The importance of ensuring connected devices are protected throughout their entire lifecycle
In modern society, connected devices power so many different elements of our lives – from our smartphones and cars to our home appliances and even the medical solutions that we rely upon.
With our reliance on all these devices, and the vast amounts of data that we share with them, it is vital that we’re able to have trust that our sensitive information will be protected. While many original equipment manufacturers [OEMs] harvest device user data to deliver better customer experiences, it stands to reason that consumers will be far less willing to share their data if they aren’t convinced that it’ll be kept secure. Not only does having poor data security deter customers from using an OEM’s products, but it can also lead to the manufacturer incurring severe penalties if they are breached or found to have misused the data.
As the threat landscape continues to evolve at an alarming rate – recent figures show there are approximately 2,200 cyberattacks committed each day – and new dangers to data security constantly emerge, encouraging consumers to share their data is becoming an increasingly challenging task for OEMs.
It’s not just personal data that’s under threat though – unsecure devices pose a considerable threat to physical safety as well. For example, it was reported in October 2023 that fake parts were being used in some commercial aircraft, with worn components distributed by suppliers under the pretense that they’d come straight from the production line. This was certainly an alarming development, and one that served to illustrate the vital need for devices to be kept secure throughout their entire lifecycle.
The concept of ‘born secure’ devices
Achieving this goal is, however, entirely dependent on a critical first step; namely, ensuring that devices are ‘born secure’. Effectively, this involves an OEM assigning a digital birth certificate to a device – known as a trust anchor – that is inserted into each unit as it rolls off the production line. Trust anchors provide a line of communication between the device itself and external systems, helping OEMs to prove that all parts present within are legitimate and can therefore be trusted.
Through the trust anchor, manufacturers can then remotely assess both a device’s history and its current state following deployment. If a device’s history shows, for example, that it has at any point failed certification, contained an unsecure software version, or been involved in a crash, it becomes much less likely that it will be considered trustworthy. However, the real power that ‘born secure’ devices give to OEMs comes from the additional data associated with their identity. This can include information like whether the device has passed a Quality Assurance [QA] test, whether it was sold in region A or region B, and potentially even which customer it belongs to.
Thanks to the trust anchor, OEMs can remotely access this data, and ensure that it and other sensitive information – including which updates have been installed and what alarms have been triggered – is kept safe. This helps to greatly improve customer confidence in the technology, increase usage, and position the OEM as a cybersecurity champion – all of which are becoming increasingly integral as hardware and software security continues to be such a hot topic and an issue that consumers and regulators alike expect OEMs to address.
The rise of regulation
With so many threats out there, and devices routinely falling victim to attacks, it’s clear that OEMs will need to continue enhancing their efforts when it comes to security and safety. This is precisely why emerging legislation is such a welcome introduction; only by adopting a uniform approach can OEMs hope to properly tackle the growing danger that cyberattacks pose.
The upcoming EU Cyber Resilience Act [CRA] stands as one of the most significant pieces of legislation in this regard. Following an agreement between the European Commission, Council and Parliament in late 2023, this act is set to come into force later this year. It will impose requirements on OEMs to improve the security of all hardware and software products that they manufacture, taking security into account from the design and development phase and right throughout the entire lifecycle of a device.
In addition to this, manufacturers must ensure that they follow a coherent cybersecurity framework, and that the security properties of products with a digital element are transparent. As such, the CRA is set to have a transformative impact on OEMs and cybersecurity, underlining the urgent requirement to ensure that devices are ‘born secure’.
There are a number of emerging standards that can help address the new regulatory requirements. For example, the Internet Engineering Task Force’s [IETF] Remote Attestation Procedures [RATS] formalize the way relying parties (servers) can establish a level of confidence in the trustworthiness of attesters (client devices). RATS introduces the entity attestation token (EAT), which describes a device’s state and assists OEMs in determining whether to engage in secure interactions with it. Engaging with such standards is not simply a box-ticking exercise for OEMs, but can bring tangible benefits regarding security.
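The appraisal step described above, sketched as an added example (not Trustonic's or the IETF's code): a relying party checks an EAT-style claim set before deciding to trust a device. The claim names eat_nonce, oemboot, dbgstat and swversion come from the EAT specification; the key, the policy thresholds and the sample claims are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real attestation key would produce.

```python
import base64, hashlib, hmac, json

# Assumptions: constructed key and policy; HMAC-SHA256 stands in for the
# asymmetric signature made with a device attestation key.
DEVICE_KEY = b"constructed-demo-key"
SAFE_DBGSTAT = {"disabled-permanently", "disabled-fully-and-permanently"}
MIN_SWVERSION = (2, 1, 0)
# Constructed sample claim set using EAT claim names.
SAMPLE_CLAIMS = {"eat_nonce": "n-123", "oemboot": True,
                 "dbgstat": "disabled-permanently", "swversion": ["2.3.1"]}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def make_token(claims, key=DEVICE_KEY):
    """Attester side: serialize the claims and authenticate them."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + b"." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def appraise(token, expected_nonce, key=DEVICE_KEY):
    """Relying-party side: return (trusted, reasons_for_rejection)."""
    try:
        body, tag = token.split(b".")
        good = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), good):
            return False, ["bad signature"]
        claims = json.loads(_unb64(body))
        if not isinstance(claims, dict):
            raise ValueError("claims must be a JSON object")
    except ValueError:
        return False, ["malformed token"]
    reasons = []
    nonce = str(claims.get("eat_nonce", "")).encode()
    if not hmac.compare_digest(nonce, expected_nonce.encode()):
        reasons.append("stale or missing nonce")  # freshness: blocks replay
    if claims.get("oemboot") is not True:
        reasons.append("boot chain not OEM-authorized")
    if claims.get("dbgstat") not in SAFE_DBGSTAT:
        reasons.append("debug not permanently disabled")
    try:  # swversion is an array whose first element is the version text
        version = tuple(int(p) for p in claims["swversion"][0].split("."))
    except (KeyError, IndexError, TypeError, AttributeError, ValueError):
        version = ()
    if version < MIN_SWVERSION:
        reasons.append("software below minimum version")
    return (not reasons), reasons
```

The signature is checked before any claim is parsed, so unauthenticated input never reaches the policy logic.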
How Trustonic can help
At Trustonic, we recognize that many OEMs will require support in strengthening security functions like key injection and attestation to ensure both compliance with emerging legislation, and that devices are born, and remain, secure throughout their lifetime.
By incorporating our Trusted Execution Environment [TEE] into their products, manufacturers can separate critical code and data from the less secure parts of their devices, thereby ensuring that security forms an intrinsic part of the design process, instead of being a mere afterthought. The TEE provides OEMs with a robust foundation to build a wide range of secure applications and services across their device architecture, supporting them in ensuring compliance with both existing and emerging regulations and, in doing so, building trust among consumers.
The solution has been certified against a Common Criteria protection profile defined by GlobalPlatform to EAL5+*, positioning it as the ‘gold standard’ for consumer Internet of Things [IoT] cybersecurity. As cyber threats – and the legislation aimed at combatting them – accelerate, it’s imperative that OEMs don’t take a ‘DIY’ approach to the security of their devices.
We have helped countless manufacturers to achieve compliance with regulations all around the world, and are constantly looking ahead to what’s coming down the tracks. As such, we are perfectly positioned to support OEMs in ensuring compliance with cybersecurity regulations, and that each and every product that they manufacture that contains a digital element is ‘born secure’.
* Trustonic’s EAL5+ certificate can be found on the Common Criteria website: https://commoncriteriaportal.org/files/epfiles/NSCIB%20certificate%2022-0291872.pdf