“Creating a system that is secure is not much more expensive than creating a system that is not”

A few weeks ago, the European Union Agency for Cybersecurity (ENISA) issued a study defining guidelines for securing the supply chain for IoT. For cause, as there is still a sheer number of unsecure devices on the market. F-secure, a cybersecurity company, released a report in 2019 that showed that IoT devices are disproportionately targeted by attacks. Why is that? Apparently because of how easy it is to get access to these devices. For some, vendors rush to market is to blame. For others, users have also their role to play. Be as it may, the issue is anywhere near being solved.

ENISA guidelines recommend that cybersecurity is being integrated into all layers of organizations, and also that ‘security by design’ is being weaved into digital products. In fact, according to the European agency, this should be a prerequisite for critical infrastructures and services. How to make better security decisions when building, deploying, or assessing IoT technologies? How does that play a fundamental role in Digital Transformation?

Security experts from various companies discussed the subject in a new webinar jointly organized by the IOT Solutions World Congress (IOTSWC) and the Industrial Internet Consortium (IIC), and sponsored by the Catalan Ministry for Digital Policy and Public Administration. They all agreed that the IoT threat landscape is complex and added that “security is at the foundation of the capacity to scale IoT services.”

Jan Münther, Head of Digital Product Security at OSRAM, admitted that, in general, the first wave of IoT did not care too much about security. “Back then everybody was happy to get things connected”. Yet, now, it is “a crucial aspect for the development of the IoT market.” Accordingly, David Maidment, Director of Secure Devices Ecosystem at ARM, underlined that “security allows confidence and trust”, which at its turn enables the market to scale. Thus, “security has to be built right at the beginning”, he pointed out. “And there is a great opportunity there”, he added. Actually, according to Statista, the IoT security market is expected to amount to nearly 31 billion U.S. dollars worldwide.

Jiwon Yune, CEO at Sigma Delta Technologies, echoed that sentiment but also highlighted that doing so inevitably requires to “change how traditional business models work.”

And there, the moderator, Anurag Gupta, Director of Business Development at ARM, wondered why it took so long to get to this point, i.e. to consider security a fundamental issue. Fabio Vignoli, Head of Product Security at Digital Solutions Division of Signify, considered that right at the beginning of IoT development “safety was an issue, not security”. But he also stressed that “the cost of creating a system that is secure is not so dramatically different from the cost of creating a system that is not.” Therefore, there are no more excuses. “Listen to your customers”, he recommended. “It also helps moving things internally”, he insisted.

In addition, Jan Münther recommended to invest in developers and help them understand security, while Jiwon Yune stressed the need to develop “efficient and flexible authentication and secure data transmission schemes” for IoT. Eventually, they all agreed regulations might also help. Yet, in the end, it all comes down to get down to work, they concluded.