Study Shows an Industrial Internet of Insecure Things

The adoption rate of embedded security protocols is not keeping pace with the increased number of cyberattacks.

Barr Group recently unveiled some findings from its 2018 Embedded Systems Safety & Security Survey. According to the survey, of the embedded systems developers working on internet-connected or IoT projects, 22 percent do not list security as a product requirement. This would seem to run counter to the rising number of cyberattacks targeting internet-connected devices. Barr Group sees it as a warning that these attacks will continue against the embedded systems industry.

Based on survey data from 2018 as well as results from prior years, the embedded industry is showing modest improvement when it comes to making security a design consideration during product development, rising six percentage points from 2016 to today’s 67 percent. However, 33 percent of embedded engineers and 22 percent of engineers designing internet-connected devices are still neglecting to focus on security during product design.

According to Barr Group CTO Michael Barr, “For both new internet-connected and non-internet-connected projects, developers are increasingly designing applications that use more than four CPUs per system. These complex systems significantly increase the potential attack surface and are inherently more difficult to secure.

“Failing to focus on security during the design process, especially for internet-connected devices, may be putting the entire network and potentially the devices’ end users at risk.” According to the 2018 survey, 25 percent of developers designing products for the IoT are working on devices that could kill or injure people if hacked.

Further compromising the state of IoT security, survey results reveal that engineers developing IoT devices are still neglecting to implement industry-recommended design practices known to raise security levels of embedded systems. Of the engineers designing internet-connected devices:

  • 54 percent lack regular code reviews.
  • 49 percent fail to perform static analysis.
  • 33 percent lack a written coding standard.
  • 17 percent lack a bug database.
  • Less than half of all embedded engineers designing for the IoT encrypt their data.