Security is not a design requirement despite industry, government warnings
Manufacturers are going out of their way to come up with the most innovative, fanciest gadgets to satisfy consumers’ dreams, so why haven’t they joined the security trend to develop devices that are safe to use and won’t cause havoc?
The US Department of Homeland Security has stepped up, announcing guidelines for manufacturers to produce better, more secure internet of things devices, but no one seems to follow through and comply with safety standards.
IoT technology is “a full-blown phenomenon,” DHS Assistant Secretary for Cyber Policy Rob Silvers says, and all “government industries, consumers need to get serious about reasonable security being built into IoT devices […] before we’ve deployed an entire ecosystem.”
If it’s so important to introduce security in system architecture and early design stages, why is it not a design requirement for 22 percent of embedded systems engineers?
Life depends on safety-critical programs; if they are flawed or don’t run properly, the bugs could lead to injury or death. Almost 28 percent of respondents in a Barr Group study of embedded systems designers confessed that the devices they are working on could lead to injury or death. Half of the products in question, for example medical devices and transportation control systems, need to be connected to the internet full time or part time.
Furthermore, 19 percent of respondents said they don’t follow coding standards, 36 percent don’t use static analysis tools and as many as 42 percent seldom or never run code reviews.
“This is dangerously inadequate planning that puts all of us at greater risk,” said Michael Barr, CTO of the Barr Group.