By Jack M. Germain
May 13, 2021 5:13 AM PT
Efforts by several internet industry groups are focusing on new measures to fix inherent security weaknesses with the rapidly expanded use of internet of things (IoT) devices for enterprises and consumers.
Supply chain security company Finite State on April 27 announced a partnership with application security solutions provider Veracode to offer comprehensive coverage of connected devices and embedded systems. The security solution covers the pathway from the device firmware through to the web applications, infrastructure, and cloud services with which the devices interact.
This new partnership presents the most complete picture of product security for manufacturers and users of connected products at a time when the IoT device market is undergoing exponential growth, according to Matt Wyckhouse, founder and CEO of Finite State.
In a related development, the FIDO Alliance (Fast Identity Online) on April 20 announced a new, open IoT standard called FIDO Device Onboard (FDO) protocol that enables devices to simply and securely onboard to cloud and on-premises management platforms.
That announcement makes good on the Alliance’s commitment, announced two years ago, to help fix the IoT’s security shortcomings.
“We are seeing an increase in publicly reported security events targeting software supply chains. These continue to showcase the damage these incidents can inflict on even the most sophisticated organizations which is leading to mounting pressure on businesses to ensure that devices are securely developed and continuously reviewed for vulnerabilities and supply chain risks as part of their security program,” Wyckhouse said.
In 2019, the FIDO Alliance announced a working group dedicated to IoT security standards, addressing common practices such as shipping devices with default password credentials. Relying on manual onboarding can leave devices and the networks on which they operate vulnerable.
That working group comprises members from Amazon, Google, Intel, Microsoft, Qualcomm, and others. This new standard addresses challenges of security, cost, and complexity tied to IoT device deployment at scale.
FIDO Device Onboard furthers the fundamental vision of the Alliance, which has brought together more than 250 of the most influential and innovative companies and government agencies from around the world to address cybersecurity in order to eliminate data breaches and enable secure online experiences.
The FIDO Alliance, a non-profit organization, is an open industry association that seeks to standardize authentication at the client and protocol layers. FIDO specifications support multi-factor authentication (MFA) and public-key cryptography.
“The FIDO Device Onboard standard builds on the Alliance’s ongoing efforts to help close the security gaps that currently exist on the web by expanding this work into IoT applications,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.
“Businesses recognize the huge potential of the IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics, and more,” he continued. “The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger, and more secure means of authentication for these important uses in industrial and commercial environments.”
What FDO Does
FIDO’s FDO specifications for IoT were collaboratively developed as a follow-up measure to its FIDO authentication standards to help address the global data breach problem. The specifications have reached proposed standard status and are open and free to implement.
Initially, the new specifications target industrial and commercial applications. Developers can view and download the specifications.
FDO leverages asymmetric public-key cryptography to provide the industrial IoT industry with a fast and secure way to onboard any device to any device management system. The business benefits from the FIDO Device Onboard standard include:
- Simplicity — Businesses no longer have to pay more for the lengthy and highly technical installation process than they do for the devices themselves. People of any experience level can apply the highly automated FDO process quickly and efficiently.
- Flexibility — Businesses can decide which cloud platforms they prefer for onboarding devices at the point of installation (as opposed to manufacture). A single device SKU can be onboarded to any platform, thereby greatly simplifying the device supply chain.
- Security — FDO leverages an “untrusted installer” approach, which means the installer no longer needs, and is not given access to, any sensitive infrastructure or access control information to add a device to a network.
“This is a major milestone that aims to solve one of today’s critical challenges with deploying IoT systems. The new FDO standard will help reduce cost, save time, and improve security, all helping the IoT industry to expand rapidly,” said Christine Boles, vice president for the Internet of Things Group and general manager for the Industrial Solutions Division at Intel.
Implementing the FDO standard enables businesses to take advantage of the full IoT opportunity by replacing the current manual onboarding process with an automated, highly secure industry solution, she explained.
This latest FIDO Alliance initiative reduces the world’s reliance on passwords with simpler, stronger authentication. The new process prevents scalable attacks and account takeovers.
Research firm IDC expects the number of IoT devices to reach 55.7 billion worldwide. IDC also expects the IoT market to maintain a double-digit annual growth rate and surpass the $1 trillion mark in 2022.
Advancements in 5G connectivity and accelerated digital transformation of business operations have increased the adoption of internet-connected devices. However, with that adoption come heightened risk and expanded attack surfaces for security and development teams to harden and protect.
“Manufacturers of connected devices and embedded systems are under increasing market pressure to create and deploy secure devices without compromising speed of development or user experience,” said Peter Ellis, Veracode’s vice president of corporate development.
Finite State’s holistic approach is a single SaaS solution for analyzing these devices and the supply chain that underpins them. It helps customers quickly identify, prioritize, and remediate product security risk, Ellis explained.
A recent survey by Omdia and IoT World Today of both providers and enterprise users found a majority of businesses have serious concerns about breaches to their infrastructures. Of the 170 IoT leaders surveyed, 85 percent said security concerns remain a major barrier to IoT adoption.
Almost two-thirds (64 percent) of respondents stated that end-to-end IoT security is their top short-term priority. That issue surpasses edge compute (55 percent), artificial intelligence/machine learning (50 percent), and 5G deployments (28 percent).