For some aspects of connected device security, we simply require new approaches to existing processes. But as is often the case with emerging technologies, there are also new challenges that we haven’t had to tackle before.
Whether you’re a manufacturer of medical devices (IoMT), Industrial Control Systems (ICS), Operational Technology (OT), or consumer Internet of Things (IoT) devices, you’ve likely started to invest more in product security. It’s important to know what hurdles you must overcome in order to instill confidence in your product and stay one step ahead of malicious actors who may be targeting connected devices. Below are five new product security challenges that device manufacturers are facing today:
- Misconfigurations are the most common security issue. When you think of product security for connected devices, it’s important to note that you’re not securing a single program or application, but an entire ecosystem. When you’re building this system, you are responsible not only for the quality of the first-party software you write but also for the security of the system as a whole. In particular, your product development teams and product security teams need to work together to ensure that you are securely configuring the device. That includes secure configuration settings for the operating system, boot sequence, peripheral firmware, network services, and third-party software. Configuration issues can manifest lead to serious consequences. For example, shipping a product with hardcoded service account credentials can lead to reputational damage or fines due to regulations. These settings often live inside configuration files or third-party binaries, which are often overlooked.
- You have less control once the product is shipped. Even if you develop a secure device, if the end user doesn’t configure it properly then the device is still susceptible to an attack. Because you are handing these devices off to your customers, it is up to them to configure them properly, to make sure they’re downloading the latest firmware updates, and to report any security issues that they find back to your team to be addressed.
Some device manufacturers have attempted to address this issue by investing in specific teams to be on site in order to properly service and configure devices to ensure that they are properly secured. This type of investment can be highly costly and time consuming. But without device-specific tooling, the alternative would be to risk misconfiguration and leave open the possibility of a breach or an attack. The outcome of such an attack can be hugely impactful for the device manufacturer.
- Your supply chain is more complex, opaque, and vulnerable. You have different suppliers that are supplying both hardware and software components, which are sometimes tightly coupled to one another other. Because of how many vendors are involved in the supply chain—both from a hardware and software standpoint—you need to be aware of the risks and vulnerabilities that may enter your products through those channels. All of your vendors are running their own DevOps processes, hopefully with security integrated, but without the right tools you don’t really know what’s inside the software that gets incorporated into your development process.
Since you can’t control the security posture of your vendors, this means that your team is responsible for identifying and mitigating the vulnerabilities they introduce. The earlier you can do this in the development process, the less risk there is of passing these security issues on to your customers. To do this, though, you must be able to analyze the binary files found within your device firmware.
- Vulnerabilities and threats can enter late in the development process. You can do everything right in the development process in order to make sure all of your device components are secure, but it is imperative that you are still checking final firmware images. Some of the most serious vulnerabilities (such as issues with credentials) and the most sophisticated threats can be introduced in the final stages of development. We’ve already seen these types of attacks on connected devices, as well as high profile incidents like the SolarWinds breach.
- You don’t have the right tools. If you’ve tried addressing the connected device security issue, you’ve likely found that tools for secure embedded development are very limited or seemingly non-existent. As a result, the burden is placed on your team to develop your own toolsets to verify the security of your products. This requires time and specialized, experienced team members which you may not have.
To overcome these challenges, Finite State has developed an automated platform that is built specifically for analyzing connected devices and embedded systems. Using Device Composition Analysis (DCA), Static System Testing, and Static Program and Binary Testing, the Finite State Platform will uncover vulnerabilities across your product portfolio. From a robust Software Bill of Materials (SBOM), to supply chain and open source license risk information, to actionable remediation guidance, our platform empowers your team to develop secure, compliant products that will instill confidence from your customers, your board, and regulators. Schedule a demo to see how it works.