therefore regarded as essential for security lifecycle maintenance.

Once again, the main finding is that vulnerability disclosure practice remains at a disappointingly low level. In 2018 we found that just 9.7% of firms in the study had a disclosure policy and in this latest report that number is just 27.1%. This is still far below the near-100% the researchers would like to see.

Whilst it is not always easy to determine the origin of products, the analysis also indicates the best-performing region to be Asia, with European suppliers trailing significantly behind (34.7% vs. 14.5% respectively).

Evolving Practice

The report was originally conceived to raise awareness of vulnerability management and the likelihood of legislation, and it has also served as an ongoing commentary on the evolution of industry practices. As part of the study the researchers identified increases in the use of the ‘/security’ contact page and of machine-readable ‘security.txt’ files, and a small decline in PGP key usage for secure submissions. Two policy maintenance trends are also identified: a noticeable rise in the number of companies that are failing to keep their policies up to date and an increase in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

Regulation has arrived

As anticipated, the UK’s long-awaited Product Security and Telecoms Infrastructure (PSTI) Bill achieved Royal Assent on December 6th, 2022, meaning it is now law [3]. Within the legislation, there are responsibilities for manufacturers, importers, and distributors to provide a vulnerability disclosure policy [4]. This means that the 72.9% of companies identified in the report who do not have a policy will be in breach of UK law.

John Moor, Managing Director of IoTSF said:

“Naturally it is disappointing to see so many consumer IoT companies still not taking basic steps to maintain their product security. IoTSF members are strong advocates for building secure IoT systems and we work together to help others by sharing knowledge and publishing how-to guides, for those in need – many resources are published for free. There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.”

David Rogers, CEO of Copper Horse Ltd., said: “The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

HackerOne Inc. supported the creation of the 2022 report, and Laurie Mercer, Senior Manager of Security Engineering, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle. It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice. The fact that the UK has seen higher adoption speaks to the impact government legislation and policy can have on cybersecurity. Mandating VDPs is going to be the most effective way of ensuring consumer safety.”

Moor concluded with an optimistic outlook: “We should also praise those who made it their business to be on the 2022 green list and look forward to the next report, when we trust the legislation, with a possible penalty of up to £20,000 per day, will provide the necessary motivation to get off the red list of companies contained in the report.”

The report can be downloaded here. More reports from the IoTSF can be downloaded for free and without registration here.

Key IoT security trends for 2023 https://iotbusinessnews.com/2022/12/21/08703-key-iot-security-trends-for-2023/ Wed, 21 Dec 2022 16:14:39 +0000


Key IoT security trends for 2023

By Sam Colley, CEO, Pod Group.

In the coming year, it is predicted that there will be more than 43 billion devices connected to the Internet. With the speed at which the Internet of Things (IoT) industry is growing, 2023 is sure to be a year of exciting developments in the enterprise IoT space.

Yet the flip side of growth is that cybersecurity threats not only remain persistent but likewise grow. These include weak digital links, like unsecure connections and legacy devices, which can be taken control of to spread malware or gain access to confidential data.

As we head into 2023, IoT cybersecurity will play a greater role than ever before, with enterprises making important decisions on how best to shore up security in the digitally connected present and future.

Those decisions are the trends that drive the industry towards meeting the heightened demands of an increasingly connected world and the smart solutions that power it.

Here are two key IoT security trends we see unfolding in 2023.

The rise of private networks in the form of ENOs

While private networks have always existed, they’ll start to come to maturity in 2023. Enabling secure and seamless roaming between private and public networks is vital since switching between the two is not intrinsically safe. In addition, new technologies are giving rise to solutions in this space. In particular, Enterprise Network Operators (ENOs) play an important role here.

Traditionally, enterprises have worked with either MNOs or MVNOs to power their mobile networks. However, neither of these have been ideal solutions to meet enterprise needs properly, given the drawbacks of siloed networks with complex roaming agreements — all of which lack centralised control and increase IoT security threats. As a result, enterprises need tailored network services now more than ever and in 2023, this need will be met by ENOs.

ENOs combine the best features of both MNOs and MVNOs to put ownership of the network into the hands of the enterprise and provide completely tailored solutions, including more secure IoT connectivity. The coming year will see more of this technology taking root within business as enterprises seek to regain control over their data security and fortify their digital assets.

In fact, 92% of enterprises say they plan to use private networks by 2024, so expect 2023 to be the head start towards that future.

The rise of eSIM in B2B IoT

eSIMs are industry-standard digital SIMs that allow enterprises to activate a cellular plan without the need for a physical SIM. Just this year, Apple was one of the first consumer device makers to go mainstream with eSIMs, unveiling its iPhone 14 with the technology.

As opposed to physical SIM cards, eSIMs are soldered directly into the device, preventing them from being tampered with or removed to be used fraudulently. As a result, their use in the security of internet-connected devices is significant.

This is useful since it removes the requirement for an expensive SIM tray installation and makes it harder to tamper with the device. Beyond form factor issues, new SIM-based solutions, such as IoT SAFE or more complicated domestic counterparts, are broadening the spectrum of security protections available down to the SIM.

Following Apple’s lead, we can expect to see more companies turn to this technology, not only because of its security benefits but also due to the supply chain cost savings of not needing to add a SIM tray to each device.

Furthermore, unlike physical SIMs, eSIMs allow new profiles and agreements to be updated OTA, future-proofing each device’s connectivity and removing the need for a physical swap-out of the SIM. As a result, expect to see more enterprises move towards eSIM this coming year.

Bottom line: Security and IoT in 2023

In the coming year, we’ll increasingly see security considerations factored into the earliest stages of IoT product development, both of devices and of software in a process known as ‘Security by Design.’ With security taking the front seat, 2023 is poised to be a banner year for the IoT sector, delivering its most compelling — and most fortified — solutions yet.

Security IoT in Healthcare: Cybersecurity Best Practices https://iotbusinessnews.com/2022/11/23/70564-security-iot-in-healthcare-cybersecurity-best-practices/ Wed, 23 Nov 2022 13:39:43 +0000


Security IoT in Healthcare: Cybersecurity Best Practices

Healthcare providers are always pushing innovation to stay on the cutting edge of their industry, quickly embracing technology that could provide improved healthcare to their patients. They might not always be willing to invest in IT and cyber security, which is a gamble with people’s lives just as much as using archaic medical techniques.

Securing all networked devices in the healthcare industry is crucial, especially IoT devices. IoT devices are some of the most overlooked networked devices due to their ease of connection and mobility. Security teams might easily lose sight of where these devices are and when they are in use. Healthcare IoT security can be improved greatly through AI-driven monitoring software and some best practices.

Healthcare IoT Security Best Practices

Attack Surface Visibility

For any cyber security approach to be successful and comprehensive the entire attack surface needs to be completely visible.

This implies that network engineers need to be aware of all the devices that are connected to the network of the healthcare institution. The attack surface, more often than not, extends beyond the physical network in the institution. Many institutions connect to external services, sharing and collecting information from the cloud or over VPNs. This is especially true when dealing with patients’ billing information or medical history.

Security professionals need to understand this and implement solutions that can monitor and continually discover the institution’s attack surface. If a parent or partner system does not adhere to the same level of cyber security standards, they become the weakest link and could compromise the entire chain of trust.

Segregated Internal Networking

Healthcare institutions have a multitude of disparate end nodes connected to their network. These include devices like stationary patient monitoring systems, file servers, security systems, workstations, and a large number of mobile IoT devices.

Under normal circumstances, any type of network breach could be potentially devastating to an organization. This is even more so in the healthcare industry, where the lives of people hang in the balance, not to mention a treasure trove of personally identifiable and medical information.

Therefore, healthcare institutions need to have segregated networks. The IT term for this is subnetting. Essentially, various systems need to be grouped and isolated from other systems and devices on a hospital’s network. This provides a basic countermeasure in the event of a network breach by threat actors: it limits the threat actor’s ability to move laterally throughout the network.

This aggregation of devices can greatly limit the impact of a data breach as well as provide network monitoring systems with closed sectors for accurate and efficient monitoring.

Zero-trust Approach

Although this might seem like the latest buzzword in the cyber security industry, the zero-trust architecture can greatly increase the cyber security posture of any organization, not only healthcare institutions.

Zero-trust is an implementation of multiple technologies driven by user rights and authentication mechanisms. How is this different from the traditional authentication and trust paradigm? Legacy network security followed an approach where users were given access to trusted resources based purely on the fact that they formed part of a specific user group or collection of users.

Users often ended up receiving more access than they needed to perform their duties. This meant that in the scenario where their user account was compromised the threat actor would gain access to multiple systems at once.

By implementing a zero-trust architecture, the effective access that users have to network resources is not only greatly reduced, since they have to be given explicit access to what they need, but also constantly reviewed and adjusted.

In Conclusion

The importance of IoT cyber security in the medical industry cannot be overstated. Not only are the institution’s business data and reputation at risk, but also the lives of patients who are relying on necessary medical equipment. Threat actors can potentially cause irreparable damage to innocent people’s lives or even cause their death.

Health institutions need to make cyber security a clear priority by implementing practices as described above. Some hospitals, for example, even implement AI-driven attack surface scanning software that can alert them in real time about potential cyber risks.

How Radio Frequency Security Can Ensure IoT Safety https://iotbusinessnews.com/2022/10/26/79021-how-radio-frequency-security-can-ensure-iot-safety/ Wed, 26 Oct 2022 14:01:05 +0000


Danny Rittman, CTO of GBT Technologies

Internet of Things (IoT) technology offers a growing number of businesses a wide range of benefits, including better communication, speedy operation, and automation for improved efficiency and productivity. However, with these benefits also comes a silent and stealthy threat: radio frequency (RF) attacks.

Wireless devices and the risk of RF attacks

There are up to 22 billion mobile, wireless, and IoT devices in the world, and about 15 billion of these devices operate within the RF spectrum. Without effective RF cybersecurity protocols, these devices can represent a serious blind spot that allows cybercriminals to roam freely in corporate airspaces, where they can steal intellectual property and sensitive company data.

The issue is compounded by the fact that most current cybersecurity protocols cannot detect devices that operate within the RF spectrum. As such, it is vital for businesses to take this threat seriously and understand how they can stop these attacks.

The hidden danger of RF

Over the years, cybersecurity professionals have gotten pretty good at protecting Ethernet systems, i.e. with hard-wired components connected through cables. Attacks and data breaches still happen, but provided that effective cybersecurity protocols are in place, cybersecurity teams can at least detect when a breach has occurred and take appropriate countermeasures to limit the damage.

However, standard cybersecurity protocols have been turned on their head by the rise of Bluetooth, BLE, and IoT devices that communicate through radio waves on the RF spectrum, connections that are usually unencrypted and operate on unsecured radio channels.

What’s important to understand is that the vulnerabilities in RF devices reside not so much in their operating systems or applications, but in how signals are sent from one RF device to another. Because these devices use the same unencrypted data key each time they transmit information, they can be easily attacked by malicious third parties. This can lead to data tampering, eavesdropping, or even piggybacking, all of which could compromise sensitive company secrets. The security team may not even learn of the breach until obvious red flags occur, such as locked user accounts, sudden file changes, or an abnormally slow network performance, at which point the damage is already done.

The security challenge is even more intractable because of the widespread nature of RF devices today. They exist everywhere as smartphones, medical wearables, laptops, keyboards, and any other type of wireless tech you can think of, a good deal of which are built by manufacturers more concerned with cost-cutting than proven security measures.

Worse yet, company devices or personal gadgets can be easily compromised outside the facility, such as in cafés or restaurants that employees frequent. The unsuspecting employee will then carry the infected device back to the facility, where it will serve as a launching pad for a wider infiltration.

Creating greater RF security

Businesses can better safeguard their intellectual property and sensitive data with a robust security system that closes as many blind spots as possible. Companies should take the following steps toward securing their RF air space:

1. Establish control of your radio airspace

Conduct an assessment of all devices operating in your radio airspace that use Wi-Fi, Bluetooth, BLE, and cellular signals. Determine whether these signals are encrypted and, if not, bring their firmware up to date. It may also be necessary to implement strict policies that forbid employees from taking company devices outside the facility while also disallowing personal devices that aren’t fully secured.

2. Evaluate RF security technologies

Placing safeguards against the use of unsecured RF devices in your facility will go a long way toward improving your security. But what’s even more important is evaluating and deploying effective RF security technologies that can detect, analyze, and alert your security team to the presence of an unsecured RF device.

Whatever your choice of vendor, the key thing is to ensure that unsecured devices can be detected in real-time, 24/7. It’s no good if the system can only detect devices during one-off security scans; it needs to work at all times and provide immediate alerts when a foreign device is detected.

3. Integrate RF security into your infrastructure

Deploying any new piece of technology requires an assessment of how it will fit within your larger technological landscape. The new system must work in conjunction with the rest of your cybersecurity systems, with no room for hiccups, security gaps, or incompatibility issues. Depending on the new system, this can require a detailed plan for a testing phase, a limited launch phase, and a facility-wide launch once all the kinks have been worked out.

Even once fully launched, the new system will need to undergo regular monitoring and reviews to see if it’s working as it should and whether there is any room for improvement. Companies should also prioritize future-proofing to ensure the system can continue working for many years with only occasional updates to meet new threats and attack vectors.

Final thoughts

Most businesses and their cybersecurity teams have a high appreciation for how dangerous security breaches can be, especially when it comes to their intellectual property and other closely guarded company secrets. That said, companies need to develop a greater appreciation for the potential threats of RF attacks that target unsecured wireless devices. As we move towards greater use and integration of IoT devices in our daily business operations, it becomes more important that companies recognize this unseen threat.

Author bio: Dr. Danny Rittman, CTO of GBT Technologies, a solution crafted to enable the rollout of IoT (Internet of Things), global mesh networks, artificial intelligence and for applications relating to integrated circuit design.

Portnox Debuts First Cloud-Native IoT Fingerprinting and Profiling Solution https://iotbusinessnews.com/2022/10/12/84977-portnox-debuts-first-cloud-native-iot-fingerprinting-and-profiling-solution/ Wed, 12 Oct 2022 13:00:37 +0000


Portnox Debuts First Cloud-Native IoT Fingerprinting and Profiling Solution

Zero Trust Security Leader Brings Lightweight, Easy-to-Use IoT Security Capabilities to the Enterprise and Mid-Market.

Portnox, a proven leader in cloud-native, zero trust access and endpoint security solutions, today announced the general availability of the first cloud-native IoT security solution to help mid-market and enterprise businesses address rising Internet of Things (IoT) security threats.

Now available via the Portnox Cloud, Portnox’s new IoT fingerprinting and profiling capabilities empower organizations to easily and accurately identify, authenticate, authorize, and segment IoT devices across their network to ensure an effective zero trust security posture.

“No organization is immune to the inherent and increasing number of security risks IoT devices pose as they are more susceptible to vulnerabilities and, therefore, prime targets for cyberattacks. Companies of all sizes must properly secure these devices to prevent them from serving as a gateway onto the corporate network by cybercriminals. But as networks become more complex and distributed, and as the number of IoT devices continues to grow, it’s becoming more and more difficult to identify and control access for these devices across a given network, let alone secure them,” said Denny LeCompte, CEO, Portnox.

“As we bring our vision of simplifying access control and endpoint security for mid-market IT teams to fruition, adding a solution for IoT fingerprinting to our cloud-native platform was the natural next step. Portnox now gives customers full visibility of IoT devices in use across their respective networks.”

Juniper Research predicts that the total number of IoT connections will surge to 83 billion by 2024, while Ponemon Institute found that most (94 percent) organizations think that a security incident related to unsecured IoT devices or applications could be “catastrophic”. Large enterprises are not alone when it comes to rising IoT security headaches – organizations of all sizes are actively trying to strengthen their security postures to account for the surge of threats tied to the rising operational dependence on IoT. With so many IoT devices – printers, cameras, thermostats, sensors, monitors, etc. – now in use across all types of organizations, the ability to automatically onboard and enforce IoT device authentication, control and security policies across the network is mission critical.

Already helping more than 1,000 organizations navigate ever-changing cybersecurity threats, Portnox solutions are purpose-built to be exceptionally easy-to-use, scale, and manage. With the addition of IoT fingerprinting and profiling to the Portnox Cloud, Portnox customers can now enjoy enhanced confidence in the security posture of their network with respect to IoT – without the cost and resource demands associated with traditional on-premise IoT security solutions that can often be complex to configure, deploy, and maintain.

With the latest solution expansion, the Portnox Cloud now provides organizations with:

  • Complete device visibility and access policy enforcement across the network for all major device groups – IoT, bring your own device (BYOD) and managed devices
  • Enhanced IoT fingerprinting and profiling accuracy powered by artificial intelligence and machine learning
  • Strengthened organizational zero trust security postures, accounting for all devices and access layers – on-site and remote

This technology will unlock a tremendous number of additional capabilities, such as automatic policy mapping based on fingerprints and leveraging fingerprinting data to thwart potential MAC Address spoofing risks. Portnox customers can also use fingerprinting information to provide EoL/EoS dates, as well as list potential security vulnerabilities on the endpoint to augment network access and remediation policies.

Portnox continues to rapidly expand its zero trust security offerings across the Portnox Cloud. The company is currently exploring new ways to add agentless risk assessment policy enforcement, as well as data capture options to increase IoT fingerprinting access and automate micro-segmentation and quarantining for IoT devices in future iterations of the solution.

“Providing intelligent insight and visibility into IoT devices connecting to a business’s network with absolutely zero on-prem footprint required is absolutely unprecedented,” said Portnox Vice President of Product Management Jeremy Morrill. “From somewhat basic IP phones, security cameras, printers, TVs and streaming appliances, to complex medical devices and manufacturing equipment, the need for comprehensive IoT security has never been more critical – especially as the proliferation of IP-connected devices continues to accelerate and shows no sign of slowing.”

Effective immediately, IoT fingerprinting and profiling will now be automatically included in Portnox’s NAC-as-a-Service subscription for organizations with 500+ devices.

Find more details on pricing packages here.
