Tag Archive for: data security

“Security is the biggest issue holding back the broader development and deployment of IoT devices,” said Haydn Povey, founder and CEO of Secure Thingz, in his keynote at Embedded Conference Scandinavia (ECS) 2018.

The Internet of Things (IoT) promises a flood of amazing new products, including autonomous cars, networked medical devices, home automation and new devices in industrial applications. But data breaches affect millions annually, and there is real fear that hacked devices could be used for surveillance, fraud or even weaponization. Unless customers trust in the security of these devices, adoption will stall.

Make Security a First-Class Citizen During Development

Too often with IoT devices, security is an afterthought; sometimes it even gets scrapped due to time and resource constraints. But organizations cannot provide reliable security after the fact. Security must be addressed from day one, by both product development and leadership.

Consider architecture: There are many chipsets available that provide a security architecture for embedded devices, but less than 4% of new devices in 2018 include embedded security. The explanation for this oversight is obvious: Development begins without security in mind, leading to an architecture that omits it. And it’s not feasible to change the underlying architecture of a product after release to account for security.

Most importantly, security is everyone’s job. It’s a management topic that should manifest on all levels in the form of policies and guidelines.

The Argument for Security in IoT Devices

Security is often seen as a cost, but if you understand it correctly, you can turn it into a value proposition or a competitive advantage that customers are willing to pay a premium for. For instance:

  • Today’s customers are increasingly concerned with security and privacy. Companies like Apple can charge a premium because they address these concerns.
  • Insufficient security can lead to counterfeiting.
  • Good security increases brand value and decreases the risk of brand erosion.
  • Security is required by law, and failure to comply can result in heavy fines.

Security as an Integral Part of Product Development

Once you recognize the importance of security, it’s logical to make it an integral part of your product development process. This means, amongst other things:

  • Security is part of the stakeholder needs and therefore must be part of the core requirements. This also applies to regulatory requirements, such as those derived from legislation like GDPR.
  • Make sure your architecture fits your security requirements, since architecture is one of the most difficult (and expensive) things to change after the fact.
  • Ensure your security requirements are tested. You achieve this by maintaining correct end-to-end traceability from requirements to test results.
  • Collaborate on all levels. If you want to prevent security from being patched on an ad-hoc basis, make sure that all teams communicate properly. For instance, an engineer might be tempted to write custom code to detect a Denial of Service (DoS) attack, but this might be addressed more efficiently on the architecture level.
  • Implement a product line strategy and perform systematic reuse. Security extends to the complete lifecycle of products, so you must be prepared to provide security updates for years to come. Also, reuse allows teams to use previously tested elements, improve quality and accelerate development.

Embracing security today provides more than just a competitive advantage – it may be crucial for survival. While a product development platform alone is not enough to address security, it’s ideal for implementing the policies and frameworks established by management.

To better understand how Jama Software can help you ensure security throughout the product development process, visit us at Embedded World 2019.

With the rising amount of connected devices in circulation, the number of potential targets for hackers and other cyber criminals to exploit continues to rise. Among the most common targets for attack: medical devices.

A survey released in October of 148 healthcare IT and security executives, conducted by Klas Research and the College of Healthcare Information Management Executives (CHIME), showed that an astonishing 18% of provider organizations had medical devices impacted by malware or ransomware in the last 18 months.

Medical devices were defined in the report as “biomedical devices used by healthcare-delivery organizations in the pursuit of patient care.”

The report also stated that only 39% of the respondents were “very confident or confident that their current strategy protects patient safety and prevents disruptions in care.”

Although organizations are making gains in developing and maturing their overall security programs, the report says, progress has been slow. This is particularly true when it comes to securing medical devices, the study shows. Unsurprisingly, respondents cited patient safety as their top concern with unsecured medical devices.

“Unsecured and poorly secured medical devices put patients at risk of harm if those devices are hacked,” said Russell Branzell, president and CEO of CHIME, in a press release about the report. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”

Adam Gale, president of Klas, also weighed in on the findings: “Safeguarding medical devices requires a joint effort by provider organizations and device manufacturers. Many providers have the basic building blocks for a general security program in place and are making progress.”

A large majority of the survey respondents (96%) identified manufacturer-related factors as a root cause of medical device security issues. The majority of respondents also reported struggles related to out-of-date operating systems or the inability to patch devices, which have been found to be major security risks. The study also discovered that, on average, one third of medical device manufacturers have said their devices cannot be patched.

“Medical device security is a three-way relationship between provider organizations, the manufacturers, and the regulators,” said Dan Czech, director of market analysis-cybersecurity at Klas, in the announcement about the findings.

Provider organizations can follow industry-accepted best practices such as network segmentation, Czech said. “Manufacturers can include security in the design of all products going forward and can consistently patch currently offered medical devices,” he said. “Regulators can provide incentives and disincentives for manufacturers and organizations to secure their devices and can offer the needed guidance to direct the healthcare industry.”

The threats against medical devices have become such a concern that two U.S. federal agencies recently announced a new initiative to address vulnerabilities. In October 2018, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in medical devices.

“As innovation in medical devices advances and more of them are connected to hospital networks or to other devices, making sure the devices are adequately protected against intrusions is paramount to protecting patients,” said Scott Gottlieb, FDA commissioner, in the memorandum announcement.

The partnership between the two agencies will enable them to share information about the constantly evolving threats against medical devices and help organizations in the healthcare industry proactively respond when vulnerabilities are identified.

This isn’t the first time the two agencies have collaborated on medical device security. In recent years they have been focused on the coordination of vulnerability disclosures. The partnership allows device manufacturers to receive technical information from cybersecurity researchers regarding identified vulnerabilities in their products so they can respond to potential threats in a timely way.

During medical device development, gaps and oversights introduce a variety of risks. Learn how medical device companies can identify and reduce risk during the development process, allowing more time for transformative innovation, with the Jama Connect Risk Management Center.

Author Bob Violino is a freelance writer who covers a variety of technology and business topics.

Just because a device is smart doesn’t mean it’s safe. That’s the October message from the FBI about connected products, such as home automation and security systems, medical devices, and wearables.

In its recent statement, the FBI expressed concern about the vulnerability of unsecured Internet of Things (IoT) devices, which criminals could compromise to launch attacks on other systems, steal personal information, jeopardize physical safety and more.

The FBI didn’t mention any imminent attacks, but experts are paying serious attention to a powerful strain of IoT attack malware, dubbed “Reaper” and “IoTroop,” that may have already infected a million organizations, according to KrebsOnSecurity.

And while there are a variety of preventative measures consumers can take, such as frequently changing passwords and installing patches, the burden of ensuring hackers don’t gain access to unsecured connected devices can’t totally fall on the public. Improved security is also the responsibility of companies creating smart devices, and many are being called on to step up their game.

Designing Better IoT Security

The US Food & Drug Administration (FDA), for example, says it’s examining security gaps and safety risks in connected medical devices, reports HealthcareITNews. As part of its efforts, the FDA has created a risk management program utilizing resources from the National Institute of Standards and Technology (NIST), and is also instructing companies to focus on security during the product design process.

Whereas industries like healthcare must adhere to government-mandated regulations, consumer electronics — which is producing a huge portion of connected devices — does not.

That’s likely one of the reasons British chip-making company Arm just unveiled its Platform Security Architecture (PSA), which has support from companies like Google, Sprint, and Cisco. Arm’s PSA is a new, open-source architecture system designed to act as a common development framework that companies can work from to ensure their IoT products are safer.

As described by MIT Technology Review, think of PSA as a “set of free, open-source documents and code that define how a device’s software and firmware should be designed to make it secure—a kind of checklist and corresponding set of tools that should, in theory, help device makers build wares that are harder to hack.” At the moment, Arm has released the first draft of PSA specifications for its partners, with a wider, public release targeted for early 2018.

Moving Faster on IoT Development

Now, one of the biggest challenges is getting IoT product companies to take threats more seriously, and begin incorporating stronger security measures into their design.

In the recent Harvard Business Review Analytic Services report, “Bridging The Gap In Digital Product Design,” for example, just 24% of companies creating smart products said managing and securing large amounts of personal data gathered from connected devices is a major challenge.

That number was surprisingly low according to one expert quoted in the report, Hans Brechbühl of Tuck’s Center for Digital Strategies, who says it could mean that many companies don’t understand how big the issue is. “If your product or service gathers a lot of data, you’d better be ready to handle it,” Brechbühl says within the report.

If companies creating IoT products are looking for immediate ideas on how to begin remedying security gaps during development, there are certainly places to start. Better requirements management ensures products do what they’re designed to do, and decreases the number of defects or vulnerabilities in the final release. Improving collaboration between development teams, specifically hardware and software, will also go a long way toward averting inadvertent security blind spots.

For more insights on how product companies can tackle security of smart devices, check out our blog post, “One of the Biggest Security Problems Smart Product Developers Are Missing,” and the report, “Bridging The Gap In Digital Product Design.”

As part of an ongoing series, we’re looking at insights and trends uncovered within the Harvard Business Review Analytic Services study, “Bridging The Gap In Digital Product Design.”

If the TV network that brought fire-spitting, flying dragons to life can get hacked, so can your product. For companies, that should be one of the takeaways from the recent headlines about the data hack of HBO, which has resulted in confidential leaks from hit shows like “Game of Thrones.”

One would think that with all the previous high-profile data thefts from entertainment industry goliaths, such as Sony and Netflix, other businesses dealing with sensitive customer information would take the threat more seriously.

In the case of organizations building connected products, that’s not nearly the case, according to the recent Harvard Business Review Analytic Services report, “Bridging The Gap In Digital Product Design.”

In fact, less than a quarter (24%) of companies building smart products today say managing and securing the large amounts of customer data being gathered from sensors is a big challenge, according to the report. That means more than three-quarters of businesses creating connected devices may not be taking the risks of data management seriously.

“Consumers are right to be fearful of their privacy and whether or not companies are protecting their data,” says Jama Software’s Director of Security & IT, Philip Jenkins. “A lot of companies haven’t totally thought it through, and the capability isn’t always backed with strategy or intention.”

Creating A Plan

Aside from keeping up with the marketplace, one of the main benefits of developing connected products is having the ability to monitor how consumers are interacting with your creation in real time. Businesses can then analyze that data and make more targeted improvements for future product iterations.

If a company plans on collecting data through its smart product, one of the first steps should be devising a plan for doing so. Deciding what information to gather, where it will be stored, and how it will be secured are all topics that should be explored as part of this process.

Otherwise, indiscriminately collecting customer information and letting it sit somewhere like a database creates a liability for both your customers and business. After all, an amassed trove of consumer information is gold to hackers. They could turn around and sell it to a competitor, charge a ransom for its return, or just dump it onto the internet resulting in a public relations nightmare.

For businesses creating smart products, particularly those new to the process, all it takes is one security blind spot to open yourself up to a breach. And, given the complexities of today’s products and speed at which technology is progressing, no company dealing with user data is completely immune right now.

Consider, for instance, that the wildly popular photo-sharing service, Instagram, which is owned by Facebook, recently discovered a bug in its API that allowed hackers to access contact information for millions of accounts, according to The Verge, allegedly including celebrity users like Beyoncé, Taylor Swift, and Selena Gomez.

Update: The recent cyberattack on Equifax, one of the nation’s largest consumer credit reporting agencies, in which hackers exploited a weakness in website software and gained access to the personal information of 143 million Americans, is another unfortunate example.

Threats to data security not only include team members, processes, products, and other facets of your organization, but also any third parties you’re entrusting with critical information. The Netflix hack, for example, occurred after someone had been scanning the web for computers running outdated versions of Windows software, and discovered one at a partner production company of the streaming giant, reported Variety.

Since it’s still pretty early in the onset of connected products, how companies gathering data are tackling these issues is very much being worked out in real time.

Lessons from the Auto Industry

Sometimes, the risk of a security breach can extend well beyond data. The automobile industry, for instance, has been a leader in integrating connected software into new vehicles, but not without some serious speed bumps.

In 2015, Fiat Chrysler Automobiles (FCA) recalled 1.4 million vehicles due to a software vulnerability that allowed hackers to wirelessly break into automobiles and remotely control them, according to Computerworld. For its part, Fiat Chrysler issued a software patch to fix the hole, but it had to be downloaded to a USB drive, then plugged into a vehicle and uploaded.

An alternative solution for smart vehicle security looks to be software over-the-air (OTA) upgrades — which happen wirelessly, much like smart phone software updates. Several smart car automakers are moving to this option to save recall costs and reduce security risks, but it’s not without its issues either, such as the loss of revenue to car dealerships over repairs or customers voluntarily opting out of software upgrades in general. And, as the demand for technology like autonomous driving expands in the auto industry, cybersecurity issues will only play a bigger role.

Getting a Handle on Data Security

Smart vehicles aside, OTA upgrades can also be deployed to the firmware or software of other connected devices, resulting in benefits like a standardized upgrade process across products and faster time-to-market updates. Still, there needs to be a quick, easy, and secure way to run OTA upgrades, and businesses are still working on that process.

Another thing companies can do to get out in front of smart product security concerns is have their hardware and software engineers work closer together. Integrating hardware and software teams creates a better chance that the connected products being built are safer and more secure.

And if there’s even one positive thing to come out of a hack of a well-known industry leader like HBO or Instagram, it’s serving as an alarm to other businesses. Unfortunately, in many cases, the organizations most concerned with these threats are the ones that have already dealt with the consequences.

Get a deeper look into the security issues companies developing connected products are facing, as well as the advice offered from leading industry experts, with our report, “Bridging The Gap In Digital Product Design.” The report also features insights from nearly 300 innovators from a variety of industries, including manufacturing, technology, healthcare, financial services, and more. 

Bridging the Gap in Digital Product Design

Digital technologies are converging with traditional products at dizzying speeds. This fast-paced, integrated evolution is changing product development, and many companies are struggling to retain their footing.

Despite the shifting landscape, one thing remains clear: an excellent product requires a solid development process. Helping companies improve product development is at the heart of what Jama Software does, but we know this complex practice extends far beyond our platform.

To get a better feel for the methodologies and pain-points teams are facing creating connected products, we sponsored a Harvard Business Review Analytic Services study. The resulting report, “Bridging The Gap In Digital Product Design,” features insights from nearly 300 innovators from a variety of industries, including manufacturing, technology, healthcare, financial services, and more.

What We Discovered

While we knew connected products were becoming more prevalent in our everyday lives, that trend has only just begun. A full 86% of organizations in our study have either applied digital technologies to their existing products or services, or are in the process of doing so.

Figure: 86% of business and IT leaders are developing smart products or planning to.

For many businesses, adding software to their physical products is already a challenging proposition. It’s compounded by stress from new competitors threatening disruption. To maintain an edge in this new reality, companies are being forced to act fast, and that’s placing significant strain on the development process.

In fact, 80% of those implementing digital technologies say they feel either somewhat or significantly added time-to-market pressure for products and services. And an even greater majority (89%) expect that pressure to grow in the future. According to the report, some of the other big challenges businesses are facing with this transformation include ensuring new smart products work within the ecosystem of other connected devices, the clashing of traditional and digital product design, and trouble staffing and training the right employees.

Figure: 89% of business and IT leaders expect somewhat or significant increases in time-to-market pressure from implementing digital technologies.

When implementing any new process, there are bound to be some unforeseen obstacles along the way. For instance, just 24% of respondents in the report identified the need to manage and secure customer data as a major challenge. The problem is many organizations may be underestimating this responsibility, according to Hans Brechbühl, executive director of the Glassmeyer/McNamee Center for Digital Strategies at the Tuck School of Business at Dartmouth, who was interviewed for the report. That’s because while the constant flow of usage data can be advantageous for informing future product iterations, companies inexperienced in managing this information may not realize the evident risks.

What’s Next

There are so many valuable insights and trends within “Bridging The Gap In Digital Product Design” that it’s more than will fit into a single post. That’s why we’ll be diving deeper into some of the themes and findings in the coming weeks with a dedicated blog series, featuring observations from Jama Software experts.

And let me know any feedback or questions in the comments below. With so many major industries refreshing product offerings with connected devices, the conversation about the best methodologies for improving and maintaining this process is just getting underway.