Jakub Jirsák - stock.adobe.com

BlackBerry calls for stricter internet of things security standards

All internet-linked devices should support software updates, though things that are prone to safety risks when hacked, such as connected cars, should adhere to higher security standards, says BlackBerry CSO

Government and industry-led standards are needed to secure internet of things (IoT) devices that are increasingly being used as vectors for cyber attacks, according to BlackBerry’s chief security officer, Alex Manea.

Speaking to Computer Weekly in Singapore, Manea said such standards should detail specific security requirements, such as mandating that every IoT device supports software updates.

“A lot of people are building devices with software that connects to the internet,” said Manea. “Those devices become targets for hackers as soon as they’re connected, and without security updates, you won’t be able to patch their vulnerabilities.”

Noting that the Mirai botnet – which disrupted internet services and infected home routers around the world in a 2016 distributed denial of service (DDoS) attack – comprises IoT devices that cannot be patched, Manea said security standards would prevent similar attacks from occurring in future.

While standards may set baseline security requirements for IoT devices, Manea acknowledged that it would not be possible to implement the same standards across a broad range of hardware devices.

“The fundamental concepts of authentication and data encryption should apply to all internet-connected devices, but at the same time, there will be standards that make sense for some IoT devices and not others,” he said.

For example, Manea said cars would require higher security standards because of fundamental safety risks. “Somebody who hacks a sensor may not necessarily pose a safety risk, though a hack on my car could take over the controls and steering wheel.”

The automotive industry is already putting in place security standards, and understands the relationship between safety and cyber security, Manea said, noting that BlackBerry was working with car makers to secure connected vehicles.

BlackBerry’s focus on the automotive sector as part of its move towards becoming more of a software and security supplier comes naturally, because its crown jewel, the QNX operating system for embedded devices, is widely used by car makers.

“The automotive industry is the most mature among all IoT verticals, and it’s one that will provide the most value in the short term,” said Manea. “It’s also where we’re getting a lot of demand from customers.”

Asked if BlackBerry planned to expand its reach into other IoT verticals, Manea said the company would look at the broader transportation industry, such as aerospace and trucking. “We’re also looking at healthcare, where there are direct safety concerns when a healthcare device gets hacked.”

Read more about IoT security

According to Gartner, global spending on IoT security is expected to reach $547m in 2018, mostly on securing connected cars, heavy trucks, commercial aircraft and construction equipment.

“The market for IoT security products is currently small, but it is growing as both consumers and businesses start using connected devices in ever greater numbers,” said Ruggero Contu, research director at Gartner.

However, the technology research firm noted that although 25% of cyber attacks on enterprises would involve the internet of things by 2020, IoT security spending would account for less than 10% of IT security budgets.

Consequently, IT security suppliers will need to provide usable internet of things security features because of limited budgets and the decentralised approach to early IoT adoption, Gartner said.

Read more on Endpoint security