Society has become increasingly connected through Internet-of-Things (IoT) devices, and with the ever-growing movement towards remote working, cyber resilience has never been more crucial. Personal computers often have less hardware and parts compared to ones found in an office, with hardware that is easy-to-obtain and simple to service. Businesses often require computers that are designed with heavy-duty processors, motherboards and other expensive, rarer components that makes external access more difficult. With 25% of professional jobs in North America expected to be remote by the end of 2023, the need for technology to be able to protect, respond, and recover from any malicious attack is vital.

A proactive approach to cyber security

The reliance on technology from people and businesses in day-to-day operations has elevated the importance of improving security to protect against increasing threats. Hackers have demonstrated the ability to take over and control cameras, microphones, and GPS-connected devices to intercept personal data. Despite global efforts to mitigate and contain the numerous cyber-threats, the number of cybersecurity breaches each year is growing rapidly.

Research shows that in 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year, and such attacks will only continue to grow in number as cybercriminals become more sophisticated. All too often, connected devices like security cameras and “smart” doorbells possess critical security flaws that leave them vulnerable. Furthermore, video streams can also be accessed, whilst built-in microphones can be used to listen to or communicate with people in their homes.

A successful attack can take critical systems offline and lead to highly sensitive commercial information being stolen. This results not only in huge financial repercussions – the average cost of a data breach in 2022 was $4.35 million according to IBM – but also to significant reputational damage for the business affected.

Ensuring Cyber Resilience in devices

To this end, TCG has published a new specification entitled “Cyber Resilient Module and Building Block Requirements”. This specification outlines clear guidance for device manufacturers and designers on how to develop cyber resilient devices and provides the security industry with tools to help successfully fend off a malicious attack.

The specification encourages the consideration of cyber resilient architecture from the beginning of the design process, rather than it being considered an afterthought. With the number of connected devices continuing to grow, so too does the likelihood that these will be built from the same flawed software prevalent in the technology of today. The movement towards increased IoT deployment can only be successful so long as integrity is maintained.

To date, there are some enterprise-class technologies – like Customer Relationship Management (CRM), Supply Chain Management (SCM), and Enterprise Resource Planning (ERP) – which provide some ways to secure and establish remote device management and recovery, but many of these are incompatible with IoT devices due to the variety of options available. Limitations in device cost, form factors, power needs, and availability of an out-of-band management all mean a solution is required to eliminate manual intervention, which can be an expensive endeavour. A device which is designed to be cyber resilient however, can avoid the need for manual intervention to recover from attacks.

As devices are often made up of numerous hardware and firmware layers – all of which will display potential vulnerabilities – it is possible that servicing will be required for the coding and configuration of the multiple layers. With this in mind, TCG’s Cyber Resilient Technology Work Group (CyRes) has created the concept of a Cyber Resilient Module (CRM) which can be integrated into different architecture components of devices in order to provide protection, detection, and recovery.

Whether it’s a system-on-chip (SoC) that has been integrated within an IoT device or a microcontroller unit (MCU) built onto a component within a larger device, the CRM has been conceptualized to allow designers to construct it in a manner which fits the requirements for their product. The concept of a ‘Cyber Resilient Device’, where a device contains at least one CRM, can even be extended to multiple CRMs within the same platform. This ensures that a number of different computing environments can benefit from the level of protection that the new specification can ensure, including peripheral device controllers and storage.

A ’future ready’ specification

With the CyRes specification, TCG has built the foundations to maintain IoT device protection and recoverability with minimized cost, power consumption, and hardware. If designers implement the concepts and requirements laid out in the specification, billions of devices can be kept safe and secure through cyber resilience.