While computer system and device security is on the minds of business leaders and has been for years, some fundamental practices are still not being followed by a significant percentage of companies, according to a security expert who spoke at pre-conference session at the opening of Sensors Converge 2023.
Only 20% to 30% of companies take curbing security vulnerabilities seriously, estimated Shawn Prestridge, US field applications engineer manager for IAR Systems. The company makes security tools along with other products including compilers and debuggers with about 150,000 paying customers. He constantly meets with customers needing his advice.
“People have so often heard the security message that they may think [the solutions] are understood,” he said in an interview on the sidelines at the event. “We’re slightly better off than five years ago, but a lot of companies aren’t aware of the problem.”
In addition to the most prepared companies, he estimated up to 20% have little regard for computer security, almost adopting an Alfred E. Neuman “What, me worry?” attitude. The remaining companies in the middle, perhaps 50%, are neither well prepared, nor ignorant of vulnerabilities and how to prepare for them, he said.
One major reason cybersecurity matters more in recent years is the proliferation of connected devices, everything from defibrillators to smart doorbells that populate the Internet of Things. IDC on Tuesday released a forecast showing IoT spending in 2023 is expected to grow by more than 10% over last year, reaching $1 trillion in 2026.
What can be done about the security gap? Prestridge and other security experts argue for building in security from ground up, starting with security work by embedded developers who design new products for IoT. That’s a far better approach than bolting on security tools after a product has been developed and is on its way to a manufacturer or assembler. “I’m always amazed by the people who don’t want to spend on security but are willing to spend even more when a system or device is compromised,” he said.
“Security should start with the design of your product and go all the way through the lifecycle, including transfer of ownership for the device,” he said.
Noting that supply chain attacks are on the rise, he pointed out that code can be copied or modified anywhere along the chain. He called for companies to implement a zero trust philosophy, one that is shared across all teams inside a company.
Part of lack of security preparation is that too many companies are not fully informed on security regulations. Many companies are familiar with GDPR in Europe, but less informed about California’s SB-327 provisions or Oregon’s HB4155. Security laws are pending in 15 other states as well, he said. Penalties for CEOs at companies making products exposed to security hacks are on the rise. “Ignorance is no longer a defense,” Prestridge said.
While states are stepping up, Prestridge was especially critical of US government inaction. “The US is absolutely so behind Europe’s GDPR,” he said. “Politicians in the US are too focused on too many other things, including criticizing the other party.”
Prestridge offered a list of minimal necessary components of good security:
1. Secure provision
2. Secure boot
3. Access to security assets from application
4. Secure firmware update
5. Secure firmware authentication
6. Secure communication
7. Encryption of data at-rest
8. Firmware image management
Without naming the company involved, Prestridge noted that one medical device maker sold a defibrillator that had no encryption on the device. According to reports, in 2019, Medtronic, a Minnesota-based company, admitted many of its implanted defibrillators used an unencrypted wireless protocol that could allow attackers to change device settings.
Prestridge also recalled the Amnesia:33 vulnerabilities found in 2020 in multiple open source TCP/IP stacks commonly used in embedded devices. Exploits of those vulnerabilities could have resulted in remote code execution, denial service attacks or total compromise of the devices. Millions of devices were vulnerable, according to reports, including networking equipment, medical devices and industrial control systems.