As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— David Nosibor of UL Solutions takes us through four key points to simplifying security and combatting complexity in firmware updates.
Thanks to the growing popularity of the Internet of Things (IoT) technologies — tiny, low-power wireless chips that enable online connectivity — virtually any electronic device can connect to the Internet. IoT now powers industrial hardware, next-generation automobiles, smart home appliances, and everything in between. Statista estimates there are already 35 billion connected devices worldwide, hinting at how integral they’ve become to our daily lives, but each poses a potential security risk. Cybersecurity threats against connected devices are increasing, and attacks targeting IoT devices have become critical challenges for cybersecurity professionals.
Bad actors have specifically targeted firmware, the embedded software that enables these devices to perform their essential functions and connect to the Internet. Firmware vulnerabilities can give hackers easy access to security camera feeds, physical door controls, and small computing platforms that can hide or run malicious code. The ubiquity of intelligent connectivity means virtually everything can somehow be compromised through firmware. In 2021, Microsoft’s Security Team reported that a remarkable 83 percent of businesses experienced a firmware attack in the previous two years. Similarly, the National Institute of Standards and Technology (NIST) National Vulnerability Database shows more than a fivefold spike in firmware attacks since 2018.
Historically, firmware has been a widely overlooked element in device security, which is why it appeals to bad actors. Unlike computers, which let you change software or passwords as needed — and expect that you’ll do so — many early IoT devices were shipped with “good enough” software and common default passwords. They weren’t intended to be regularly updated, and as the number of devices dramatically multiplied, so did the complexity of updating them. The process of updating firmware on connected devices can be complicated. Wireless devices may require temporary physical connections for power or data during the update process. Some connected devices include components developed by different vendors, each with its own firmware. Vulnerabilities may linger in devices well past the time when they were initially discovered. Since manual updates can be time-consuming and impractical, firmware becomes a largely unprotected attack vector. If managing firmware were the only security concern, IT teams might be able to get it under control. Unfortunately, organizations are under constant pressure due to supply chain attacks, severe shortages of security expertise, and frequent regulatory changes. Many organizations are limited in their resources, specifically for cybersecurity, and flurries of cybersecurity threats have left them wondering how to respond.
Complexity is security’s greatest adversary and is only growing, thanks to the increasing number of connected devices and the challenges posed by firmware updates. Businesses that adopt IoT solutions may struggle to keep them up to date, leaving themselves vulnerable to firmware attacks and ransomware schemes.
While establishing a baseline level of security may initially appear daunting, organizations using IoT devices must take action, regardless of their resources. This is particularly important during the increased digitization of enterprises and industries. Considering security risks in advance will markedly improve any organization’s ability to reduce or eliminate insecure interconnections.
Organizations must focus on streamlining security as cyber-attacks are becoming increasingly sophisticated and targeted against latent weaknesses. Effective product security programs must pivot from reactive to proactive stances, starting with product development and continuing through the product lifecycle management. Moreover, these programs must meet both legislative and industry compliance requirements.
Simplifying Your Way to Security
Collaborate with All Stakeholders
Individual players may focus on their distinct roles and priorities when securing data and assets. Yet cybersecurity is a shared responsibility; collaboration among all stakeholders will help minimize gaps in security defenses.
Since malicious actors will continue evolving tactics, businesses must track and remediate all known vulnerabilities and threats across components, devices, and applications to maintain a solid security posture. Cybersecurity and Infrastructure Security Agency (CISA) is a great starting place for free resources and tools.
Verify Compliance and Test Regularly
Given the global nature of today’s markets and the changing regulatory landscape, it’s imperative to verify security compliance against international regulatory requirements, industry-specific standards, and security frameworks. Then, repeatedly test security. Doing this requires complete visibility into connected product lines’ security maturity.
Ensure Supply Chain Transparency
Considering the uptick in supply chain attacks, communicating product security to partners, stakeholders, and end-users has become critical. Asking suppliers for a software bill of materials (SBOM) can ensure outdated, vulnerable firmware and software can be addressed, easing security concerns across entire ecosystems.
Security cannot be treated as an afterthought. For both developers and users of connected devices, streamlined firmware updates must become a priority. In addition to releasing quality products on day one, companies must ensure they remain secure enough to safely operate within the modern threat landscape and can be easily augmented with additional protections as new risks emerge.
- Combatting Security’s Greatest Adversary: Complexity - August 17, 2022