Software Security Across the Intelligent Edge

Two billion PCs and 42 billion connected Internet of Things devices are expected to be part of our world by 2025. Nearly every device will work through the cloud in some way, and 80% of the data we create, consume and are a part of will go through the 5G cloud. However, currently, a mere 11.5% of all corporations are digitally transforming successfully, which means that a majority of organizations still face huge challenges to their ability to thrive in the coming digital-centred world.

The success of a business’s digital transformation is not a give-in, though as security vulnerabilities and concerns around IoT continue to grow. Security must cover every single endpoint device throughout the entire lifecycle. What are the key challenges, and where do you begin?

In this article, learn about the three dynamics impacting security and how you should prepare as you near the edge.

Table of contents

Three dynamics impacting security
Dynamic #1: The value of data has become more dynamic than the .1% of its lifecycle it was designed for
Dynamic #2: Security has to work across partnerships (inside and outside of organizations)
Dynamic #3: By definition, the new digital future is not clear. Can your security handle that level of ambiguity?
The edge
Experience matters
Access is everything
Defining a security policy
Questions to ask as your near the edge
Appendix: Security Worksheet for the New Digital World

Three dynamics impacting security

Security is foremost among those challenges. Imagine the complexities of designing security protocols in this new and evolving world. More than half of technology leaders see multiple security concerns directly connected to digital transformation initiatives, including increased cybersecurity risks (53%), cybercriminal sophistication (56%), and increased threat surface (53%). These threats are compounded by another concern shared by 40% of CISOs, CTOs, and CIOs: namely, the problems caused by rigid technology infrastructure—the sort of infrastructure tightly associated with embedded systems.

40% of CISOs, CTOs, and CIOs are concerned about the problems caused by rigid technology infrastructure—the sort of infrastructure tightly associated with embedded systems.

Consider three dynamics that are constantly changing around us, detailed in the following pages.

Dynamic #1: The value of data has become more dynamic than the .1% of its lifecycle it was designed for

The act of putting one core focus on a device is unlikely to be the wave of the future. The value of information is far more dynamic in a digitally centred world. The fact that 75% of leaders of major corporations say they have 200% less time than before to make decisions illustrates the need to have data rapidly available to support decision-making.

Data is more than ever dynamic in nature, in part because it originates from thousands or millions of different places, often coming in at the same time. What that data can be used for is driven by the moments that matter. That moment may matter in only .1% of the device’s lifetime—if we build it based only on the original design. In a dynamic world, the value of the information gathered in the other 99.9% of the device’s life could be valuable for other parts of the data infrastructure. In a connected world, data has multifaceted value, often reaching far beyond the core design.

The significance of the data revolution underway in devices is underscored by the struggle to secure that data, with more than half of all IoT devices vulnerable to medium- or high-severity attack and 98% of all IoT device traffic—including medical device traffic—left unencrypted. Specific classes of data require nuanced consideration of privacy implications, as the dynamic nature of data means it can inadvertently transform into Personal Identifiable Information (PII) subject to diverse regulations around the globe.

98% of all IoT device traffic—including medical device traffic— is left unencrypted.

Dynamic #2: Security has to work across partnerships (inside and outside of organizations)

Imagine you have a component inside an industrial machine managing complex power exchanges across a power grid. This device could also be in 10 other ecosystem partners’ products that are all working together. You want to know how that component is performing and also how the overall data ecosystem is delivering value-added insights that can be used in real-time. You might want to see how that data could be orchestrated in different ways going forward. Such opportunities for knowledge exist in the energy, distribution, medical device manufacturing, aviation and defence, and other sectors where the power of the device goes beyond its core functionality.

Think of data as having a network effect: The more devices connect in real-time, the greater the value of the information and data to the organization, given the digital transformation strategies researched by Forbes/Inc. Digital, 8 out of 11 industry leaders were convinced that the power of data in a digitally transforming world was going to help define their future success. And the more partners in the ecosystem, the greater the potential power of the data. That argument may sound abstract, but recent work by IBM’s Cognitive Systems group shows that the best and most economically effective AI comes from running all four AI formats (machine, deep, visual, and natural language) simultaneously: multiple data sets working together in real-time. With AI infused into nearly everything, the power of data partnerships is vast, delivering far more value than just one ecosystem can provide.

8 out of 11 industry leaders were convinced that the power of data in a digitally transforming world was going to help define their future success.

Dynamic #3: By definition, the new digital future is not clear. Can your security handle that level of ambiguity?

Ambiguity is our new digital future. Transformation is difficult, and the transformation of our security design and delivery is just as difficult. However, major corporations (Fortune Global 2000 companies) that are thriving in their digital transformations are exponentially more confident about their futures because they are building environments to handle that ambiguity.

Our volatile, uncertain, complex, and ambiguous (VUCA) world requires us to think about new ways to be secure. Being able to lean into this reality is essential because the rate of effective digital transformation (CAGR) has been slow: 11.5% since 2013. What we need to design for is a future of being able to secure data and enable the insights from that data to be used in real-time and, ultimately, shared across multiple ecosystems.

In the pre-digital world, the idea of security was well understood. Now the constructs needed to build in security must adapt daily, just as AI, the cloud, and 5G do. A future of intelligent edge devices designed for an adaptive world must be the prime goal for developers and applications management.

Think through three simple questions to see how well you are organizing for this new digital world:

1. Are you increasingly working with new design security requirements for your devices?
2. Is the VUCA world we live in seen as an asset by the organization and do security requirements hold you back or accelerate your ability to thrive?
3. Is your core security strategy likely to be very different in five years, as you digitally transform as an organization?

“By using a simulation model (VxWorks Simulator) in parallel with its equivalent embedded hardware, we can have it serve as the gold standard and potentially be able to detect anomalous behavior before it actually manifests itself as a system failure.” — Rick Kephart, Vice President, Software Development, Emerson

The edge

We are building and securing the new digital reality during two seismic shifts: a massive transition toward edge computing, specifically in the way enterprise data is captured, processed, and stored; and a generational shift in the workforce that will develop and operate the mission-critical intelligent connected systems of the future.

In 2018, only 10% of enterprise data was captured and processed outside of a traditional data centre; by 2025, that number will exceed 75%. Meanwhile, in 2020, Millennials became the largest percentage of the workforce.

Experience matters

The generation of developers and operators who are most experienced with legacy embedded systems are approaching retirement age, while a much smaller pool of embedded engineering talent is waiting in the wings. 82% of executives reported a shortage of qualified technical candidates, with 60% of companies identifying electrical engineering jobs as the most difficult to fill. Experience with IoT systems is vital to keeping them secure, as programming errors are a leading cause of vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database: “Operating systems and firmware suffer the most attacks: programming errors in these pieces of software and weak access control or weak authentication enable attacks at the lowest software-based level but the undisclosed vulnerabilities often affect these pieces of software as well.”

Access is everything

IoT and other devices at the edge are often physically accessible, exposed to a range of hardware-based attacks that are not common in more controlled environments. Risks are compounded by after-market availability of such systems for purchase, enabling cybercriminals to develop attacks at their leisure. Devices that are small, individually owned, and not built with security in mind may not be updated regularly and can provide easy access to the broader network to which they are connected. In a 2018 Ponemon Institute survey, 97% of risk management professionals stated that they believed that unsecured IoT devices could be open to a “catastrophic” security breach.

Three questions to ask as you near the edge:

1. Do you have access to engineering talent with the diverse set of skills required for the development, deployment, and maintenance of today’s IoT devices and related systems?
2. Do you have a digital experience strategy that will ensure that your devices are readily operable by a majority Millennial and digital-native workforce?
3. Do you have a complete understanding of the supply chain your device fits into—including your software supply chain— and encompassing after-market suppliers?

“There are updates that happen every single day about potential security exposures. We have a team here at TGCS that focuses on that; we partner with Wind River to make sure that the known risks are identified and that we respond quickly for our retailers.” – Gregg Margosian, COO, Toshiba

97% of risk management professionals stated that they believed that unsecured IoT devices could be open to a “catastrophic” security breach.

Defining a security policy

49% of design teams consider defining a security policy one of their most important projects. The CIA Triad is an industry-standard model that guides the development of a security policy, defining the necessary principles needed to protect a device from unauthorized access, use, disclosure, disruption, modification, or destruction.

The CIA Triad is based on the following three principles:

• Confidentiality implementations are used to protect the privacy of data in IoT systems. This includes data in motion, data at rest or stored on the device, data being processed by the device, and data passing to and from the device.
• Integrity implementations ensure that the device data has not been modified or deleted by an attacker. This includes data being generated or consumed by the embedded device as well as its programming data (the operating system, applications, configurations data, etc.).
• Availability implementations are used to ensure that an IoT device performs its intended function. This means an attacker cannot change a device’s intended functional purpose. This is of paramount importance to devices that perform life- or mission-critical tasks.

Project teams determine which components of the CIA Triad are required based on risk exposure, regulatory requirements, and IP protection needs balanced against cost, performance, and the device deployment operational environment. There is no single silver-bullet solution for protecting a device or system from all possible attacks. Rather, a layering approach that uses different mitigation controls delivers a multifaceted protection shield and, ultimately, a much stronger cybersecurity implementation.

Questions to ask as your near the edge

Are you successful in transforming or inadvertently expanding your threat surface?

Five Security Questions to Answer As You Digitally Transform

As the world of embedded systems and the operational technology (OT) domain become increasingly digital, and as the lifecycle of devices moves beyond fixed-function and break/fix, fundamentally different strategies will be required to securely design, deploy, orchestrate, and adapt the next generation of mission-critical systems.

1. Is your security strategy focused primarily on endpoints, or is it a truly system-level approach encompassing the cloud and providing a chain of custody for the data at the heart of digital transformation?
2. Do you have an established methodology for the simultaneous development of functionality and the security elements of your IoT systems, and if so, does this methodology support the proliferation of threats that come with digital transformation?
3. Does your system architecture support efficient management of and updates to edge devices from deployment onward, anticipating the next generation of security threats and affording the flexibility required to ensure security across decades in the field?
4. Do your existing enterprise security tools recognize the diverse industry-specific protocols of your IoT systems and, if not, how will you detect intrusion over these protocols as digital transformation accelerates enterprise and edge convergence?
5. Does your enterprise security perimeter encompass devices deployed to the field and, if not, how will you ensure secure connectivity between these devices and the enterprise?

Is your data in the clear?

Three Security Questions to Answer As You Build and Deploy Data-Centric Devices

Device manufacturers must embrace the new digital paradigm of interconnectivity and data dynamism, designing in security not only for data in memory or storage but also for data passing through a system or over a network, and for the keys used to encrypt that data. Meanwhile, they must also ensure that software and hardware are hardened against tampering that compromise data integrity. Does your organization have a comprehensive approach to data security and privacy, or are your development efforts focused exclusively on end-point security?

1. Will systems you develop be part of the 98% of IoT devices sending data in the clear, or will you encrypt your data?
2. Do you have a clear understanding of the deployment environment into which your systems will be fielded, the attacks that environment may be subject to, and how the deployment environment may or may not introduce privacy considerations?
3. Do you have a testing strategy to address the full range of threats to data security?

Appendix: Security Worksheet for the New Digital World

Are you organizing for a new digital and volatile, uncertain, complex, and ambiguous (VUCA) world?

1. Are you increasingly working with new design security requirements for your devices?
2. Is the VUCA world we live in seen as an asset by the organization and do security requirements hold you back or accelerate your ability to thrive?
3. Is your core security strategy likely to be very different in five years, as you digitally transform as an organization?

Are you successfully transforming or inadvertently expanding your threat surface?

1. Is your security strategy focused primarily on endpoints, or is it a truly system-level approach encompassing the cloud and providing a chain of custody for the data at the heart of digital transformation?
2. Do you have an established methodology for the simultaneous development of functionality and the security elements of your embedded systems and, if so, does this methodology support the proliferation of threats that come with digital transformation?
3. Does your system architecture support efficient management of and updates to edge devices from deployment onward, anticipating the next generation of security threats and affording the flexibility required to ensure security across decades in the field?
4. Do your existing enterprise security tools recognize the diverse industry-specific protocols of your edge systems and, if not, how will you detect intrusion over these protocols as digital transformation accelerates enterprise and edge convergence?
5. Does your enterprise security perimeter encompass devices deployed to the field and, if not, how will you ensure secure connectivity between these devices and the enterprise?

Are your data in the clear?

1. Will systems you develop be part of the 98% of IoT devices sending data in the clear, or will you encrypt your data?
2. Do you have a clear understanding of the deployment environment into which your systems will be fielded, the attacks that environment may be subject to, and how the deployment environment may or may not introduce privacy considerations?
3. Do you have a testing strategy to address the full range of threats to data security?

Do you have the necessary knowledge to succeed as you near the edge?

1. Do you have access to engineering talent with the diverse set of skills required for the development, deployment, and maintenance of today’s IoT devices and related systems?
2. Do you have a digital experience strategy that will ensure that your devices are readily operable by a majority Millennial and digital-native workforce?
3. Do you have a complete understanding of the supply chain your device fits into—including your software supply chain—and encompassing after-market suppliers?

Source: RTInsights