The Internet of Things (IoT) has been a hot topic for years. More recently, IoT security has moved front and center, and that’s not something that will change any time soon.
For as much promise as the IoT holds – and has already delivered for that matter – it’s only as good as the security behind it. And historically, that security has left a lot to be desired. Fortunately, manufacturers and regulators have started to pay much closer attention to IoT device security over the past few years, and we’re making lots of headway in this area.
Going into 2023, we can expect to see even more progress in IoT device security. While the path continues to have its challenges, the introduction of new standards has helped strengthen best practices, and many of these changes will come to fruition in the year ahead.
With that in mind, what are the biggest IoT trends for 2023 and what progress can we expect in terms of IoT device security? To learn more, we sat down with Ellen Boehm, SVP of IoT Strategies and Operations at Keyfactor. Here’s what she had to say.
Keyfactor: What is the biggest IoT device security challenge you foresee impacting organizations as we head into 2023?
Ellen Boehm: There are certainly a lot of challenges regarding IoT device security, but the biggest one I foresee in 2023 centers around evolving standards and guidelines for product cybersecurity.
Specifically, as the product cybersecurity standards and guidelines continue to mature, OEMs must keep a close eye on the changes to understand the impact on their business and processes. This is especially important – and challenging – because evolutions to these standards and guidelines can impact everything from product development to overall device operations, and OEMs will need to act quickly to keep up.
Keyfactor: What do you think we need to do to make IoT devices more secure?
Ellen Boehm: The best thing we can do to boost IoT device security is to continue to follow best practices around unique device identities and certificate-based authentication. Ensuring this becomes the standard in 2023 will be essential to strengthening security in other areas going forward.
Keyfactor: The Matter standard is striking new ground by setting the standard for security policies and processes using PKI to validate device certification and provenance. To what extent do you think organizations will embrace Matter’s standards? And what else can organizations do to ensure users are connecting authentic, certified, and up-to-date devices to their homes and networks?
Ellen Boehm: I absolutely think organizations will embrace the standards that Matter has put forth. This is notable since, as of now, the Matter standard only covers certain devices (like light bulbs and switches, smart locks, and garage door controllers) but not others (like vacuums and security cameras). Even so, I recently spoke with GE, and they confirmed that the OEMs with which they work are following the recommendations from Matter around enabling interoperability with smart home devices produced by multiple manufacturers.
Quite simply, smart home OEMs now recognize that multiple brands will be used in the home and they need to collaborate to build the “Smart Home of the Future” and ensure these devices can be used together securely. Matter provides the industry standard to enable that, and OEMs are definitely starting to embrace those guidelines.
Keyfactor: Are there any specific verticals you see making particular strides in securing IoT devices?
Ellen Boehm: I’ve personally worked with companies in the automotive (V2X, EV charging), medical technology, utilities/metering, transportation, telecommunication, and Industry 4.0 verticals on IoT projects. Notably, all of these companies and their verticals are adopting IoT technologies to advance their product and service capabilities, and thinking through security from the very beginning comes part and parcel with that.
Keyfactor: In January 2020, California passed the Internet of Things Security Law, a first-of-its-kind law focused on improving IoT security that requires manufacturers to actively promote security in IoT devices. How do you see this legislation impacting manufacturers’ approach to IoT security?
Ellen Boehm: Manufacturers are typically sensitive to the strictest regulations and then design to those standards if possible. With that in mind, we’ve already seen manufacturers following recommendations around passwords, authentication, and connections to VPNs based on California law. And that’s a good thing, as those are all good practices that should be adopted independently of any laws passed.
Keyfactor: Historically, the laws passed in California have been a harbinger of things to come, with other states following their lead and passing similar legislation (e.g. labor and environmental regulations). Have you seen other states start to follow suit in this case? If not, do you think they should be doing more to promote IoT device security?
Ellen Boehm: I haven’t seen other states take a focused approach to IoT device security as California has. That said, I think state requirements are too narrow, and there should instead be a country-wide approach to regulating IoT device security.
Remember, these devices are designed, produced, and used globally, so their reach is much further than just a single state. As a result, we need regulations with a broader reach to achieve the right level of governance around IoT device security.
Keyfactor: Looking internationally, what will be the most impactful requirements of the first cyber resilience law planned by the EU?
Ellen Boehm: Three requirements coming from the EU stand out to me in particular:
- Device identity must sit at the foundation of device security, and that identity should be established using unique, asymmetric digital certifications.
- Software and firmware DevSecOps must be enabled by proper signing and verification methods.
- Devices must have vulnerability tracking and traceability, including mitigation plans, for products to maintain CE approval.
Together, these requirements help create a strong foundation that will not only help strengthen IoT device security from where it stands today but also set the stage for ongoing improvements as the field continues to evolve.
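The first two requirements listed above, a unique asymmetric device identity and signed-and-verified firmware, in working code. This is an added example and is not code from the interview, from Keyfactor, or from any product named on this page; the OEM root CA, the device serial "SN-000123", the release signing key, the "Rogue CA", and the firmware bytes are all constructed for the example. It uses only the Go standard library: the OEM root issues one certificate per device against a public key the device generated itself, a backend verifies a presented certificate chains to that root, and a release key (separate from the CA key) signs a firmware image that the updater verifies before applying.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; on a real device this happens inside a secure element or TPM.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// buildRootCA self-signs an OEM root CA for the given key (constructed for this example only).
func buildRootCA(name string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueDeviceCert binds a device's own public key to its serial number under the OEM root. The
// device generates the key pair itself, so the factory never sees a device private key.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceSerial string, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject:      pkix.Name{CommonName: deviceSerial, Organization: []string{"Example OEM"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(15, 0, 0), // field devices outlive typical web certs
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, devPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDeviceCert is the backend check at connect time: chain to the OEM root with the client-auth EKU (Go's Verify defaults to server auth).
func verifyDeviceCert(root, dev *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// signFirmware signs SHA-256(image) with the OEM release key, deliberately separate from the CA key.
func signFirmware(releaseKey *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, releaseKey, digest[:])
}

// verifyFirmware is the bootloader/updater check against the pinned release public key.
func verifyFirmware(releasePub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(releasePub, digest[:], sig)
}

func main() { // remaining errors are ignored only in this demo; the functions above return them
	rootKey, _ := newKey()
	root, err := buildRootCA("Example OEM Device Root CA", rootKey)
	if err != nil {
		panic(err)
	}
	devKey, _ := newKey() // generated on the device; the private half never leaves it
	dev, _ := issueDeviceCert(root, rootKey, "SN-000123", &devKey.PublicKey)
	rogueKey, _ := newKey()
	rogueRoot, _ := buildRootCA("Rogue CA", rogueKey) // attacker-run CA cloning the same serial
	rogueDev, _ := issueDeviceCert(rogueRoot, rogueKey, "SN-000123", &devKey.PublicKey)
	fmt.Println("genuine device accepted:", verifyDeviceCert(root, dev) == nil, "| rogue-CA clone rejected:", verifyDeviceCert(root, rogueDev) != nil)
	releaseKey, _ := newKey()
	image := []byte("constructed firmware image v1.2.3") // constructed sample, not a real image
	sig, _ := signFirmware(releaseKey, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one flipped bit
	fmt.Println("signed image accepted:", verifyFirmware(&releaseKey.PublicKey, image, sig), "| tampered image rejected:", !verifyFirmware(&releaseKey.PublicKey, tampered, sig))
}
```

Two details matter in practice. A certificate carrying the same serial number but issued by any other CA fails verification, which is the point of a per-device asymmetric identity: cloning the serial is useless without the OEM root's signature. And Go's `Verify` only accepts a leaf for server authentication unless `KeyUsages` says otherwise, so a device-identity check that omits the client-auth EKU will silently reject every device. Revocation, key rotation and protecting the release key in an HSM are out of scope here.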
Keyfactor: How will the EU law affect IoT device manufacturers?
Ellen Boehm: First, it means that IoT device manufacturers must assess cybersecurity risks and apply mitigation plans to all products they make. Next, after deploying products, they’ll need to report any incidents and known vulnerabilities of their products to ENISA. Finally, it means OEMs must take corrective actions and implement security updates as needed immediately and free of charge, typically via secure over-the-air firmware updates.
As a result, it will be essential for OEMs to ensure they have the proper processes and capabilities in place to meet these requirements, especially for devices that will live in the field for a long time. This will be a shift for many manufacturers, and it’s definitely a big step in the right direction.
Ready to take your IoT device security to the next level?
As your team looks ahead to 2023, strengthening IoT device security practices must be top of mind. Fortunately, Keyfactor EJBCA and Keyfactor Command for IoT make that possible by providing OEMs with an end-to-end IoT identity platform to manage and automate identities for devices from manufacturing to end-of-life.