With the Internet of Things (IoT) nearing 27.1 billion devices this year according to Cisco, a series of unprecedented cyber security risks are developing as the global rollout of gigabit broadband and 5G mobile networks continues. At a time when businesses and people are relying heavily on technology, it is critical the security of such devices is enhanced to safeguard against this increased threat landscape.

A real urgency for enhanced security
The nature of the devices at risk means the need for cyber resilience has never been greater. With hackers now able to remotely take control of components such as cameras, microphones, and GPS-connected devices in people’s homes, any attack can have significant consequences when it comes to the interception of personal data.

Researchers have identified that since August 2020, more than 3.7 million connected devices – like security cameras and baby monitors – had critical security flaws that left them vulnerable. The research found it was possible to exploit various security weaknesses found in multiple cameras. Its findings discovered that video streams could be accessed, whilst in-built microphones could be used to listen in or communicate with people at home and passwords changed. They also found that attackers could compromise other devices connected to the same network and use them to conduct further attacks.

There is also a real risk when it comes to businesses who utilize devices within their day-to-day operations. Not only can attacks cause on average $200,000 worth of damage, but vitally important systems can be taken offline or taken control of, whilst extremely sensitive commercial information is often stolen and used for industrial espionage. It came to light in 2020 that US aerospace and satellite companies were attacked in 2015, with hackers stealing intellectual property and important commercial data, costing millions of dollars and causing a breach of national security.

Creating Cyber Resilience
With this in mind, a new draft specification entitled “Cyber Resilient Module and Building Block Requirements” from Trusted Computing Group (TCG) has been released, to help vendors design Cyber Resilient devices, giving the security industry yet another powerful tool to fight the proliferation of cyber threats the technology industry is now facing.

Devices with cyber resilience built-in will be safer against attack from a system connected to the same network and, if compromised, can be recovered without manual intervention. As the dependence on technology grows, cyber resilience will prove critical for the future security of all interconnected devices and systems.

With devices being made up of numerous firmware layers and intelligent components, many of which have potential vulnerabilities, it is possible they may need servicing of the code and configuration of one or more layers. Defining a set of essential building blocks within its document, TCG’s Cyber Resilient Technology Work Group (CyRes) has created the concept of a Cyber Resilient Module which can recover these multiple layers and components while keeping them safeguarded.

The Cyber Resilient Module is an abstract computing concept that can take several forms. It could be a system on a chip integrated into an IoT device or a microcontroller unit that is part of a component incorporated into a larger, more complex device.  The concept of a Cyber Resilient Device can even be extended to multiple Cyber Resilient Modules in the same platform. This makes the specification relevant to a variety of computing environments including subcomponents such as storage and peripheral device controllers.

Cyber Resilience for the future of IoT
All Internet connected devices should be designed from the outset to protect themselves against network-based attack, with vendors employing a wide range of hardware- and software-based protection technologies to keep devices secure. However, bugs and misconfigurations can still lead to damage when it comes to assuring the authenticity and integrity of firmware.

Recovering compromised IoT computing devices often involves manual intervention. For instance, new authentic firmware may need to be reloaded on a compromised device from an external storage device or a secondary computer system. The manually repaired device must subsequently be rejoined to a network service using passwords or other credentials.

The revolution of IoT however is increasing the number of devices, many of which will be built from the same imperfect software in use today. As such, manual intervention for recovery or repair after a compromise will be much less practical or even unfeasible at scale, due to the number and variety of devices that may be either physically inaccessible or may lack interfaces for performing manual repair.

Many enterprise-class technologies which support secure and reliable remote device management and recovery are already available but may be unsuitable for many IoT devices because of limitations in device cost, form factors, power needs or availability of an out-of-band management channel. To address this, Cyber Resilient Technologies help to eliminate the need for manual intervention, and can be built with limited resources, such that simple IoT microcontrollers may be used in a broad range of applications. The current specification provides a variety of options to assist with automated recovery of a compromised device without complex or costly resources to perform recovery actions.

A secure future
TCG has created a baseline set of measures that vendors can incorporate to keep IoT devices protected and recoverable with minimized cost, power consumption and size of the hardware. This is a significant step forward for the security of billions of devices, where each can be kept safe and secure along with its network through achievable cyber resilience. This document is structured so other architectures and platform specific requirements can be added in the future.