i-PRO Blog Series: Week 3 - Product Security: What product security features to look for with IIOT devices by Will Knehr
This post, on the Product Security pillar, is 3 of 5 in the series. Want to read the previous posts? Click on the links below.
Week 1: i-PRO’s Internet of Things Cybersecurity Pillars to build a strong security program
Week 1 bonus: Resiliency – Will your devices be there when you need them the most?
Week 2: Cyber Hygiene - Creating a Culture of Cybersecurity in your Organization
Our next pillar is Product Security, which is all about what security features are built into a product, or which security features can be configured on it. For instance, does the manufacturer of the device ensure that secure protocols are supported, do they offer the ability to encrypt data at rest and in transit, do they work to protect customer privacy, and do they update product firmware or hardware when vulnerabilities are detected? i-PRO ran a LinkedIn poll and asked “How often do you think surveillance software and firmware should be updated?” 50% of respondents said it should be updated every three months, while 26% said every six months. 21% said every year, and only 1% said it shouldn’t be changed. I’m glad to see that so many people think it should be updated regularly, but I think updating it too often might become a burden on both manufacturers and users. In truth, it needs to be updated every time an improvement has been made or a vulnerability has been patched. The cadence is going to vary, but the best manufacturers actively track and manage this process and push out notifications to all stakeholders.
Here’s an interesting thought exercise: let’s say that a person is interested in installing a baby monitor to listen out for their child, so they purchase a cheap device from the internet and connect it. At first, they love the device because they can hear their child from the other room, and they can sleep in peace. However, late one night they hear a voice coming from the monitor saying that there is a person watching their baby. Terrified, the parents jump out of bed and run into their child’s room, only to discover that this was a sick prank. This is a true story (Yes, Your Video Baby Monitor Can Be Hacked. No, You Don't Have to Stop Using It, groovypost.com); it turns out the cheap baby monitor had no security on it and was easily discoverable from the internet. Who bears the responsibility in this situation? Is it the parents, for purchasing a device without any product security? Is it the manufacturer, for making a device without security built in? Is it the hacker, who decided to pull the prank on the couple?
The answer to these questions isn’t always cut and dried, but the best thing that consumers can do to protect themselves is to research the security of the products that they purchase. Consumers drive the market, and they vote with their dollars; if consumers become more concerned about security, then eventually manufacturers will be forced to catch up. In a recent study conducted by Ponemon, they found that only 41% of IT professionals say that their organizations make product security a priority when purchasing products (2021 3M Report, ponemon.org). Having been in the cybersecurity field for a long time, there isn’t much that surprises me, but given all the ransomware and cyber-attacks that organizations have been under lately, I was a bit shocked that only 41% of organizations make product security a priority.
The consumer certainly has a responsibility to do their research when purchasing a product, but what about the manufacturer: should they be forced to build a more secure product? Once again, I don’t think this answer is so cut and dried. Sometimes consumers demand low-cost products and the profit margins just aren’t there for manufacturers to build in security. Many manufacturers make different versions of products and charge more for the more secure versions. Sometimes it comes down to product usability, with security features getting in the way of the product functioning properly or functioning in a way that pleases the user. And sometimes it is just plain ignorance on the part of the manufacturer. They may not have a cybersecurity team or be aware of the vulnerabilities that exist in their products. Circumstances will always vary, but manufacturers should do all that they can to ensure that they deliver a secure product, or at the very least offer the consumer an option to purchase a more secure product.
When it comes to IIoT products, here are some of the product security features or best practices that I recommend looking into:
- Check out the manufacturer of the product. Do they have a habit of producing a secure product and updating their software or firmware?
- Does the manufacturer have a way for researchers and ethical hackers to report vulnerabilities?
- Does the product offer basic security features like encryption and passwords?
- Does the product support secure protocols like HTTPS, MQTTS, and RTSP?
- Does the manufacturer offer hardening guides, white papers, or best practices when deploying their devices?
- Consider conducting a vendor assessment, especially if purchasing many products from an organization.
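The checklist above can be turned into a repeatable audit of the devices already deployed on a site. The following is an added example, not code from i-PRO or from the original post: it checks a constructed device inventory for three of the checklist items that can be verified mechanically (whether only TLS-protected services such as HTTPS, MQTTS and RTSPS are exposed rather than their plaintext forms, whether factory-default credentials are still in use, and whether the installed firmware lags the vendor's current release). The device records, version numbers, vendor names and default-credential pairs are all constructed for illustration.

```python
"""Added example: audit a constructed IIoT device inventory against the
product-security checklist (transport encryption, default credentials,
firmware currency). All device data below is constructed, not real."""
from dataclasses import dataclass

# Services that carry transport encryption versus their plaintext forms.
# MQTT and RTSP both have plaintext variants; MQTTS and RTSPS are the
# TLS-wrapped ones, so the audit looks for those specifically.
SECURE_SERVICES = {"https", "mqtts", "rtsps", "ssh"}
PLAINTEXT_SERVICES = {"http", "mqtt", "rtsp", "telnet", "ftp"}

# Constructed list of factory-default logins; in a real audit this comes
# from the vendor's documentation or hardening guide.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    services: frozenset          # service names the device currently exposes
    firmware: str                # installed version, e.g. "2.4.1"
    latest_firmware: str         # vendor's current release for this model
    credentials: tuple           # (user, password) from the site's credential store


def parse_version(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: Device) -> list:
    """Return a list of findings; an empty list means the device passes."""
    findings = []

    # Checklist item: secure protocols. Flag any plaintext service that is
    # still enabled, and flag devices with no encrypted alternative at all.
    plaintext = device.services & PLAINTEXT_SERVICES
    if plaintext:
        findings.append(f"plaintext services enabled: {sorted(plaintext)}")
    if not device.services & SECURE_SERVICES:
        findings.append("no TLS-protected management or streaming service available")

    # Checklist item: basic authentication hygiene.
    if device.credentials in DEFAULT_CREDENTIALS:
        findings.append("factory-default credentials still in use")

    # Checklist item: vendor keeps firmware updated, and the site applies it.
    if parse_version(device.firmware) < parse_version(device.latest_firmware):
        findings.append(
            f"firmware {device.firmware} behind vendor release {device.latest_firmware}"
        )
    return findings


def audit_inventory(devices) -> dict:
    """Map device name -> findings, for every device in the inventory."""
    return {d.name: audit_device(d) for d in devices}


# Constructed inventory: one well-configured camera and one that fails
# several checklist items.
SAMPLE_INVENTORY = [
    Device("cam-lobby", "ExampleVendor", frozenset({"https", "rtsps"}),
           "2.4.1", "2.4.1", ("secops", "Xk9!long-unique-passphrase")),
    Device("cam-dock", "ExampleVendor", frozenset({"http", "rtsp", "telnet"}),
           "2.1.0", "2.4.1", ("admin", "12345")),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the inventory would be populated from the site's asset register and the vendor's published release notes, and the output feeds the vendor assessment in the last checklist item: a vendor whose devices repeatedly fail the firmware-currency check is one whose update process deserves a closer look.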
In summary, product security is about manufacturers building more secure products for their customers. Products that use encryption and strong authentication are more resilient to cyber-attacks. However, the market almost never turns unless consumers show a demand for a product or service. So, consumers have to make their voices heard and demand products with security features. Together we can make the world of IIoT a more secure place!