Cybercrime, including malicious attacks from hacker groups, is taking center stage as industries from healthcare systems to car dealerships face steep consequences from these incidents almost daily. Costs related to a February ransomware attack on UnitedHealth Group are expected to reach at least $2.3 billion, while a cyberattack on Ascension, a large U.S. healthcare and hospital system, disrupted patient care at their facilities. Meanwhile, the cost of cyberattacks on the global economy is predicted to top $10.5 trillion by the end of this year, according to a report from IBM.
However, concerns over cyberattacks aren’t limited to industry and corporate technology systems. Additional cybersecurity concerns are rising over the explosion of connected Internet of Things (IoT) devices, resulting in global mandates and regulations. Recent developments including the UK’s PSTI Act, the Cyberresilency Act in the EU, and the U.S. Cyber Trust label program, are all focused largely on protecting devices. The landscape of devices has changed rapidly in recent years and the volume of devices has exponentially increased the risk of threats. According to a report in Dark Reading, while IT endpoints tend to be most at risk from cyberattacks, some IoT devices have significant vulnerabilities.
Taking proactive steps to protect devices is important for organizations, but building cybersecurity practices around software design and integration on interconnected devices is also critical.
IoT vulnerabilities linked to software
Some of the vulnerabilities common in IoT devices involve the use of open source software (OSS) as these devices connect to the internet and other devices. OSS is widely leveraged for its low cost, flexibility, accessibility and ease of use. But there are also security challenges that arise with the widespread use of OSS, including code vulnerabilities, as well as the use of default passwords. Software attacks linked to OSS continue to escalate, as hackers will exploit any vulnerability.
“Open source code is used everywhere in commercial systems,” according to a report in NextGov. “The 2024 Open Source Security and Risk Analysis Report from Synopsys found open source components in more than 96% of over 1,000 commercial codebases, with 84% containing at least one known vulnerability,” the report noted.
Some software security best practices for IoT devices and global integration
Software companies and manufacturers are increasingly taking steps to try to reduce the risk of their products by adopting Secure by Design principles, as recommended by the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
According to CISA, “during the design phase of a product’s development lifecycle, companies should implement Secure by Design principles to significantly decrease the number of exploitable flaws before introducing them to the market for widespread use or consumption.” Additional security features recommended for out-of-the-box products include offering multi-factor authentication (MFA), logging, and single sign-on (SSO) at no extra cost.
There are additional development and integration security approaches related to Secure by Design principles that become part of the process. These include:
DevSecOps
Short for development, security, and operations, DevSecOps is an approach to software development that integrates security practices throughout the entire software development lifecycle.
The DevSecOps approach means that security practices are “baked in” or integrated into every state of the software development process. This includes incorporating automatic testing tools into the continuous integration/continuous deployment (CI/CD) pipeline. This is also related to the concept of shift left, which involves fixing vulnerabilities in the software development process, using different approaches and tools.
DevSecOps should be implemented in the manufacturing process of IoT software.
API security
API security is vital to IoT device security as APIs make the interconnectivity between devices and various systems possible by providing the interfaces between devices and back-end systems.
Different types of APIs are involved with connecting and making IoT devices work together, which means sending information between networks and devices. However, Representational State Transfer (REST) APIs are typically used for mobile app development and IoT.
APIs are a frequent target of cyberattackers because of the data they commonly access including Personally Identifiable Information (PII), financial data or health care information, which are all enticing to hackers and other malicious actors.
An API security strategy is essential for not only software companies but any organization employing APIs. Best practices for resolving API security challenges include encryption with the latest TLS protocol, employing Zero Trust, requiring multi-factor authentication and using credentials, security keys and certificates.
Secure platform integrations
Using an integration platform to manage and integrate SaaS applications securely is also critical to reducing vulnerabilities of business IoT devices. An integration platform should provide built-in security features such as true end-to-end encryption, authentication, and other safeguards to protect privacy and data, and prevent unauthorized access to systems.