By Alan Grau, Icon Labs
On a daily basis, I have the opportunity to interact with a wide range of companies and people involved in embedded device development and cybersecurity for embedded devices. I was recently struck by the difference in attitudes regarding cybersecurity at three diverse companies. Each company representative had a very different approach in evaluating how and why to implement cybersecurity in their devices, and I found the differences in their approaches more than a little surprising, and in fact rather concerning.
I understand the flawed logic of drawing broad conclusions from just 3 data points, but I believe there are still lessons to be learned from these perspectives on security, and that they are representative of widely held opinions.
Approach 1: Blind compliance to standards
In discussions with an engineering manager who was working on a project for the United States military, I was struck by the single-focused objective of ensuring compliance with customer supplied security standards. Yes, compliance to standards is important and provides a baseline for building secure embedded devices. Many companies could very well improve the security posture of their devices by adhering to industry security standards.
That said, I am not an advocate of blind compliance with external or industry security standards. It is critical to evaluate the risks and attack surfaces of each device and provide security solutions that address the individual needs of that device. My criticism of this approach is not the desire to achieve compliance with security standards, but the unwillingness to consider other security threats or attack vectors.
Approach 2: ROI for including security
A manager for an industrial automation company recently asked me “what is my ROI for adding security to my device?” I understand the need for any business to focus on ROI and make sound business decisions, but I found it surprising that security for critical control system devices was using ROI as the key determining factor on any possible investment in cybersecurity for his products.
Clearly, a cost-benefit analysis must be made on any cybersecurity investment, but some decisions (at least in my opinion), shouldn’t come down to just ROI. I equate this to my life insurance policy. I did some “business analysis” to determine how much life insurance I felt I needed, but I didn’t buy life insurance for the ROI. I hope to never use the insurance policy, and if I do there is no ROI for me, but I still purchased the policy because it is the right thing to do.
The calculation needs to include the cost of failure. What happens if there is a successful attack on a system using this company’s technology and the company’s solution is then later to be found at fault? With the possibility of a cyber-attack costing millions of dollars in damages, can a company afford to not have insurance provided by including security technology in their products? The ROI may be in their customers’ confidence in the security of their offerings.
Approach 3: We need this to be secure
My final example is from a manager who is tasked with building the next generation of his company’s flagship product. The previous generation product had limited communication capabilities, utilizing cellular data communication to “phone home” and provide diagnostics and operational information to back-end servers. The next generation products will include Wi-Fi, Bluetooth, USB and Ethernet connectivity options.
“With all the connectivity being built into this product, we need to make sure this is secure”, was the message from this manager. This is the approach that more companies need to take.
This company is concerned about security standards and ROI, but they have a broader recognition of the importance of security. They recognize the need for the device to include adequate security based on its use cases and attack vectors, and that the tradeoffs are well thought out. What is most surprising is that this company is not building automation equipment for industrial automation or military usage, but vending machines.
There has been a tremendous amount of press regarding cybersecurity for critical infrastructure and embedded devices, including a presidential executive order. Everyone is worried about cyber-attacks concentrating on data – accessing people’s private financial information and stealing their money. However, if a cyber-criminal successfully attacks and penetrates control and communication systems at a utility, manufacturer, transportation, medical or DoD facility system, lives are at stake. People could die. This is a much bigger threat than a few million dollars, or a few candy bars, stolen by a hacker.
Companies are now finally becoming aware of the need to secure embedded devices and some companies are doing more. But more is not enough. If a vending machine company can make its objective “this has to be secure”, then so can everyone else. The fact that a vending machine company is leading the way has me worried.
Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for embedded devices. He is the architect of Icon Labs’ award winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University. You can reach him at firstname.lastname@example.org