Cimdata Logo

CIMdata Blog

Thursday, December 07, 2017

How Do We Combat IoT Cybersecurity Related Recalls?

Written by 

LockAre warnings by experts about impending IoT security catastrophe stemming from unsecure and unsupported devices becoming a reality? From reading recent cybersecurity related publications, it does appear so.

Recalls May Become The Norm For IoT Devices If Security Doesn’t Improve Significantly[1] is the title of an article that describes a recent cybersecurity breach caused by lax security practices of a Chinese company, Hangzhou Xiongmai, which sells components for surveillance cameras and other gadgets in the U.S. Xiongmai’s IoT devices, the article has it, were part of a large botnet that caused a massive distributed denial of service (DDoS) resulting in major websites such as Twitter, Reddit, CNN, and others, becoming inaccessible to users. The hackers seem to have gained access to Xiongmai’s devices with default user names and passwords. Xiongmai’s recall appears to be the first debacle spurred by IoT devices participating in botnets and it certainly sets a dangerous precedent, especially since it was caused by the desire to sell the IoT devices as cheaply as possible.

Cybersecurity related recalls of connected devices in other industries seem to have been largely triggered by researchers or bug bounty hunters, who target vulnerabilities in products that are difficult for the engineering teams of the product manufacturers to identify. For example, the medical device maker, Abbott, recently voluntarily recalled 465,000 pacemakers[2] to install firmware update for patching a cybersecurity vulnerability in six pacemaker models that Abbott acquired when it completed its purchase of St. Jude Medical. The vulnerability, which could allow an attacker to modify the pacing commands of the devices or cause premature battery depletion, became known due to research by the cybersecurity firm, MedSec Holdings.

The first ever cybersecurity related recall of more than a million passenger vehicles[3] was triggered by two researchers wirelessly taking over the vehicle’s dashboard function, steering, transmission, and braking. The researchers remotely hacked a Jeep through the vehicle’s Harman Kardon radio and the Uconnect infotainment system via the Sprint network; the cellular carrier that connects FCA’s vehicles to the Internet. The recall eventually involved FCA sending USB drives with software updates to the vehicle owners to be installed through the port on their vehicle’s dashboard.

As the connectivity and complexity of products increases, the chances of their vulnerability will also increase, and the product manufacturers must carefully weigh potential product recall costs against the cost of designing for cyber threats. Manufacturers leveraging IoT must design their products with security in mind from the beginning as they do with safety and reliability today.

In the medical device industry, a potential approach for addressing cybersecurity of connected devices casts the cybersecurity risk analysis into a framework that resembles safety risk analysis based on ISO 14971.[4] In the automotive industry, the thinking is to address safety and security in an integrated manner through co-analysis, co-design, verification, validation, and certification.[5] A new analysis approach called Failure Modes, Vulnerabilities, and Effects Analysis (FMVEA) has been developed, combining the analyses of functional failures and malicious attacks and their effects on system dependability. Each system is divided into subsystems and potential failure and threat modes for each element are identified.

It appears that the tools for analyzing the cybersecurity risks could be like those used for dealing with safety risks, although differences exist in terms of time horizons for detecting failure modes and threat modes and resolving them. The security risk needs a more vigilant strategy due to malicious intent that can occur over the entire life of the product, requiring new patches throughout, while unintended or poorly understood use case driven safety risk is likely to diminish with design reuse and improved understanding.

Nevertheless, both safety and security need careful analysis and upfront robust design to minimize the risks. This requires the ability to capture and reuse knowledge about prior failures and threats from earlier and similar versions of the products. CIMdata aims to help industrial companies capture and reuse past knowledge so that they can develop and deliver dependable products, and in that context, one of the areas CIMdata wants to jointly explore with industry is Semantic Technology-based Ontology. Given the growing engineering complexity and the vulnerability of products stemming from the increasing desire for connectivity and autonomous functioning of products, CIMdata believes that the challenge of knowledge capture and reuse must be addressed.

Let me know your thoughts!

Venki



[5] Automotive Cyber Security – Dedicated eBook for the Cybersecurity Professional - Automotive IQ

 

Venki Agaram

Email This email address is being protected from spambots. You need JavaScript enabled to view it.
ipad background image

Featured Cimdata Reports

ipadcontent
PLM Benefits Appraisal Guide

CIMdata’s PLM Benefits Appraisal Guide is designed to help potential PLM users evaluate the applicability and payoffs of PLM in their enterprise, and to help existing users of PLM monitor the impact it is having on their product programs.

ipadcontent
AEC Market Overview Report

The CIMdata 2017 AEC Market Overview Report presents CIMdata’s detailed analysis of the Architecture, Engineering, and Construction (AEC) market.

ipadcontent
PLM Market Analysis Reports

The PLM MAR Series provides detailed information and in-depth analysis on the worldwide PLM market. It contains analyses of major trends and issues, leading PLM providers, revenue analyses for geographical regions and industry sectors, and historical and projected data on market growth.

ipadcontent
PLM Market Analysis Country Reports

These reports offer country-specific analyses of the PLM market. Their focus is on PLM investment and use in industrial markets. Reports cover Brazil, France, Germany, India, Italy, Japan, Russia, South Korea, the United Kingdom, and the United States.

ipadcontent
Simulation & Analysis Market Analysis Report

This report presents CIMdata’s overview of the global simulation and analysis market, one of the fastest growing segments of the overall product lifecycle management market, including profiles of the leading S&A firms.

ipadcontent
CAM Market Analysis Report

This report presents CIMdata’s overview of the worldwide CAM software and services market. It also includes a discussion on the trends in the CAM industry and updates on the top CAM solution providers.