"Security Inside: Setting Your IoT Devices Apart from the Competition" by David Dewhirst


March 15, 2017

From the ThreeTwelveCreative Blog by David Dewhirst:

"Earlier this week I spent some time talking with Terry Dunlap, founder and CEO of Tactical Network Solutions in Columbia, Maryland about what he views as a potential tsunami building on the IoT / M2M horizon: The susceptibility of the vast majority of IoT devices currently on the market to attacks aimed at their vulnerable embedded firmware.

With an estimated 87% of IoT device OEMs yet to implement any kind of security on their embedded firmware, tsunami is probably an apt description of the potential devastation that could occur following an attack on connected devices in our increasingly connected world. What that devastation might look like is as varied and broad as the IoT ecosystem itself. Consider, for example, a vulnerability discovered in some implantable heart devices that could have allowed hackers to remotely control a target's defibrillator or pacemaker; or the My Friend Cayla doll that's recently been banned in Germany (the opposite of Hasselhoff!) because it's susceptible to hacking as well as being capable of surreptitiously streaming audio to remote servers; or the December 2015 attack that took down the Ukrainian power grid for hours through a sophisticated attack that, among much else, "overwrote firmware on critical devices at 16 of the substations" of the grid.

In the case of the implanted heart devices no one has been injured or killed, and although issues still remain with the implants themselves the U.S. FDA considers that the highest-risk vulnerabilities in the attendant transmitter units have now been patched by the manufacturer. We're fortunate in that regard, but the fact of the matter is it's only a matter of time until the next, potentially fatal security failure is exploited: The growing ubiquity of connected devices in IoT and M2M applications is a huge opportunity for those who would inflict physical or financial harm.

What's particularly galling, according to Terry Dunlap, is that cybersecurity risk exposure through unsecured embedded firmware is a problem that's already been solved.

"Embedded firmware is vulnerable to the very same hacks, like buffer overflow attacks, that we identified and fixed years ago in desktop applications," says Dunlap. "We can fix this in embedded firmware right now; we have the tools to analyze and correct these things. But in their haste to go to market, most connected device manufacturers simply don't want to take the extra time."

Successful hacks and exploits are costly in both the societal and financial sense. According to an analysis by Cybersecurity Ventures, cybercrime will cost the world more than $6 Trillion by the year 2021 -- a rise in cost that aligns, not coincidentally, with the upwardly-curving growth in connected IoT and M2M devices. And companies who are sacrificing long-term security for the short-term gains of getting to market marginally faster are just kicking the can down the road.

I've written a few times already about the opportunities that underserved niches in the IoT ecosystem present, and about the possibilities inherent in Industrial Internet of Things (IIoT) analytics, for example. But if the opportunities for cybercrime are growing because most devices have not been properly secured, a huge opportunity also exists on the flip-side of the cybersecurity coin: If the embedded firmware on the device you're taking to market is properly secured, you have a built-in differentiator that sets you apart from the majority of similar devices being fielded by your competitors.

Think about the competitive advantages that affords. Think about the value proposition your device offers when it's secure out of the box, and won't need to be recalled or patched. Think about how your selling into sensitive industries like the financial and medical sectors might be made easier if you can say upfront that you're not going to have to do an OTA update on someone's heart implant.

Think about the opportunities to own your segment when you're the only OEM to offer "Security Inside," and you're sitting in that sweet place of having no one who competes with you on that front, because nearly 90% of OEMs are not currently securing their embedded firmware.

And lastly, if you want to use the value proposition of properly secure embedded firmware in your devices as a differentiator, do it now -- securing your firmware is neither terribly difficult nor terribly expensive, and it won't be long before security becomes simple table stakes instead of a unique value proposition.

The time to move is now -- let's get moving."
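The post quotes Dunlap on buffer overflows being the same class of defect in embedded firmware that desktop software fixed years ago. The following C block is an added illustration, not code from the post or from Tactical Network Solutions, of what that fix looks like in a firmware-style command handler: a constructed length-prefixed message format (`[type][len][payload]`) is parsed into a fixed-size record, and the parser checks the attacker-controlled length field against both the bytes actually received and the capacity of the destination field before copying. The message format, the `PAYLOAD_MAX` limit and the sample messages are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example format: [type:1][len:1][payload:len], the kind of
 * framing a device might receive over a serial or network interface.
 * The fixed-size payload field stands in for the stack buffers that
 * classic overflows corrupt. PAYLOAD_MAX is an assumed limit. */
#define PAYLOAD_MAX 16

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} record_t;

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* The unsafe pattern, shown only for contrast and never called here:
 *   uint8_t buf[PAYLOAD_MAX];
 *   memcpy(buf, msg + 2, msg[1]);   // trusts the sender's length byte
 * When msg[1] exceeds PAYLOAD_MAX the copy runs past buf. */

/* Hardened parser: every read is bounded by the bytes actually received
 * (msg_len) and by the capacity of the destination field. */
enum parse_status parse_record(const uint8_t *msg, size_t msg_len, record_t *out)
{
    if (msg_len < 2)
        return PARSE_TRUNCATED;          /* no room for the type + len header */
    uint8_t claimed = msg[1];
    if (claimed > PAYLOAD_MAX)
        return PARSE_TOO_LONG;           /* would overrun out->payload */
    if ((size_t)claimed > msg_len - 2)
        return PARSE_TRUNCATED;          /* header promises more than arrived */
    out->type = msg[0];
    out->len = claimed;
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, msg + 2, claimed);
    return PARSE_OK;
}

/* Returns only the parse status for a message. */
int check_message(const uint8_t *msg, size_t msg_len)
{
    record_t r;
    return (int)parse_record(msg, msg_len, &r);
}

/* Returns the accepted payload length, or -1 if the message was rejected. */
int parsed_payload_len(const uint8_t *msg, size_t msg_len)
{
    record_t r;
    if (parse_record(msg, msg_len, &r) != PARSE_OK)
        return -1;
    return (int)r.len;
}

int main(void)
{
    /* Constructed sample messages. */
    const uint8_t good[]      = {0x01, 0x03, 'a', 'b', 'c'};
    const uint8_t lying[]     = {0x01, 0x40, 'a', 'b', 'c'};  /* claims 64 bytes */
    const uint8_t short_msg[] = {0x01, 0x05, 'a', 'b'};       /* claims 5, sends 2 */
    printf("good:  status %d, len %d\n", check_message(good, sizeof good),
           parsed_payload_len(good, sizeof good));
    printf("lying: status %d\n", check_message(lying, sizeof lying));
    printf("short: status %d\n", check_message(short_msg, sizeof short_msg));
    return 0;
}
```

The two rejections are distinct on purpose: `PARSE_TOO_LONG` catches a length that the destination cannot hold, while `PARSE_TRUNCATED` catches a length the sender never actually delivered; both would have been silent out-of-bounds reads or writes under the unchecked `memcpy`. Logging which branch fired gives a cheap detection signal for malformed traffic against a fielded device.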