Asaf Karas, CTO of JFrog Security. Photo: JFrog

Today’s consumer, business and industrial landscape is increasingly populated by connected Internet of Things (IoT) devices and operational technology (OT). Some of these are familiar, such as home security cameras, Wi-Fi routers and robotic vacuum cleaners, while others, such as medical devices with remote monitoring, programmable controllers and electrical switches, may not be as visible.

At the same time, 5G, a combination of communication technologies that delivers high speed, ultra-low latency and ubiquitous coverage, is now available almost everywhere.

Increased connectivity gives consumers and manufacturers the ability to remotely monitor and interact with products: collecting data from them, monitoring their performance, turning them on and off, and configuring their settings as needed. Increasingly, connected devices can even connect and communicate with each other without human intervention.


While a great thing in theory, the growing number of connected devices has put a lot of pressure on product security teams. After a chaotic period in which many first-generation products were built to proprietary standards that often fell short of, or even ignored, basic security principles, manufacturers are now guided by numerous national and global standards that define increasingly demanding security baselines in every product category.

Confusion of standards

Better security standards are a positive development, but in real-world conditions this comes at the cost of increasing complexity and confusion. There are up to 80 important standards to consult when producing a product – talk about a big compliance headache. These standards can also be complex and divergent depending on the industry or market segment in which they are applied, which makes expanding into new verticals a difficult undertaking for any company.

Different industry verticals are regulated by different standards, for example IEC 62443 for industrial systems and WP29 for the automotive industry.

While these standards are designed to be clear and enforceable, in some cases there has been confusion over their interpretation. Some standards are very high-level, referring to ‘integrity’ or ‘encryption’ without any practical guidance for the manufacturer or user on what this means in practice. Others are extremely technical, providing hundreds of rules for equipment in a single vertical industry. Worse, these standards have been limited in geographical reach and have not been implemented with much consistency or even-handedness.

The need for clarity on these fronts is urgent, as threats against connected devices are increasing rapidly and cybercriminals constantly probe them for security vulnerabilities. New vulnerabilities in connected devices are discovered every day, which means that manufacturers need to build in the ability to patch and update their products once they have reached the customer. The global pandemic exacerbated this pressure, with a significant increase in the volume of cyberattacks targeting home users and connected devices at a time when remote access to company assets and remote device management had become the norm.

International cooperation

Over the past 12 months, we have finally seen progress towards consolidating connected-device standards, with the automotive industry aligning with the UNECE WP29 regulation and industrial control systems aligning with, and being regulated according to, the ISA/IEC 62443 series of standards developed by the ISA99 committee and approved by the International Electrotechnical Commission (IEC). There has also been geographical convergence among American, European and Japanese manufacturers, with regulators such as the FDA striving to provide industry-wide standards around connected devices.

An important development in the US has been the IoT Cybersecurity Improvement Act, which tasks the National Institute of Standards and Technology (NIST) with formulating standards that will be applied consistently to all manufacturers seeking contracts with the Federal Government. This, together with President Biden’s Executive Order on Cybersecurity, could eventually result in a series of guidelines from NIST mandating a basic security baseline.

These regulatory decisions will help connected-device manufacturers unify the standards associated with connected industrial systems, ultimately forming de facto standards for all. However, the industry is still growing faster than the regulations charged with governing the industrial environments in which connected products are becoming ubiquitous.

Securing this type of market requires strong working relationships between regulators and manufacturers – in all industries – and a willingness among vertical leaders to collaborate and share their standards and knowledge with each other. The biggest obstacle to reaching this nirvana of device standards is simply time. The landscape of technologies is constantly changing, making the threat landscape a moving target. With increasingly sophisticated cybercriminals targeting connected devices at an alarming rate, the industry may find that time is a luxury it lacks.

Asaf Karas is the CTO of JFrog Security.