The role of electronics manufacturers in device security

To preserve security, it’s important to start thinking about and planning for it as early in the development process as possible. That brings up the question: what is the role of electronics manufacturers in device security? Is it something device makers should be concerned about?

Security is neglected too often

The problem most of the time is that design and engineering teams aren’t collaborating or aligned with IT and security teams. This can lead to a serious disconnect in how devices are created and what kind of onboard security they offer.

With IoT and similarly connected technologies growing more popular, and creating more data to be potentially compromised, it’s apparent that security needs to be considered seriously. That has led to legislation like California’s Internet of Things Security Law, which requires all IoT devices that are sold in the state to include “reasonable security measures” built in. Not long after, the Internet of Things Cybersecurity Improvement Act of 2020 was also passed.

It forces manufacturers to consider security, and the implications for a lack of it, much earlier in the development process.

What does manufacturing-level security look like?

Medical and IoT devices, especially, would benefit from manufacturing-level security, but what does that mean exactly? What can manufacturers do to improve device security at the assembly level?

For starters, devices created using unsecured processes can be compromised at any time, and not just after they leave a store or warehouse shelves. With the right access, nefarious actors could compromise the devices earlier in the supply chain. That would lead to businesses and consumers alike acquiring pre-compromised devices. Attackers could then do any number of things, from gathering sensitive information to spying on individuals and organizations, and even tampering with devices remotely.

An answer to securing devices at the manufacturing level is to install hardware security modules (HSMs) that contain integrated security software and solutions. It would then be possible to sign the devices — with unique keys or digital certificates — to verify authenticity and control access. Without an authorized key, the devices cannot be accessed, modified, or used.

Implementing security certificates at the hardware level also helps limit the management processes required to store and access the private keys. It’s an answer for some of the complexities introduced while addressing secure hardware, in other words. One recent study found that 73% of surveyed organisations experienced downtime because of mismanaged digital certificates.

Hardware security isn’t the only problem that manufacturers face, however.

Software is the weak link

Even with secure hardware, the software used to access, configure, and control the devices in question is a huge concern. That could mean securing mobile apps, web services, or even locally distributed applications on a company’s intranet.

While some manufacturers may not be directly responsible for the software used to interface with IoT devices and modern electronics, many still play a role, and it also depends on the organization. Some manufacturers assemble the hardware and develop software solutions in-house, whether through a separate team or by outsourcing.

The software is then injected into the devices, for any number of reasons. A smart device might have software to not only interact with it but also sync it with mobile devices and remote services. Similar electronics may have proprietary software, meant only for interfacing with the device in question.

It comes down to what kind of security these software solutions are employing. Where are passwords stored and how is access handled? How easy is it to modify or gain access to the administrative platform of the software? What kind of information are the devices collecting and where is it all going?

It’s important to remember that while cybercrime may often involve more common forms of hacking, it also includes hardware manipulation, online scams and fraud, and identity theft. Advanced cybercrime and cyber-enabled crime may affect anyone, including the customers and end-users of electronic devices. So nefarious actors may be using the data collected and transmitted by electronics, instead of just trying to seize control altogether.

Manufacturers have an inherent responsibility to protect what data devices are collecting and where that information is going. If that means the content is being passed to a home server that’s owned and operated by the manufacturer or device maker, they must secure it reasonably and effectively.

What’s the answer?

Step one should be to train and educate personnel on the importance of security, as well as the ins and outs of cybersecurity, from both a hardware and software standpoint. By empowering team members, manufacturers can ensure that security is a foundational element of the design, assembly, and creation processes.

Most engineers understand the importance of security, and there are a host of certificates available, along with courses and training regimens that can improve their knowledge and awareness.

The best solution is to face security head-on, by designing and building protections from the ground up. Hardware security modules are just a start. It’s time to begin thinking about how to secure devices, no matter where they’re being used, and by whom. That includes securing the data electronic devices collect and the channels for transmitting, processing, and reporting it.