Mobica: The Impact of Cybersecurity on Product Design

Moz, tell us about your role at Mobica

Having experienced working for companies in semiconductor design, consumer electronics and technology consultancy, my role involves designing the technical solutions that solve problems for some of the largest businesses in the world. One of my key responsibilities is to help bridge the gap between technical and commercial stakeholders, particularly during the sales process. 

What’s the most pressing challenge your customers are facing right now?

Cybercrime is a major area of concern, especially in regards to the Internet of Things (IoT). There are billions of connected devices around the world – and we are becoming increasingly dependent on them. 

It’s not unusual for people to have more than a dozen IoT devices within their homes. And when they leave home, there is also a good chance they will get into a connected car. They may even work in a smart factory, surrounded by thousands of connected sensors and actuators that are remotely monitoring and controlling the machinery around them.

Given this prevalence, it has become essential that all these devices are reliable and secure. 

IoT device manufacturers have not always prioritised security, however. In the early days of IoT, the main aim was to build devices that were good enough, and cheap enough, to encourage mass adoption. Stringent security measures were often a secondary consideration.

However, regulations such as the UK’s Product Security and Telecommunications Infrastructure Act and the EU Cyber Resilience Act have raised the bar when it comes IoT security, and manufacturers are having to reassess their priorities. 

So, what do you advise manufacturers to do?

Connected device security requires a different approach. Since the dawn of the internet, cyber security professionals have put guards and gates on the borders of corporate IT networks to protect them from intruders, but this approach will not work with IoT products.

Connected devices are often distributed in the field, outside the direct control of cyber security professionals. This means they are vulnerable to physical tampering and fault injection attacks. Their reliance on over the air (OTA) updates means they can also be a target for man-in-the-middle hacking techniques.

To combat these threats, manufacturers are having to make connected devices more resistant and resilient to attack. The assumption needs to be that a product could be breached at any time and, as such, a ‘zero trust’ mindset needs to be adopted. This will give manufacturers a better chance of being able to detect a breach and recover devices should the worst happen.

What effect will this zero trust approach have on how products are designed?

A zero trust approach will impact design in several ways. For instance, businesses will want to minimise the storage of sensitive data on the device. They will also want to monitor their product’s dependencies for vulnerabilities and apply fixes when available. 

With that risk awareness in place, manufacturers can incorporate a secure mechanism to interrogate and validate the firmware and software on the devices during each boot and at runtime. This can reveal whether a device is still trustworthy or has been compromised. In the event a device should fail this test, manufacturers can mark it down for recovery.

Manufacturers should also be looking at the processes they have in place to protect products on an ongoing basis. For example, end users will need to be provided with regular updates and security patches to protect devices from common vulnerabilities and exposures (CVEs).

Coming back to your role, how do embedded solutions play a role in IoT security?

This is where it all becomes quite technical. To enable the above security measures to be put in place, manufacturers will need to take advantage of embedded technology. This is likely to include the use of secure elements on microprocessors, which can be used to support a number of security related functions, such as secure storage, generation of keys, detection of modifications and the creation of a Hardware Root of Trust (RoT). RoT provides a highly secure method of cryptographically verifying communication – ensuring that updates are safe and have not been modified in transit. 

Manufacturers need to be wary of the fact that, although difficult, it is possible to physically extract keys and sensitive information from storage on the chip and also access keys before they are injected into a device at the manufacturing stage. A solution to this problem is to avoid handling the keys altogether, by using a Physical Unclonable Function (PUF). PUFs take advantage of the physical characteristics of a silicon chip, using the randomness of the material to provide a reliably unique and unpredictable secret key that isn't stored in memory. It does not need to be handled and cannot be extracted from the device by reading stored contents.

How important are these security systems to connected products?

Failure to protect devices will leave doors open to criminal hackers, leaving individuals and businesses vulnerable, and manufacturers facing the wrath of regulators. By embedding deeper layers of protection, however, manufactures can create greater resistance to and resilience from cyberattacks. This will allow manufacturers and end users alike to focus less on the potential problems and more on the benefits connected products can deliver.  

For more information on how to protect connected products please read the 'Securing the Connected Future' guide, which can be found at Mobica.com.

****** 

Make sure you check out the latest edition of Manufacturing Digital and also sign up to our global conference series - Procurement & Supply Chain 2024 & Sustainability LIVE 2024
******
Manufacturing Digital is a BizClik brand.