Sternum offers embedded cybersecurity for IoT devices
Once an afterthought in the development of so-called Internet of Things (IoT) solutions, cybersecurity has become one of the primary considerations in the deployment of today’s connected devices. But while vendors are doing the best they can to harden equipment and software systems against attacks and educate end-users about employing good cyber hygiene practices, reducing vulnerabilities remains a herculean task.
However, rather than trying to lockdown IoT devices through the use of best practices, what if they could be secured from the inside out via technology? That’s exactly the goal of Sternum, whose Embedded Integrity Verification (EIV) solution is designed to provide end-to-end security for a variety of IoT devices.
“We secure the device itself. Most security solutions today are focused on network security meaning they connect to the network, identify all of the IoT devices and then let you know if there are any anomalies in the network or something like that. Lots of other tools are using static analyses to predict vulnerabilities inside the code,” Sternum CEO Natali Tshuva explains. “What we’re doing is trying to protect the device itself regardless of the operating system or vulnerability. We believe every device has vulnerabilities. You cannot create a device with zero vulnerabilities, especially in the IoT world when you rely heavily on components you have no control over.”
When EIV is incorporated into an IoT device, Tshuva says that it will embed different verification points into the device’s code that can verify whether or not the integrity of the device has been violated. “EIV is basically an on-device firewall,” she says.
The Israeli-based company, which is making its debut at GSX (Booth #3514) this year and has been recognized as a 2019 Innovative Product Award winner, was founded just last year with the goal of improving the security of connected medical devices.
“Medical devices are very different from other devices,” explains Tshuva. “They are based on a variety of operating systems, which are real-time operating systems. They are not a part of any organized network and the impact of protecting them is tremendous because it means you can provide remote care and monitoring for patients without worrying about cyber-attacks”
According to Boaz Shedletsky, Chief Business Officer for Sternum, the reason they decided to initially focus on the medical field was three-fold.
“First, it’s a life and death situation. Obviously we have to protect the device itself so we did our market validation/technical validation with pacemakers, insulin pumps and so forth,” Shedletsky explains. “Secondly, we see strong market awareness among patients who ask for secured devices. We want to protect these patients and improve their lifestyle enabling remote care. Lastly, we see regulation coming in from the FDA so it was a good place to start.”
However, according to Shedletsky, the company has also recently garnered interest from industrial equipment and HVAC makers for its EIV solution. One of the biggest challenges Shedletsky says the company faces in spreading the adoption of their technology is trying to prove their value proposition to OEMs and trying to build trust with potential partners.
“There is also a component of market education because some (companies) are just beginning to think about security needs for the different technical ecosystems,” he says. “We see a situation similar to the automotive space in 2014 where now medical device and industrial (equipment) manufacturers are understanding their needs around the security of their connected devices and we believe that as a company it’s a great spot and timing to be in.”
“I also see a lot challenges around what those companies refer to as security,” Tshuva adds. “We see a lot of times that people think that encryption is security or if they encrypt their communications it means their device is safe from cyber-attack or if they’re performing static analysis or penetration testing then it means their device is safe. Cyber-attacks work in different ways and the easiest way to penetrate encryption is basically to bypass it using a bug (vulnerability) to attack the device and it would be helpful if the market realized that network security cannot protect you from such scenarios. Moreover, the most vulnerable parts of an organization’s network are the IoT devices… so by realizing that protecting your endpoint IoT devices you will secure your network better; this is something we are working on educating the market about.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].