As public and private sector entities gradually march toward 5G, the financial burden of piling security standards could force some Internet of Things device manufacturers to walk away from highly regulated markets like defense.
Of course, many security hurdles for IoT device manufacturers are not specific to 5G. But the transition to the latest protocol will likely result in specific standards for network integration, led by government, but potentially adopted by private sector entities in the longer term.
"The issue is that smaller, faster, cheaper is not very compatible with secure," said Keith Gremban, program manager within the Office of the Under Secretary of Defense for Research and Engineering, in an interview with SC Media. Gremban also participated in a panel on 5G standards in the Department of Defense, hosted by the D.C. chapter of AFCEA. "Picture a start-up trying to get a product out the door. They've got a [venture capital firm] looking over their shoulder, anxious for ROI. They've got the competition breathing down their necks. Are they going to delay product release by six months to make the product secure? Will the VC let them do that?"
The same holds true beyond IoT, he added, pointing to challenges in widespread adoption of a "secure" car, despite numerous incidents of automobiles being hacked.
Ultimately, IoT device manufacturers have a bevy of security requirements to address, particularly for those that plan to target the government market. The march to 5G creates a sense of urgency around those, while also introducing new demands among potential buyers.
“With IoT, we first need a way to do software updates, because if a vulnerability is discovered, you need to be able to push out updated non-vulnerable software. Second, you need a robust way to do secure enrollment on the devices so that there isn't some default username and password that make it vulnerable,” said Charles Clancy, senior vice president and general manager at Mitre, during the panel. “If you can fix those two things, you’ve gone a long way toward addressing the rampant vulnerabilities that led to things like the Mirai botnet and the Dyn attack a couple years ago.”
Those legacy challenges already inspired federal legislation. The Internet of Things Cybersecurity Improvement Act of 2020, which was enacted Dec. 4, 2020, prohibits federal agencies from purchasing any IoT device that fails to meet minimum security standards, and mandates the National Institute of Standards and Technology to develop, publish and update security standards and other related guidelines.
But 5G considerations will go beyond certification against predefined security standards, Clancy added.
“Then you've got to figure out how to integrate the solutions into a much broader architecture around 5G that would provide the connectivity,” he said. “So, for example, if you're enclaving off a bunch of IoT devices so that they are protected from the internet, you may also be protecting them from firmware updates. And how do you vet those firmware updates? There are all kinds of interesting challenges that will need to be sorted out.”
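As an added illustration of the two points raised above, the ability to push updates and the need to vet them before they are applied, the following Python sketches a device-side firmware update check. It is example code written for this page, not code from the article, Mitre or any of the speakers. The manifest format, the key, the version numbers and the image bytes are all constructed for the demonstration, and a shared-secret HMAC (available in the standard library) stands in for the asymmetric vendor signature a real product would verify; the shape of the check, authenticate the manifest, confirm the image hash, refuse rollbacks, is the same either way.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed example: a device-side check that an incoming firmware update is
# authentic, intact and not a rollback, run before the image is applied.
# Key, manifest fields and version numbers below are made up for illustration.

# Hypothetical per-device update key provisioned at secure enrollment.
# Real deployments verify an asymmetric signature from the vendor's signing
# key instead of a shared-secret MAC; the structure of the check is the same.
DEVICE_UPDATE_KEY = b"constructed-demo-key-not-for-real-use"

# Version currently running on the device (the anti-rollback floor).
INSTALLED_VERSION = 3


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Return a hex HMAC-SHA256 over the canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(version: int, image: bytes, key: bytes = DEVICE_UPDATE_KEY):
    """Vendor side (constructed helper): produce a manifest and its tag for an image."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def vet_update(manifest: dict, tag: str, image: bytes,
               key: bytes = DEVICE_UPDATE_KEY,
               installed_version: int = INSTALLED_VERSION) -> Tuple[bool, str]:
    """Decide whether an update may be applied.

    Checks, in order:
      1. the manifest's authentication tag verifies (constant-time compare);
      2. the image hash matches the hash committed to in the manifest;
      3. the version is strictly newer than the installed one (no rollback).
    Returns (accepted, reason).
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):
        return False, "manifest authentication failed"
    digest = hashlib.sha256(image).hexdigest()
    if digest != manifest.get("sha256"):
        return False, "image hash does not match manifest"
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, f"version {version!r} is not newer than installed {installed_version}"
    return True, "update accepted"


if __name__ == "__main__":
    good_image = b"constructed firmware image v4"
    manifest, tag = build_update(4, good_image)
    print(vet_update(manifest, tag, good_image))               # accepted
    print(vet_update(manifest, tag, b"tampered image"))        # hash mismatch
    old_manifest, old_tag = build_update(2, b"old image v2")
    print(vet_update(old_manifest, old_tag, b"old image v2"))  # rollback rejected
    forged = dict(manifest, version=5)
    print(vet_update(forged, tag, good_image))                 # tag fails
```

The order of the checks matters: the authentication tag is verified first, so an unauthenticated manifest never gets to influence which hash or version the device compares against, and the version comparison is strict so that a genuine but older signed image cannot be replayed to reinstate a known vulnerability.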
In comments provided to SC Media after the panel, Clancy pointed to a notable pivot from consumer IoT (CIoT) to industrial IoT (IIoT). He also expressed optimism if standards efforts succeed in three areas: development of security frameworks and best practices for 5G network slices supporting critical infrastructure industries (for example, the Transportation Department should develop frameworks for connected cars and drones operating over 5G); establishment of security requirements for IIoT devices and a test and evaluation regime to certify such devices, which is already underway; and better scrutiny of the M2M protocols and their security.
In terms of the latter, Clancy said "the underlying standards all support the needed security, but there are plenty of ways to mess up the implementation."
"I really don’t see any of this as a damper for the IIoT market or supporting vendors," he added. "5G is new, so we’ll need new IoT devices to connect to 5G, and if we can get the standards set early enough in the process, security can be baked into these new devices as they’re built and deployed."
The DoD, in partnership with the Cybersecurity and Infrastructure Security Agency, is exploring some of those IoT considerations within pilot projects currently underway, Gremban said.
“We’ve got a number of vendors working on different security approaches, zero trust architecture, PKI-as-a-service and so on, that we could use to try to take advantage of the capabilities that IoT offers, without opening up any vulnerabilities,” he said. “That's going to be an interesting research area over the next couple of years for us."
And yet, many IoT companies might not bother waiting. Combined, existing certification requirements and the need to comply with emerging 5G standards create a heavy economic burden, which could lead some to delay or even walk away from opportunities with government. Should those same standards trickle down to the private sector, as they often do, those companies could find their products less viable in the long term.
A key challenge will be “if you can solve the economics problem, because security costs something,” said Vincent Sritapan, section chief for CISA's Cyber Quality Service Management Office. “In IoT, [manufacturers] want that low-cost sensor. We [within CISA] looked at it and said, ‘Well, you can just apply this security part.’ Well, that increases [cost] by X cents. When you talk about IoT and millions, billions or trillions of endpoints that may exist, that does equate to bottom-line dollars.”
“For industry, it is that balance in trying to make that work,” Sritapan added. “The cost barrier is a challenge.”
Indeed, Gremban pointed to start-ups that see the time required for compliance with additional security standards as impeding their ability to gain traction in an increasingly crowded space.
“It’s a real tough play for a small company especially," he said. "DoD is such a tiny part of the market that most manufacturers won't even think about them. I do wish that we could do something to make security a mindset among the entire development community, though."