For laboratory managers and scientists, the promise of the connected laboratory supported by the Internet of Things (IoT) is beginning to bear fruit. IoT connectivity enables instrument monitoring for asset management, optimizing instrument uptime and utilization. It allows tracking of instrument health to predict failures and facilitate support. IoT automates software updates and enables protocols and methods downloads directly to instruments. Clearly, IoT is transforming the laboratory into a modern, connected ecosystem.
The largest challenge with delivering connected devices is rooted in the ever-evolving cyber threat landscape. Specifically, maintaining the balance between connectivity and security in a rapidly changing environment. During Cybersecurity Awareness Month, we’re reminded that security is paramount in realizing the value of IoT. Let’s look at some of the common security challenges posed by IoT, and what measures are taken to counter these threats and ensure a safe digital laboratory.
IoT security concerns
In the IoT marketplace, we see how innovation often outpaces security. Global research firm Gartner predicts that the number of connected “things” will expand to 25 billion by 2021. IoT device manufacturers are rushing to beat the competition to market. And while the rapid pace of innovation helps drive the market forward, it can come at the expense of security.
Cybersecurity can become an afterthought in the product lifecycle. In many cases, security requirements are evaluated by product professionals who may lack the depth of knowledge of a cybersecurity specialist. In a rapidly changing cybersecurity landscape, it’s difficult for non-specialists to keep up with the latest threats and best practices for mitigation. Expecting product professionals across multiple product teams to consistently interpret government/industry guidance and build appropriate security controls is not realistic.
When it comes to product development, cybersecurity requirements often compete for the same development investment as other product features. This is why it is so important to have cybersecurity teams involved in product design from the onset.
More connected devices lead to more automation. Communications that once required human intervention are now handled automatically, making them more vulnerable to misuse. With IoT, device misuse can take many forms. Instead of targeting data, IoT breaches typically focus on computing resources. For example, you might see a collection of IoT devices harvested for their compute power, and then leveraged by criminals in a distributed denial of service (DDoS) attack or cryptocurrency mining. These types of attacks not only damage the target, but also rob the device of the resources needed to meet its intended purpose. In cases involving medical devices, these attacks are especially dangerous.
The combination of rapid growth, increased vulnerability, and evolving legislation can be a recipe for trouble.
Security by design
Building cybersecurity into connected products is critical to realizing the full potential of IoT in the lab. The concept of the connected lab with all devices communicating and sharing data seamlessly can only be achieved when security risks are mitigated.
Effective product security starts in the product design phase, with qualified cybersecurity specialists evaluating requirements and making recommendations. Using a security by design approach led by a centralized security team is essential to building smart, secure, and connected ecosystems for the laboratory. By centralizing the security team, companies create a powerful resource of cybersecurity experts tracking the latest trends, threats, and market requirements. This team can lead the security design discussions with every product team and business unit, helping understand risk profiles and consistently deploy cybersecurity best practices. Every product with a connectivity component or access to data should collaborate with this team.
This centralized approach enables consistent interpretation of security guidance/frameworks/regulatory requirements. With that guidance in mind, the team assesses each product to understand the value of the data and the device’s compute resources, and then constructs appropriate security controls and boundaries around these devices. Product security is not one-size-fits-all. Working with the business, the security team can understand the context of the device and build a plan to secure it. The product security team should also collaborate with the Data Privacy Office to understand the latest legislation around protected data.
The security by design approach enables companies to avoid the bolt-on security mindset. Instead of security as an afterthought, security becomes part of the product design process. Working with the product teams builds a shared ownership of security. Product security becomes everyone’s job, guided by a single team of cybersecurity experts setting a standard that all products must achieve.
Balancing security and connectivity
Every connected device carries some level of security risk. The goal of any security program is to minimize the device’s risk profile to a point where the rewards of connectivity far outweigh the risks.
Balancing security and connectivity takes a community effort. The FDA collaborates with key leaders throughout the industry to establish and implement security controls and best practices that all companies can follow. By partnering with the FDA and participating in cybersecurity community initiatives like I Am The Calvary, leading companies help raise awareness and promote security research. By cooperating with peers, companies can share insights, best practices, and lessons learned to raise the bar against cyber threats.
Using a security by design approach with a centralized security team supported by collaborative processes, companies can minimize the gap between innovation and security and maintain a proper balance between security and connectivity.
Joel Cardella is the Director, Product & Software Security, Corporate Information Security (CIS) Program at Thermo Fisher Scientific. Joel has over 25 years of in-depth IT, consulting, and information security management experience.