March 10, 2022

Interview: Darron Antill Talks To Cybernews

Darron Antill, Device Authority: “with organizations incorporating more connected devices, the surface area for cyberattacks broadens”

With the shift to working from home becoming more prevalent, the risk of attacks increases, creating a need for better security solutions for enterprises.

One of the worst threats an organization can face is unintentionally giving hackers access to its IoT devices. The harsh reality is that this can result in major financial losses, stolen sensitive information, or even a ruined brand reputation.

That is why it is important to improve and maintain high security levels for IoT devices throughout their whole lifecycle with the help of cybersecurity tools. This includes investing in Identity and Access Management (IAM) solutions that secure employee access and protect businesses from data breaches.

To discuss the relevance of security for enterprises, we talked with Darron Antill, the CEO of Device Authority, a company that focuses on helping organizations protect themselves from cyberattacks.

How has Device Authority evolved since its launch a few years ago?

Since our launch, we have continued to evolve our offer to our key verticals, including industrial, medical, and automotive, gaining significant global customer traction and becoming integral to their security environment. Our KeyScaler software platform has also continued to evolve to provide identity and data trust, and security lifecycle management for IoT devices, hence a truly end-to-end solution to solve our customers’ problems. This is recently further enhanced by KeyScaler Edge for smaller offline devices and use cases and is opening up the Retail sector market.

Alongside our growing customer base, we have also developed a healthy strategic partner ecosystem, working with Microsoft, PTC, Entrust, Wipro, and Venafi. We have expanded our integration capabilities and are now integrating with Microsoft Azure. Our work with Edge computing has also increased as adoption has become more sophisticated.

One of the main solutions offered by Device Authority is the KeyScaler platform. Can you tell us more about how it works?

KeyScaler® is an innovative IoT security platform that:
  • Securely provisions and registers devices
  • Manages policy-driven credentials
  • Provides end-to-end device cryptography for data in transit and at rest across networks and cloud services

The platform uses breakthrough technology with two device authentication methods to bring unrivaled trust to IoT devices. It also delivers automated device provisioning, authentication, credential management, and policy-based end-to-end data security/encryption.

KeyScaler™ was designed to be easily integrated into your existing IoT devices, applications, and platforms, such as Microsoft Azure, PTC, ThingWorx, and AWS IoT, and is perfect for Secure by Design IoT devices. It protects your vital digital infrastructures from security threats that can cost your brand millions, harm your reputation, and put your customer’s privacy at risk, with simplified security solutions.

Delegated Security Management (DSM) provides device makers and IoT applications with a turnkey, plug-and-play IoT security suite. It is easy to deploy, simple to manage, and provides policy-driven automation for scalability, coupled with an architecture and deployment model which enables small and large enterprises to scale.

You often emphasize the importance of the security-first approach when it comes to IoT devices. Can you tell us more about this vision?

The industry often talks about a secure by design approach which places security at the heart of each stage of development and deployment. However, this often does not go far enough to solve the customer’s own challenges. Currently, a gap or disconnect exists between the trusted and secure foundation provided at the time of manufacturing and the trust anchor and processes which support the secure onboarding and operationalizing of devices by the customer.

To truly secure IoT devices and instill trust, security must be managed throughout the entire device lifecycle, from such stages as onboarding, enterprise, and cloud integrations right the way through to decommissioning. By providing the ability to automate provisioning for IoT devices at scale, a solution to full device identity lifecycle management and enterprise integration, with KeyScaler, we are able to close the gaps in the IoT application and device journey. We provide a complete trusted IoT ecosystem that will help to unlock blocked or delayed IoT rollouts.

The recent Executive Order (EO) from Joe Biden is a good endorsement of this, where the EO is explicitly aimed at improving cyber security across the US national critical infrastructure. One of the requirements is to publish and maintain a Software Bill Of Materials (SBOM) for any devices/solution used across all digital infrastructure – IT, OT, IoT, IIoT – essentially pursuing a Zero Trust approach throughout the supply chain.

How did the pandemic affect the IoT scene? Have you noticed any new security issues arise as a result?

The changes in how we live our lives and new working practices that evolved from the pandemic led to many organizations having to undergo digital transformations at pace. They needed to adapt to the changing world and continue to operate. As the saying goes, “necessity is the mother of invention”, and many more of these transformations have looked to benefit from the IoT.  Coupled with the unsurprising increase in cyber threats over this period, this has meant that the security of any IoT rollout has been high on the agenda.

One area of specific growth has been the Internet of Medical Things (IoMT), which has been disrupting the healthcare industry for several years now, not only for patient care/safety time but also for cost savings and operational efficiency. Since COVID-19 appeared on the agenda, there has been an almost exponential explosion of telemedicine by healthcare systems from pre-COVID levels. This change happened almost overnight as COVID-19 spread. As a result of quarantine and states closing, health systems stopped seeing many patients in person. These IoMT devices and their ability to connect to Healthcare IT systems have huge benefits. However, the number of cyber risks within the healthcare sector, such as telehealth device flaws, insider threats, and the rise of targeted cyberattacks, has also increased.

What do criminals usually try to gain by targeting large enterprises instead of individuals?

The answer to any question about the motive of a cyber criminal is almost always money, but the aim can also be to inflict as much harm and damage as possible to critical infrastructure. The scale of a large enterprise’s IT estate often means that vulnerabilities can be exposed, particularly when sudden and significant changes have occurred. For instance, an increased number of employees working remotely and accessing networks from personal devices. This is certainly the case in relation to the IoT. As organizations continued rapidly incorporating more connected devices, the surface area for cyber attacks broadened. This can often act as a gateway to obtaining personal or financial data, ransomware attacks, or disrupting or hijacking high-profile operations and infrastructure.

Since Device Authority ensures security for various industries, what are the most common vulnerabilities you run into in each field?

The most common vulnerabilities are actually the same across all industries we work with. These are:

  • Weak and easy-to-guess passwords or organizations failing to change default passwords
  • Inadequate privacy protection
  • Weak generic static credentials which are shared amongst devices
  • Lack of authentication and authorization control in IoT use cases
  • Insecure transfer and storage of data that are key to automated decision-making processes and controls
  • A lack of a secure update mechanism to guard against corrupted firmware or software updates
  • Insecure web, API, cloud, or mobile interfaces  
  • Identity management for Edge devices
  • Visibility and remediation of software used in each IoT device to reduce supply chain attacks 

Could you share some tips for organizations looking to secure their IoT devices?

As an active and founding member of the IoT Security Foundation (IoTSF), we are committed to driving best practice within the industry. We have worked with other key figures within IoTSF to produce the best practice guide and a security assurance framework that enable organizations to achieve a trusted and secure IoT ecosystem and device lifecycle. We also work with a number of other industry bodies to support the best practice across the IoT ecosystem, such as FIDO. It has released FIDO Device Onboarding (FDO), which is now integrated with KeyScaler, enabling customers to standardize on the initial device-to-cloud onboarding process.

In your opinion, what cybersecurity trends are going to emerge in 2022?

Identity access management (IAM) has received more attention due to organizations no longer working in closed environments where location can dictate security controls. Identity-first security will therefore become an essential day-to-day practice.

The growth of AI and machine learning means that machine identity management as well as ethics, governance, and how we protect datasets upon which AI bases decisions, will be a renewed focus. AI is as biased as the world in which it operates, so we need to design the ability for it to question, be skeptical, and ask for advice to keep it on the straight and narrow.

2022 will also see a drive in Edge-based computing for IoT, increased use cases in IoT Healthcare (post-pandemic), focus on IoT in Business and Industry, and ensuring IoT in Business is made resilient to cyber-attacks.

A more widely available quantum capability is also coming and there is potential for rogue actors to capture encrypted information (IP, government data, etc.) now, in the anticipation that quantum will enable its decryption in a few years.

Legislation is catching up with risk and forcing IoT vendors to rethink and redesign their solutions. An example of this is Joe Biden’s Executive Order, stipulating that every device using software must publish and maintain an SBOM – aiming to provide visibility and supply chain trust in the US National Critical Infrastructure.

Would you like to share what’s next for Device Authority?

We are continuing to focus on working with our customers to help deliver secure digital transformations and supporting them to move from the pilot stage with tens of devices to large-scale IoT rollouts with 100,000+ devices. 

Our KeyScaler platform will also continue to evolve to further cater to the growth in Machine Learning (ML) and AI and we will expand our strategic and vertical solution partner base to accelerate and support our growth in the key vertical sectors – medical, retail, industrial, and automotive. KeyScaler is also well placed in IoT to help customers meet new and evolving legislation. The recent SBOM requirement coming out of the White House Executive Order (due to be enacted in March 22) is a good example of this, where KeyScaler can be used by customers to help meet this new requirement.

Finally, our sustainability agenda continues to be an important focus area. We are helping customers to maximize the environmental and social benefits that IoT and connected devices can bring. We continue to work with responsible partners and develop further employee initiatives to ensure that we are contributing positively to our local environments around the world.

 

 

WRITTEN BY
Claire Tennant