After the recent SolarWinds1 hack that impacted the United States federal infrastructure and organizations globally, perhaps now is the time to look at what to expect in embedded-system security this year. Haydn Povey, Founder and CEO, Secure Thingz/General Manager Embedded Security Solutions, at IAR Systems, a foremost expert in security, offers seven insights and predictions about how security will be at the forefront of technology at every level, starting with each individual chip, in 2021.
1. Security will go mainstream.
Among chip vendors, right now we see security in high-end, next generation, expensive devices that vendors are pushing to companies who need security. Security must be inherent in low-end chips as well—whether it’s an $0.80 or $8.00 microcontroller, they all need to have some level of security.
While some vendors are making this happen, most are not. Granted, this isn’t black and white. It varies based on what you are protecting, who you’re protecting it against, and the value of what’s being protected. Regardless, every device must have a certain hygiene level that’s higher than it is today. Security must become mainstream, which is where most of the chips used reside, at the one, two, and three dollar range.
2. We will see the first $100 million dollar hack.
If we look at the biggest attacks of 2020, one of the biggest was at Norsk Hydro, an aluminum processing plant. It’s estimated that the cost of the impact and rebuilding of their systems, including virtually every system, right down to the digital clock on the wall, was over $55 million. The company did the right thing, it was attacked with ransomware and chose not to pay. They had to return to manufacturing big rolls of aluminum using paper manuals as every system was locked down.
In 2021, we will likely see that cost double due to systemic attacks. In addition, as systems are becoming so entwined, a rogue attack on a commercial target could bring down entire smart city infrastructure and transportation systems. This will no doubt have enormous implications in cost, productivity, and more.
3. The C-Suite will be liable for security.
Whether you’re a Chief Information Security Officer (CISO), CEO, COO, or a board member, the responsibility and liability for product security resides with you. No longer will liability be held with the corporation; instead, it’s transitioning from the company to personal liability. If a company has a breach, the CEO’s job will be on the line.
We’ve come to this point because cost-sensitivity, while important, often leads to cutting corners to get products out competitively priced. Often security is one of the casualties.
By transitioning ownership to the C-Suite and placing responsibility there, the industry will change. Gartner predicted that 75% of CEOs will be personally liable for cyber physical incidents by 2024.2 They also predict that the financial impact of cyberattacks will reach $50 billion by 2023. The C-Suite will no longer be able to plead ignorance or hide behind insurance policies.
Today companies take out insurance against being hacked, but what happens when your products enable your customers to be hacked? Your liabilities skyrocket. And if you didn’t take the steps needed to prevent it, no insurance companies will cover the losses. The C-Suite will be held accountable. It will be interesting to see what happens following the nation-state sponsored SolarWinds attack and whether this finally moves the focus onto the executive team taking responsibility along with punitive consequences.
4. IoT hacks will go mainstream.
So far, most hacks have been in niche products, but there’s a very clear expectation that these will go mainstream. For example, Ring doorbells had real problems recently with the fact that they’re enabling enforcement agencies to backdoor into cameras. Thus, the police had access to people’s videos from the doorbell cameras. If you know what you’re signing up for, then that’s one thing, but in actuality, very few people are aware of the impact on privacy and how they’re monitored. If you can have a backdoor for the police, there’s a potential that other third parties can get in as well. The privacy consequences are scary and huge.
IoT can be misused. For example, if someone is in a coercive relationship, IoT goes from something that lets you turn on your heat, to a way of monitoring your partner and enforcing limits. It becomes something dangerous. You can know when they leave the house, which rooms they go in, or whether or not they’ve done the housework. It turns something positive into a dystopian nightmare.
There’s huge ability to misuse IoT in same way that the Internet can be misused. Every advanced tech has two edges. If an IoT hacker can gain control over a connected doorbell, they can use it to plan robberies, start fires, and do virtually anything a criminal mind could imagine.
5. Tech will need to define a better secure supply chain, globally.
Companies source chips, subassemblies, and other devices from different manufacturers that ultimately are integrated into an end product, such as a vehicle. During this process, at every step along the supply chain, security must be mandated. You must know what’s in your product because you have to take responsibility for it.
Frameworks are evolving from organizations like the IoT Security Foundation, which require identity to be built into a product and included in a manifest of how they’re created. Companies will have to demonstrate how a product is managed throughout its entire lifecycle to ensure it’s not cloned, not counterfeit, etc., and that it’s secure. The tech world will have to learn from the food industry and the ways they can trace food, from farm to table, so that if something goes wrong, every product that could be impacted can be identified.
6. All development will become security-centric.
Security-centric means setting policy at the C-suite level to create a secure supply chain where companies can manage the content in each product as well as the development, upgrade programs, and protect its IP. These policies must ensure security at every step, from design to delivery, and prevent hacks or backdoors.
In reality, mistakes happen—software is complex. When they do, the policy must ensure that updates are provided securely and in a timely way. Therefore, only the right updates with the right versioning from the right vendor can be applied with proper encryption technology. Security needs to become part of development flow, not separated. Protecting code means protecting customers.
7. Device-to-cloud capability will become standard.
Every consumer device generated will inherently be cloud native. We must have a mechanism so that every connected device—light bulb, oven, freezer, car, whatever—is easily connected to the cloud. This means each must have an built-in, cloud-native identity that’s transparent to the consumer. Then, a consumer can choose who to work with; e.g., they may use Verizon, then move and change to T-Mobile. This means devices must be smarter, with the ability to be re-sited, to be decoupled by one person and re-coupled by another,
For example, if you own a refrigerator, you may donate it or sell it when it’s replaced. This requires a smart device with multiple levels of identity—the inherent identity for the original owner, which can be killed and replaced by a new one from a new owner, and it’s all transparent to the consumer. That means we have to think through the device-to-cloud identity, provisioning, and build, so that we can enable it.
Overall, there’s a quite a bit to accomplish in terms of security in 2021. The good news is that we have the capabilities and minds to do it. As they year goes on, it will be interesting to see how these predictions and insights take shape.