Security of devices becomes a prime concern and needs to be addressed at the design stage

Billions of connected devices have caused participants in the Internet of Things (IoT) to reassess their approach to security. Jim Douglas, the chief executive officer of Wind River, tells Robin Duke-Woolley, the chief executive of Beecham Research, that developers of IoT applications and devices recognise they can no longer rely on patchwork approaches and instead must take a comprehensive view of security.

Robin Duke-Woolley: At what point in Wind River’s history did security become a key focus area for the company?

Jim Douglas: Security is embedded in everything we do. This goes back to the founding of the company in 1981. The company‘s first customers were primarily aerospace, defence and industrial organisations which were very security and safety oriented. So, from day one the foundational pillars of the company were security, safety and reliability. The product line and operational doctrine of the company has grown out of that. Wind River takes a holistic approach to security, which includes the following key elements:
• Secure software development lifecycle
• Built-in security features across our portfolio
• Security services and support
• Prudent security incident response

Our products, services and expertise provide our customers with a comprehensive security solution with a safeguard as new threats emerge. In addition, our development processes and security capabilities meet the rigorous requirements of the industries and governmental agencies in geographies we serve.

RD-W: Which markets does Wind River serve?

JD: Wind River software can be found in all major critical infrastructure sectors where security is paramount. From aerospace to industrial, defence to medical, and networking to automotive, our customers include the world’s leading manufacturers, enterprises and governments.

RD-W: From a security perspective, what market changes are having the biggest impact on your customers?

JD: From a business and technology standpoint, connectivity in the critical infrastructure markets we serve has changed the security game dramatically. Historically, a majority of embedded systems were either not connected or were connected on proprietary networks that were not exposed to enterprise networks or the internet. Security concerns were always prevalent, but given the fact that embedded systems didn’t have external exposure, security was more focused on physical intrusion. With IoT, customers have begun connecting devices using IP-based networking solutions to extract data more efficiently and use it to drive improvement in how systems operate, to improve their uptime, and to extend their product lifecycles. The availability of 5G will accelerate the proliferation of connected devices, creating a much bigger attack surface that will need to be monitored and defended, posing a significant increase in security risks. This will require customers to have rigorous, end-to-end system-level security strategies. In addition, we will see artificial intelligence (AI) based security solutions gaining traction to aid in finding and preventing malicious activity that threaten embedded systems.

RD-W: Enterprise users often view security as complex. How should they view this?

JD: I think people do perceive it as complex, and further, there tends to be a rather short-sighted view regarding security. Specifically, there is a tendency to focus on individual pieces of the system and ensure those individual pieces are secure, versus taking a comprehensive system view.

With such a wide variety of known security threat types and new ones emerging all the time, developers of IoT applications and devices can no longer rely on patchwork approaches to mitigate risk. They cannot continue using a piecemeal approach to security where one weak link in the chain can take the entire system down. They need to be thinking end-toend rather than one-by-one. A comprehensive approach to security must take into account not only the entire IoT system – from edge devices to the network and the cloud – but also the entire system lifecycle, from development to deployment through operation and even to end-of-life.

RD-W: What do you see as the main challenges for your customers regarding security over the next few years?

JD: IoT security breaches have brought to light the urgent imperative to protect devices and systems from external threats. Security of devices has to be a prime concern of IoT system developers and device manufacturers, and needs to be addressed at the design stage.

Building security into devices poses both technical and business challenges. How much security is enough? You can over-engineer anything to be more secure, but at what price? Are you willing to compromise device performance, significantly increase the bill of materials (BOM) cost, or elongate your development cycle – all to implement security measures that you may not be able to monetise. This dilemma poses the biggest challenge facing customers when it comes to security. In parallel, experience shows that attacks on devices typically exploit multiple points of vulnerability. Closing even a few of these gaps can mitigate the damage. Technology such as the security features in VxWorks allows customers to take a scalable approach to security, adding as much or as little as the device requires for its purposes, making it possible to control costs and deliver devices on schedule while reducing the risks of security breaches.

We can’t forget though about securing legacy software, which will also continue to be a challenge for our customers. To address this challenge, we enable customers to partition legacy software with capabilities like virtualisation and realtime processes found in VxWorks and Wind River Helix Virtualization Platform. This helps limit the attack surface of the device when major, externally facing functions are impacted. Partitioning is a great security implementation to
mitigate the entire system from being attacked.

RD-W: How would you sum up how Wind River is helping customers address security?

JD: Security is so fundamental to IoT system development that it requires a well thought-out, end-to-end strategy encompassing all aspects of a target systems operational cycle including power on, boot up, runtime, network connection, sleep, power down, and all stages of the systems lifecycle, from development to decommissioning. This is why our customers turn to us.

First, we follow a strict security development process from design to coding, testing and build to ensure we deliver solutions that are highly secure and reliable for critical infrastructure IoT systems.

Second, with built-in security capabilities, our products enable customers to implement comprehensive security that minimises attack surfaces end to end, from devices through communications networks and gateways to the cloud.

Third, our professional services team offers security assessments to help customers understand the confidentiality, integrity and availability considerations of their system architecture, as well as sets security policies and guides their security investments. In addition, we deliver a consultative process to determine the type and level of security appropriate for any project and help build in security from step one and for every stage of the process.

Lastly, knowing we have billions of devices deployed with our technology and that savvy attackers could find vulnerabilities in even the most secure systems, Wind River has in place a best-in-class security incident response process that our customers rely on us for. Our stringent release process includes aggressive testing, and our team actively works with the research community and monitors a variety of security sources. Following responsible disclosure, we proactively notify customers of potential vulnerabilities, offering resolution measures in advance of vulnerability disclosure. Our response process helps protect devices from cyberattacks even after product deployment.

In summary, what’s important to our customers is having vendors like Wind River with a long track record of developing, delivering and supporting secure development processes to ensure our products are developed as securely as possible, building in security capabilities across our product portfolio, providing security services and support, and responding immediately when new vulnerabilities are discovered.

https://www.windriver.com/

SPONSORED INTERVIEW

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Snow Software study uncovers the realities vs. the promises of cloud

Posted on: October 26, 2021

26 October, 2021 –Snow Software, the global provider of technology intelligence, unveiled findings from its most recent survey, based on the input from more than 500 IT leaders from organisations with over 500 employees in the United States and United Kingdom to determine the current state of cloud infrastructure.

Read more

CloudM announces Archive feature which save businesses time and money while meeting compliance demands

Posted on: October 26, 2021

CloudM, a SaaS data management platform, has announced the launch of Archive, a new feature which allows users to easily, automatically, and safely store and recover user data, helping businesses to remain compliant without facing the mounting user license fees associated with traditional archiving and ediscovery solutions.

Read more