Still not a week goes by without a glaring example of poor operational security in the IoT world, and while on the one hand this is a terrible state of affairs, on the other it is a big market opportunity for security service providers like Arxan. We spoke to Rusty Carter, VP Product Management, to recap 2018 and get a view of the year ahead.
Carter said that the last year has significantly changed the threat landscape and security environment, and that industry and government are becoming aware of the problem. He noted that while the new California legislation was good to see, it was absolutely not enough, although it does establish a baseline requirement that could be built on. More fundamentally, Carter said, legislation is bringing the problem into focus.
In some industries, Carter says legislation is necessary, as they are so far behind. He notes that they would probably prefer a wake-up call via the law, rather than through human casualties, or the resulting lawsuits. Carter says that the research community has started to sway opinions, especially in the automotive space. Collectively, he sees more research and vulnerability publicity.
Notably, Carter sees more reaction from the consumer side too, and that their interest is changing. To this end, consumers might end up being the driving force behind widescale change, as they vote with their wallets. For big purchases, the competition between the marques should ensure that they at least put security as a competitive priority, but that dynamic doesn’t yet apply for the cheapest purchases, which are likely going to be the least secure devices that a consumer would buy – thanks to cut corners in the race to the bottom.
Arxan has seen lots more automotive business in the past year, according to Carter, who said it was somewhat exponential. The automakers are now adopting security by design, but lots are still apparently in the learning phase – discovering what their particular vulnerabilities are. Carter is seeing some rapid adoption in that space, with lead-times often in the 12-18-month range, but some ready for the 2020 models that are only 9 months away.
Carter said that the largest automakers’ tendency to be so methodical should serve them well in the long run. However, that industry is still in flux regarding the threat capabilities. We queried whether those capabilities were more along the lines of the infamous Jeep hack, or more a case of skimming credit card details from IVI systems. Carter says definitely the latter.
Similarly, the business model for selling Arxan’s cybersecurity services to the automakers is still evolving. There is no one-size-fits-all approach, with Carter saying that it depends on the business or brand. Some are much more sensitive to protecting the brand, and so the typical spend can vary wildly – from just a data center offering to the 8-figure range.
To this end, Arxan keeps a flexible set of options for the automakers to use. This accommodates per-vehicle fees, per-model licenses, or annual fees, and can also include retrofit services for protecting older models. Typically, pricing is modeled on a cost-per-vehicle basis.
We asked which markets were currently well served by cybersecurity providers like Arxan, and Carter said that automakers and medical device makers were furthest along. This is due to the nature of regulation in their industries and to brand protection concerns, as well as the tendency for there to be more collaboration between competitors – as connected cars are going to sink or swim as a whole, according to Carter.
By contrast, Carter thinks utilities and transport are not well served, nor are consumer goods. This is owing to the different kinds of threats and attack vectors, which in transport and utilities are more on the ransomware and terror side of things, while consumer attacks are more about fraud and invasions of privacy.
In Carter’s view, many are repeating the mistakes of the past, increasing their attack surfaces without understanding the increased complexity of a newly connected system – and the consequent issues of protecting it. Because of this, there are two ways this could go, according to Carter – that the industry will catch up before there’s a significant problem, or that they are blindsided by something very serious, such as a nation-state attack.
Carter sounds optimistic, and stresses that global politics and the threat of major cyber attacks means that industry should catch up. In tandem, consumers are now starting to take privacy and security seriously, voting with their wallets, which will go some way to turning around industry attitudes.
We asked what keeps Carter up at night, in the cybersecurity world. He noted that this was a good question, and that there were a lot of possible answers, and that he thinks the automotive and medical types need to adopt comprehensive security offerings faster. He notes that the biggest threats come from financial theft and device ransomware, but also pointed to the dangers of things like drones, in the wake of the recent Gatwick debacle.
Another trend that Carter anticipates is the translation of web attacks to the devices themselves. Rather than just attacking the systems with which these devices interface, he believes that we are going to see a lot more direct attacks on web-connected things. This seems quite timely, given the somewhat high-profile hack of a Nest device, which began blaring warnings of an imminent North Korean nuclear attack on the USA.