Five myths about Cybersecurity in the IoT - and what's really behind them

Monday, August 11, 2025

Whether smart machines, networked production lines or automated processes: the increasing digitalization of industrial applications is leading to a rapidly growing number of networked IoT devices. As the complexity of these infrastructures grows, so do the demands on cyber security, and in times of NIS-2 and the Cyber Resilience Act (CRA) there is an acute need for action in many sectors. Despite this, numerous myths about IoT security persist. So it is time for a realistic assessment - and for a partner who takes a holistic approach to real security.

Myth 1: “We have a Trusted Platform Module - that's why it's safe”

For many years, it was enough to point to a Trusted Platform Module (TPM), regardless of how it was actually used, to satisfy the security question. Successful attacks have shown that this is not enough, and the perspective has changed. Security is rooted in the hardware, which verifies the initial code at system startup; each subsequent software component then verifies the next, so that the chain of trust is continued all the way up the stack.

Myth 2: “We can update in 24 hours - everything is safe”

Installing updates is the common and first measure. Techniques such as DevOps and automation make it possible to produce updates quickly. However, it is highly questionable whether those updates will reach the devices in time: 1-50% of all IoT solutions are not permanently online, and it often takes 1-2 months until the next service technician visits them. This is why concepts such as "layered defense" matter, so that even in the event of a root exploit, for example, no further damage occurs and the device can be restored to a secure state with the next update.

Myth 3: “We use Docker - it's safe”

At the height of the IoT hype, complete solutions that were really intended for data centers were also brought into the field. Docker is a good example. The hope was that it would provide abstraction and rapid interchangeability. In practice, it quickly became clear that this was not easy to achieve, because local interfaces could not be abstracted away. The consequence was that the underlying platform had to be customized and Docker containers usually ran in privileged mode, which made them a target for attack. Likewise, not only the host system had to be maintained, but also the base system inside each Docker container. To arrive at a scalable solution, it is necessary to reduce the complexity or to implement the functionality natively, which also reduces the cost of the required IoT hardware.
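As an added illustration of the privileged-mode point above (not Kontron's or any product's configuration), the following hypothetical Docker Compose fragment shows an edge service as it is often deployed beside a hardened version that exposes only the one host device it needs; the image name, device path and port are placeholders.

```yaml
# Added example, not from the original article: same hypothetical edge service
# deployed two ways. Image name, device path and port are placeholders.
services:
  gateway-weak:
    image: example/edge-gateway:1.0
    privileged: true                 # all capabilities, all host devices
    network_mode: host               # no network namespace isolation
    volumes:
      - /:/host                      # entire host filesystem mounted in

  gateway-hardened:
    image: example/edge-gateway:1.0
    user: "1000:1000"                # unprivileged user inside the container
    read_only: true                  # immutable root filesystem
    tmpfs:
      - /tmp                         # the only writable location
    cap_drop:
      - ALL                          # start from zero capabilities
    cap_add:
      - NET_BIND_SERVICE             # only if a port below 1024 is needed
    security_opt:
      - no-new-privileges:true       # setuid binaries cannot escalate
    devices:
      - /dev/ttyUSB0:/dev/ttyUSB0    # expose just the one field-bus adapter
    ports:
      - "8443:8443"                  # publish one port instead of host networking
    pids_limit: 100                  # bound fork bombs and runaway processes
    restart: unless-stopped
```

The hardened variant still has to be rebuilt and redeployed whenever its base image needs patching, which is the maintenance burden the paragraph above describes.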

Myth 4: “Meeting the new standards is expensive”

Many of our partners are unsure how to deal with the CRA and what it means for them. The new Radio Equipment Directive (RED) with its addendum, EN 18031, offers a foretaste. The positive aspect is that the standards are harmonized, so some of the requirements are exactly the same. Kontron sees itself here as a platform provider that supplies not only a piece of hardware, but the entire underlying platform for the customer application. This means that the majority of the requirements can be covered by products such as KontronOS or KontronAIShield, and the customer application only needs minimal adaptation. Requirements such as device-specific passwords, DDoS prevention and updates/maintenance are already fulfilled.

Myth 5: “IoT security is expensive”

In the IoT environment, the competition of recent years has been defined very much by features and functions. However, it is also important to understand that requirements such as "providing updates" must first be considered individually, because devices without connectivity, or with connectivity disabled, must be supplied as well. In most scenarios, centralized management makes sense, but here too there are many levels, from simple file sharing options through to sophisticated database-based solutions. With the Kontron-susietec solutions KontronOS and KontronAIShield, all of these options remain open as required. Ultimately, it is a build-or-buy decision.

Conclusion: A partner who thinks holistically

The requirements for IoT security are constantly increasing - both technically and in terms of regulation. With a broad security portfolio that integrates hardware and software, includes AI solutions such as KontronAIShield and is produced in Europe in compliance with the GDPR, Kontron is well positioned to meet these challenges. Our offering not only provides comprehensive protection for your systems, but also ensures the long-term sustainability of your IoT infrastructure.

If you would like to learn more about current security standards and how to make your systems fit for NIS-2 and the Cyber Resilience Act: Read up here or contact our team of experts directly.