Listen on Your Platform of Choice
#beyondthenow IoT security Podcast
In this episode of the #beyondthenow IoT security podcast, Dr. Juan Nogueria, Senior Director of Connectivity Center of Excellence at Flex, joins David to explain how Flex approaches IoT security for devices, why cybersecurity cost is still a challenge, and why there should always be space on the bill of materials for security.
Listen to a Sneak Peek
We should not be saying that security is adding another cost on the BoM – it shouldn’t be considered like that. It should be something that is necessary, like the power supply, you need to power the device and you need to have security as well.
Dr. Juan Nogueira
Key talking points in this episode:
- Introduction to Flex and its role in the connected devices industry. [01:03]: “I think you can describe flex as an end-to-end product services company. And that means that we help all sorts of companies bring their products to market. Including medical devices for drug delivery or connected medical wearables for glucose monitoring. We also make everything from entertainment and information systems to coffee machines or domestic appliances.”
- Juan's role in Flex, offering connectivity solutions. [04:10]: “Customers are continuously growing, asking for connectivity solutions because as you know, everything has to be connected now but not everybody has the know-how in-house to add connectivity to their products. So, this is where we help them.”
- Is security a growing concern with Flex’s customers? The concern is growing but it’s not always well understood. [05:15]: “Unfortunately, what security means in IoT is not always well understood.”
- Using the example of the construction industry, it’s easy to overlook why security is truly important in this use case. [5:40]: “One of our customers in the construction business is called machine marks. It's a company that monitors and tracks its customer’s usage of large construction machines. The device, we developed it for it. In the past, all this data was being collected by hand, but now they are using this device to collect all these data. So, all this data is transmitted to a cloud for further analysis. And, you know, one may think, well, why do you need the security there?”
- We need to think beyond security only being for “complex systems” with high-value assets, we need to consider the business impact when everyday operations are interrupted. Time is money! [06:28]: “It is very common to only think of IoT security to prevent access to complex systems, you know, like a car or nuclear plant or stealing confidential data in a medical device. Of course, there is privacy involved there.”
- The business cost of failure when things go wrong - A modest device performing a modest activity can have a huge impact, at scale, the relationship between the devices and the business impact must be realized. [07:56]: “That relatively modest device performing a relatively modest activity actually has a huge impact at scale, if you're connecting hundreds or thousands or millions of those devices. And so, for your end customers to realize that relationship between the security in that device and how that would impact their business if it doesn't go right is really important.”
- We often have to educate partners on the importance of security – take a car as an example, you don’t ask 'is this car secure?'-you just assume that it is. You cannot assume things are secure in IoT. [8:50]: “Many times, customers don't ask for security because they see security as not important in their use case or many assume that security is something intrinsic to the IoT device. So when you buy a car, you don't ask the dealer, if the car is secure, you assume that it has been designed following some security standards and protocols, but this is not the case in IoT. So we are trying to be proactive and show the customer that security is important.”
- Flex's proactive approach showing their customers that security is important, it needs to be considered and built-in at the beginning. It’s important to demonstrate security credentials with certification programs like PSA Certified as it adds credibility to the investment in security and means they can demonstrate best practices with our customers. [09:19]: “It's something that has to be considered from the beginning. And showing that we work with security in mind, like for example, you know, passing or going through a certification program, like PSA certified validates from somebody from an outside organization that the device is secure. We show them that security in IoT is not only if you have a nuclear plant.”
- Discussing the PSA Certified 2021 Security Report and the feedback that cost is still an issue for OEMs. [10:20]: “Demand for security is growing, yes. But at the end of the day, the total cost of ownership is the main concern of customers. I think the customers really need help to understand what they need for their problems related to security and what that's likely to cause. Many OEMs, of course, the big guns, have their own manufacturing and they manufacture their own products, but many other OEMs have less expertise on connected devices and security and they don't have huge teams. So, at Flex we can play a role here and immediately offer a platform that is intrinsically secure. And that means certain security standards are already there from the beginning.”
- There is always room in the Bill of Materials (BOM) to compensate for the additional cost of security, it’s just as necessary as your power supply. [13:15]: “How do you monetize security? It should be in ROI or maybe more than ROI is a cost of inactivity. How much may it cost you to not invest in security in the future? How much is going to cause you in downtime or delay or if you need to replace thousands of millions of devices you have deployed because of someone breaching your security? I can tell you there is always room for security in the bill of materials (BOM). We shouldn't be saying that security is just adding another cost to the BOM. It should be something that is necessarily like the power supply.”
- Fragmentation of regions and markets for product security, your target market affects how you build your product. [15:10]: “Not all areas have the same concept of security or privacy in all the world. Something that maybe is normal in some country, or some region can be totally unacceptable in other. You also have to work with partners that can bring this regional know-how and knowledge with your products.”
- All markets must consider security, the high-impact industries are leading the way: automotive, industrial, medical. [16:28]: “I think it is related also to the type of devices. Flex has two main segments. One is higher reliable systems and the other one is flexible solutions. So maybe security is important because it may be more related to the end-customer in the sense of hacking a camera or a microphone. But maybe other areas are more willing to consider security as an investment because they are higher reliable systems: automotive, medical or industrial. These may impact lives. That cost of failure is more.”
- Relationship between IoT, security, and machine learning/artificial intelligence in the edge. Moving intelligence from the cloud to the edge will change everything about the way we design products. [18:11]: “Moving the intelligence from the cloud to the edge device, this will change completely the way we architect or design devices today. Machine learning is also a trigger here, but I do expect many other tools will appear in the future. At Flex absolutely plan to add this intelligence to our IoT platform because we see there will be a growing demand for these capabilities in the next year from our customers.”
- Flex is not just creating IoT but is also embracing IoT so that they can benefit from AI and digital transformation. This brings excitement but also brings opportunities for security breaches. [20:10]: “Flex is also one of the largest manufacturers in the world. We are also starting to apply these technologies in our factory. So, we also apply AI to learn from our machines and to get all this data to improve our processes. Linking this to security there’s also a risk of a potential breach here. We have to pay attention because at end of the day, AI is about algorithms and training, and they learn with time. So, we must be sure that the algorithms don't lag in unexpected ways and take the wrong decisions which may have an impact on your business.”
- The opportunities for production lines, and then reducing the risk in manufacturing (things like downtime of broken machines). Plus, the challenge of technical debt/retrofitting existing machinery, so that those machines can benefit from digital transformation too. [21:50]: “Many machines are now becoming connected. Machine makers are adding sensors everywhere, but there are still thousands, or millions of machines out there running, and they will run for years unconnected. After retrofitting these new IoT devices that collect data and interpret these data, we have intelligent algorithms that can reduce downtime in factories or give you some hint that a machine is going to break.”
- It’s another example of an area where you think security might not matter, but of course, it’s incredibly relevant. [23:45]: “And you could ask why does security matter in that kind of contained environment, but actually is the machine being used within its designed capabilities? Are there gray market repairs that are happening that are outside of the warranty?”
- What will the world look like in five years? The IoT landscape will be well established and 5G will be deployed in both public and private networks. [24:10]: “In five years I do expect that 5G will be well-established and will be a normal, everyday network. This 5G network will not only be deployed in public networks but also in private areas, in factories, in the same way, you have wi-fi today. This will trigger the deployment of IoT devices because you will have 5G networks and then you can deploy as many IoT devices as you like with real control of those devices and a reliable connection.
- Juan’s advice for device security implementations now to secure tomorrow. [26:58]: “I would recommend talking to your partner about how to design your device and security. Try to adopt existing security standards or regulations that may be global or in your region. What is most important is to do this from the beginning, starting during the concept phase. View security as another building block of your device.”
Share this page
The PSA Certified name, PSA Certified logos, PSA Functional API Certified logo featured on this website are registered trademarks or trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. All rights reserved. Other brands and names mentioned on this website may be the trademarks of their respective owners.
Copyright © 2021 Arm Limited (or its affiliates). All rights reserved.
Sign Up To Stay Up to Date With Our Latest Podcasts Episodes