Few connected products have gone through independent testing and evaluations that could head off security problems during their use.
Wayne Stewart, Cyber Security, Canada • Intertek
It has become a truism that cyber security is one of the most significant risks for manufacturers today. These risks have the potential to cause a great deal of damage; identifying potential risks, detecting security breaches and managing the aftermath all require valuable time and resources.
Yet many connected products today have not been designed with cyber security in mind, and even fewer have gone through independent testing and evaluation. Connectivity is often introduced as an add-on or upgrade to existing products that were never designed for the online world. For connected products, proactive cyber security measures are a must at every stage of the product’s lifespan. These measures include a risk management strategy that spans product design and development through manufacture and release, independent security testing, and security updates after the product is introduced.
Cybersecurity testing and certification can help minimize cybersecurity risks, ensuring a successful and timely product launch. These steps can also be valuable tools in marketing products and assets because they help build a manufacturer’s reputation as a provider of secure products. To size up a product for cybersecurity risks, it is important to first understand the cybersecurity landscape and the most important threats.
Cyber threats
In the connected world, multiple points of entry provide pathways to increasingly sophisticated and complex attacks. There are many threats that developers and designers should consider when designing a connected product.
Malware: This is the most frequently encountered threat in today’s cyber landscape. Malware includes executable code, scripts, active content, and other software designed to damage a computer, server or network. Primary malware targets are vulnerable software products, non-secure devices, and users.
Phishing: Accounting for nearly 90% of social attacks, phishing is fraudulent outreach designed to trick targets into sharing sensitive information via electronic communication or social media. In addition to this initial security breach, most successful phishing attacks are followed by malware installation.
Viruses: This malicious software replicates itself by modifying other programs and inserting its own code, thereby “infecting” a device or software. Viruses can cause system failure, corrupt data, waste computing resources, increase costs or steal data and information. Viruses have been known to cause billions of dollars in damages.
Botnets: A botnet is a network of connected devices that have been compromised with malware. It is used to perform distributed attacks, steal data, send spam, or allow attackers to access devices and/or connections. A large percentage of IoT devices have been vulnerable to attack and, when compromised, have become unwitting participants in large botnets.
Denial of Service (DoS): A specific attack in which the perpetrator seeks to make a device or network unavailable by disrupting the services of a connected host. This type of attack is becoming more widely used, growing in frequency, size and duration, with numerous high-profile incidents in the past year.
Ransomware: Ransomware holds data or systems “hostage” unless a ransom is paid. Incidents of ransomware are on the rise, with healthcare providers and critical infrastructure being particularly vulnerable to this type of attack.
Web-based Attacks: As the name implies, these attacks exploit security holes in outdated web browsers and in compromised websites and applications. They can be used to harvest data or infect systems.
Stolen Devices: Loss or theft of unencrypted devices can provide criminals easy access to personal information, leading to breaches and security risks.
A number of factors can further exacerbate cybersecurity risks. For example, tactics that use more advanced technology, such as artificial intelligence and machine learning, reduce the effort needed to attack and exploit products and networks. Likewise, higher-volume attacks intensify cyber risks through their increased frequency and the amount of data they process. Finally, a shortage of skilled IT experts can make it difficult to respond to the increasing number, scale, and complexity of attacks.
Recently, we have seen targeted attacks that used compromised development systems in one company’s network to deliver sophisticated malware into the environments of that company’s customers. The compromised customer systems were then used as platforms to infiltrate other sensitive networks, including government systems.
Products that are secure make it more difficult to breach other connected devices. Thus, secure products help reduce damage as well as the time and resources needed to deal with the aftermath.
There are several options available to help ensure the cybersecurity of a connected product. These include testing against established standards and certification schemes. Additionally, voluntary testing can provide assurance that products are designed and built with security in mind and implement security best practices.
Compliance and standards-based testing
Numerous standards can be used to assess connected devices. Applicable standards will vary based on product type. Some are appropriate only for consumer products while others apply only in quite different settings. So it is important to understand which standards apply and which certifications may be required for specific markets. Here are a few standards that apply to broad categories of connected products:
Common Criteria, also known as ISO 15408, is an international standard designed to specify and measure IT security through functional and assurance requirements, as well as product and system specifications and evaluation. Typically applied to the Information and Communication Technology (ICT) product category, Common Criteria certification is recognized by more than 30 countries, including the U.S., Canada, and many countries within the EU. It is recommended for IT product developers marketing products to government entities and for critical infrastructure.
In cryptography, Federal Information Processing Standard (FIPS) 140 is a U.S. standard that is also recognized in Canada. It has gained worldwide recognition as the de facto standard and certification for secure cryptographic implementations. Any product providing cryptographic services to the U.S. government or federal entities must be validated to FIPS 140, and validation is also recommended for products used by the Canadian federal government.
Payment assurance applications include PIN-entry devices, encrypting PIN pads, unattended payment terminals, secure card readers and hardware security modules used for payment. Payment products must be tested against schemes from various organizations, including the Payment Card Industry (PCI). These schemes ensure that products protect the buyer’s data. Testing includes physical security testing as well as network and unauthenticated application-level tests on systems and products. The payment space is evolving, and security testing and certification is now also possible for mobile payment solutions under the PCI Secure PIN on COTS (SPoC) and Contactless PIN on COTS (CPoC) standards.
When it comes to the internet of things, the IEC 62443 and UL 2900 families of standards apply to connected products (e.g. IoT) used in the home. They also apply to commercial settings, medical devices, and security and life safety signaling systems, such as alarm systems, locks, smoke detectors and similar devices.
Other standards such as ETSI EN 303 645 (Cyber Security for Consumer Internet of Things) uniquely target consumer products and are built upon a widely accepted security baseline. There are also private certification schemes such as Intertek’s Cyber Assured program. This scheme helps manufacturers clearly demonstrate a product’s security (covering the device, app and cloud) to consumers. It also provides security over the life of the product by continuously monitoring new emerging risks.
ISO 27001 is an internationally recognized standard covering the people, processes, technologies, and facilities used in daily activities. Preparing for compliance includes conducting a gap analysis and then creating and implementing an Information Security Management System (ISMS). Organizations that operate a risk management system focused on information security are eligible for certification under this standard.
Assurance testing
Standards are just one way to assess connected products. Optional assessments, in which testing is based on industry best practices, can provide assurance that a product is secure and resilient. Often, these are voluntary evaluations that provide peace of mind and enhance a product’s appeal. These evaluations, which include vulnerability assessments, penetration testing, design review, privacy impact assessments and threat risk assessments, should take place independently of the teams responsible for product development.
Vulnerability assessments (VAs) evaluate a product’s susceptibility to known weaknesses and vulnerabilities. A VA uses specialized tools and a detailed examination of application functions to test systems, networks, and cloud-based services. VAs can also include specific assessments to expose weak implementations of well-known communication protocols and applications. These assessments combine comprehensive auditing with device testing in the context of the product’s intended environment in order to understand the risks.
Penetration testing, also known as ethical hacking, provides an attacker’s perspective, with experts attempting to infiltrate networks, systems, products, and applications. This approach results in a detailed report identifying exploitable vulnerabilities and recommended mitigation, as well as strengths and weaknesses.
Security design reviews examine cybersecurity early in the design process. An early review is more economical and efficient than trying to add security later in the process. Regularly assessing security controls and network design for effectiveness and adequacy throughout the design phase will help to ensure product security.
Privacy impact assessments provide a detailed review of organizational or product privacy policies and controls to ensure compliance with legislation and security standards. Besides addressing the risks to privacy or privacy-related security, they also identify mitigation measures.
A threat risk assessment identifies assets that must be protected, the value of those assets, and associated threats/vulnerabilities. The assessment considers the impact of damage or loss and, most importantly, how to mitigate exposure or damage. A typical assessment will deliver a prioritized list of issues to be addressed.
The development of any connected device should follow best practices and industry-specific standards. It is important to include security throughout the development cycle: adding security after the fact is rarely effective and always costs more. The product should be designed to be intrinsically secure. Begin by defining all security requirements, including the types of possible threats and product vulnerabilities; then consider which safeguards to implement. Test throughout the development process to ensure you are not introducing security risks along the way.
Independent testing and security certification demonstrate compliance with regulatory or industry requirements. An independent opinion confirms that controls are working as intended. It also outlines road maps for security improvement, improved operating processes and identification of key business assets.
All in all, the creation of a connected device can be challenging in a world where technology continues to evolve at a rapid pace. It is critical to demonstrate that adequate measures are in place to ensure the protection, integrity and resilience of products, systems, information, and data. A proactive approach that leverages existing standards and undertakes additional assurance assessments can mean the difference between success and failure.