The necessity of ‘Secure-by-Design’ in today’s fast-changing world
The new ‘Internet of Things’ world is characterized by millions upon millions of connected devices. With more insecure devices and network access points than ever before, ‘Secure-by-Design’ principles are essential for protecting against growing cybersecurity threats.
Over the last few years, digital technologies have transformed the world, affecting all sectors of business activity and daily life. The result is an Internet-of-Things (IoT) world, where everything is instrumented and interconnected.
By the end of 2018, there were an estimated 22 billion IoT-connected devices in use around the world. Forecasts suggest that this figure will increase to 50 billion by 2030 – creating a massive web of interconnected devices.[1]
To support this highly connected future, thousands of Internet-of-Things (IoT) devices are connected to networks every day. Additionally, appetite for new features and functionality has created a ‘need for speed’ in terms of the development and deployment of new types of devices.
The rapid growth of complex, connected devices
Many IoT-connected devices are now highly complex, incorporating advanced AI algorithms and other next-generation features.
IP-based video security cameras are a good example of this. Over the last 15 years, they have evolved from simple analog video cameras into complex, fully digitalized IoT devices driven by machine learning (ML) and artificial intelligence.
As with other types of devices, this evolution has been driven by customer demands for improved functionality and connectivity. This demand also created urgency in the development process, with providers competing to offer the most advanced features as fast as possible to win customers and market share.
Balancing development speed with security considerations
The race to develop more feature-rich, more connected IoT devices has fulfilled customers’ operational needs, but there have often been compromises in terms of security.
After all, building security into all aspects of the production process takes time – a precious resource that is not always available. Because of time pressures, several device manufacturers have opted for development and production speed over security.
The consequences: a global spike in cybersecurity incidents
The consequence of prioritizing speed over security has been an enormous increase in serious IoT cybersecurity incidents. Cybercriminals have been able to access millions of IoT devices relatively easily, simply because these devices were not developed and produced with security in mind.
By the end of 2016, for example, the Mirai Botnet had become world news and IoT security started to get some serious attention. This is a clear example of what can go wrong when insecure IoT devices like baby monitors, network routers, agricultural devices, medical devices, home appliances, DVRs, cameras, or smoke detectors are connected to the internet without proper security provision.
In the case of Mirai, attackers were able to hack into millions of insecure IoT devices – in this case, cameras. They then used the combined computing power of the devices to launch targeted DDoS (Distributed Denial of Service) internet attacks.
And the lesson still hasn’t been learned
Unfortunately, many more cyber incidents involving IoT devices have happened since 2016 – and continue to happen every day. Security researchers from F-Secure issued a warning in 2019 that cyberattacks on IoT devices are growing at an unprecedented rate. They measured “a three-fold increase in attack traffic to more than 2.9 billion events.”
In the research, this growing threat was attributed, in part, to “a basic lack of defenses in aging firmware or architectures, and part down to a lack of info-security housekeeping. Often IT departments are not even aware of all these devices on their networks.”[2]
The critical importance of ‘Secure-by-Design’ production
One key way to prevent damaging attacks on IoT devices is to improve the defenses of these devices. Unfortunately, it is extremely hard to add effective security after the IoT device is produced and/or installed. Instead, the most effective way to prevent breaches is to implement security during device production – often known as ‘Secure-by-Design’ production.
Secure-by-Design is about building security into every stage of the production process, from the conceptual phase to the final delivery phase – as shown in the graphic below:
In the conceptual phase, security requirements are defined; in the design phase, a security architecture is developed for the product design; in the development phase, software code review and code scanning take place; in the verification phase, pen-testing is executed; and in the delivery phase, security training and technical support are provided. All these security measures in the production process improve the cyber resilience of a video security camera and make costly cybersecurity improvements afterwards unnecessary.
How to make Secure-by-Design an organizational priority
There are several prerequisites for manufacturers who want to integrate Secure-by-Design principles into all aspects of their production process. First, there needs to be commitment at an organizational level to invest in the security of each product. This may have an impact on production costs, but it will also dramatically improve the security and credibility – and therefore value – of products by providing certain security assurances to customers.
In addition, Secure-by-Design requires manufacturers to be open to penetration testing (pen testing) by third parties once devices are designed, manufactured, and operational. This ensures that products are able to withstand new and emerging cybersecurity threats – as well as existing ones.
Ultimately, Secure-by-Design principles require manufacturers to be truly serious about bolstering their cybersecurity and protecting their customers against security breaches. This is the case at Hikvision, where we use ‘Secure-by-Design’ principles to minimize the risk of damaging cybersecurity attacks across our product range. For more details about how we do it, please read the security white paper.
[1] Source: https://statista.com – H.Tankovska, 26 Oct 2020
[2] Source: Forbes.com – September 14, 2019