The Pentagon with the Washington Monument and National Mall in the background. As the Department of Defense works on standards to dictate 5G rollout, security requirements may be too much for IoT manufacturers. (U.S. Air Force Photo by Senior Airman Perry Aston)
As public and private sector entities gradually march toward 5G, the financial burden of accumulating security standards could force some Internet of Things device manufacturers to walk away from highly regulated markets like defense.
Of course, many security hurdles for IoT device manufacturers are not specific to 5G. But the transition to the latest generation of mobile networking will likely result in specific standards for network integration, led by government but potentially adopted by private sector entities in the longer term.
“The issue is that smaller, faster, cheaper is not very compatible with secure,” said Keith Gremban, program manager within the Office of the Under Secretary of Defense for Research and Engineering, in an interview with SC Media. Gremban also participated in a panel on 5G standards in the Department of Defense, hosted by the D.C. chapter of AFCEA. “Picture a start-up trying to get a product out the door. They’ve got a [venture capital firm] looking over their shoulder, anxious for ROI. They’ve got the competition breathing down their necks. Are they going to delay product release by six months to make the product secure? Will the VC let them do that?”
The same holds true beyond IoT, he added, pointing to challenges in widespread adoption of a “secure” car, despite numerous incidents of automobiles being hacked.
Ultimately, IoT device manufacturers have a bevy of security requirements to address, particularly for those that plan to target the government market. The march to 5G creates a sense of urgency around those, while also introducing new demands among potential buyers.
“With IoT, we first need a way to do software updates, because if a vulnerability is discovered, you need to be able to push out updated non-vulnerable software. Second, you need a robust way to do secure enrollment on the devices so that there isn’t some default username and password that make it vulnerable,” said Charles Clancy, senior vice president and general manager at MITRE, during the panel. “If you can fix those two things, you’ve gone a long way toward addressing the rampant vulnerabilities that led to things like the Mirai botnet and the Dyn attack a couple years ago.”
Those legacy challenges already inspired federal legislation. The Internet of Things Cybersecurity Improvement Act of 2020, enacted Dec. 4, 2020, prohibits federal agencies from purchasing any IoT device that fails to meet minimum security standards, and directs the National Institute of Standards and Technology to develop, publish and update those standards and related guidelines.
But 5G considerations will go beyond certification against predefined security standards, Clancy added.
“Then you’ve got to figure out how to integrate the solutions into a much broader architecture around 5G that would provide the connectivity,” he said. “So, for example, if you’re enclaving off a bunch of IoT devices so that they are protected from the internet, you may also be protecting them from firmware updates. And how do you vet those firmware updates? There are all kinds of interesting challenges that will need to be sorted out.”
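The two baseline controls Clancy names (a signed software update path, and enrollment that never relies on a factory-default username and password), together with the firmware-vetting question his enclave example raises, are sketched below in Go. This is an added illustration, not code from the article or from any DoD or CISA pilot; the manifest layout, the factory-default credential list and the 12-character minimum are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// FirmwareManifest is a hypothetical update descriptor: the vendor signs
// Version||SHA-256(image) so the device can vet an update offline, i.e. inside
// an enclave that has no route to the internet but can receive a staged file.
type FirmwareManifest struct {
	Version uint32
	Digest  [32]byte
	Sig     []byte // ed25519 signature over manifestBytes(Version, Digest)
}

func manifestBytes(version uint32, digest [32]byte) []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], digest[:])
	return b
}

// SignFirmware runs on the vendor's build system, never on the device.
func SignFirmware(priv ed25519.PrivateKey, version uint32, image []byte) FirmwareManifest {
	d := sha256.Sum256(image)
	return FirmwareManifest{Version: version, Digest: d, Sig: ed25519.Sign(priv, manifestBytes(version, d))}
}

var (
	ErrBadSignature   = errors.New("firmware: manifest signature invalid")
	ErrRollback       = errors.New("firmware: version is not newer than installed")
	ErrDigestMismatch = errors.New("firmware: image does not match signed digest")
)

// VerifyUpdate is the device-side check. pub is the vendor public key provisioned
// at manufacture; installed is the version currently running. Signature is checked
// first so an unsigned manifest cannot influence the later checks, then rollback,
// then the image hash.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m FirmwareManifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigestMismatch
	}
	return nil
}

type cred struct{ user, pass string }

// factoryDefaults is a constructed list for the example; a real deny list would
// be far longer (the Mirai source carried dozens of such pairs).
var factoryDefaults = []cred{{"admin", "admin"}, {"root", "root"}, {"admin", "1234"}, {"admin", ""}}

// EnrollmentAllowed refuses to bring a device online on a known default pair or a
// short password. The 12-character floor is an assumption for this example.
func EnrollmentAllowed(user, pass string) bool {
	for _, d := range factoryDefaults {
		if d.user == user && d.pass == pass {
			return false
		}
	}
	return len(pass) >= 12
}

// ProvisionCredential generates a per-device random secret at enrollment so no
// two units share a credential and no unit ships with a printed default.
func ProvisionCredential() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := []byte("constructed firmware image v2")
	m := SignFirmware(priv, 2, img)
	fmt.Println("good update:", VerifyUpdate(pub, 1, m, img))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, m, img))
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, []byte("tampered")))
	fmt.Println("admin/admin allowed:", EnrollmentAllowed("admin", "admin"))
	c, _ := ProvisionCredential()
	fmt.Println("provisioned credential allowed:", EnrollmentAllowed("unit-0001", c))
}
```

The version field is the piece most often omitted: a valid signature alone lets an attacker replay an older, vulnerable image that the vendor once legitimately signed, which is exactly the update you pushed out "non-vulnerable software" to replace.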
The DoD, in partnership with the Cybersecurity and Infrastructure Security Agency, is exploring some of those IoT considerations within pilot projects currently underway, Gremban said.
“We’ve got a number of vendors working on different security approaches, zero trust architecture, PKI-as-a-service and so on, that we could use to try to take advantage of the capabilities that IoT offers, without opening up any vulnerabilities,” he said. “That’s going to be an interesting research area over the next couple of years for us.”
And yet, many IoT companies might not bother waiting. Combined, existing certification requirements and the need to comply with emerging 5G standards create a heavy economic burden, which could lead some to delay or even walk away from opportunities with government. Should those same standards trickle down to the private sector, as they often do, those companies could find their products less viable in the long term.
A key challenge will be “if you can solve the economics problem, because security costs something,” said Vincent Sritapan, section chief for CISA’s Cyber Quality Service Management Office. “In IoT, [manufacturers] want that low-cost sensor. We [within CISA] looked at it and said, ‘Well, you can just apply this security part.’ Well, that increases [cost] by X cents. When you talk about IoT and millions, billions or trillions of endpoints that may exist, that does equate to bottom-line dollars.”
“For industry, it is that balance in trying to make that work,” Sritapan added. “The cost barrier is a challenge.”
Indeed, Gremban pointed to start-ups that see the time required for compliance with additional security standards as impeding their ability to gain traction in an increasingly crowded space.
“It’s a real tough play for a small company especially,” he said. “DoD is such a tiny part of the market that most manufacturers won’t even think about them. I do wish that we could do something to make security a mindset among the entire development community, though.”