Trustworthy and Resilient Connected Products

Connected products and their associated risks are under a microscope

With cyber everywhere, cyber vulnerabilities in connected products can be exploited to gain unauthorized access to data on—or transmitted by—products, the network, and the connected IT system. When compromised, threat actors can steal consumers’ information, manipulate data, exploit suppliers, hold systems or information for ransom, or manipulate connected products to harm consumers. In addition, the rise of new types of customer data (e.g., biometrics) collected significantly raises potential privacy concerns.

Back to top

Why now? Regulation is on the rise.

Multiple pieces of legislation have been passed in an attempt to improve product security, safety, and privacy posture in the United States (US). The myriad of regulations is growing.

• The US Senate proposed guidelines for securing products in the “Internet of Things Cybersecurity Improvement Act of 2017.”¹
• In 2018, California signed SB-327,² a law requiring that manufacturers (selling to users in California) of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security and privacy features by January 1, 2020.
• California also passed the California Consumer Protection Act (CCPA),³ which requires companies to adhere to privacy requirements on the collection and usage of California residents’ personal information by July 1, 2020.

Back to top

Security and privacy everywhere. By design anywhere.

It is not easy to secure connected products in highly dynamic environments where threats change from day to day. However, there is a way to combat the growing regulatory and threat landscape.

Manufacturers should consider implementing “security by design” and “privacy by design” processes into their product development life cycle to design a device from the ground up to be secure and incorporate privacy principles, versus adding security and privacy features after the device has been delivered to the market.

This by-design approach takes into consideration many factors—new regulations and guidelines, the current threat environment, technical testing results and more—as the device is being designed, built, and tested.

Those who procure products should build security and privacy/sensitive information requirements into their procurement process and act to securely implement and maintain the product and associated data once acquired.

Back to top

We can help—across the IoT and connected product ecosystem

Deloitte Cyber Product Safety and Security (ProdSS) services can help across the connected product ecosystems—product manufacturers, suppliers, third-party software and hardware providers, and digital platform companies—by lowering risks associated with advanced connected products.

Using a practical, business-centric approach, we advise many of the world’s largest, advanced global organizations on how to address product-specific issues and strengthen aspects of their product security and privacy programs, device architecture, and other issues related to the products they manufacture and/or acquire. Our wide range of services include:    

Trusted by the world’s leaders. Chosen by the world’s innovators.

We manage cyber everywhere so you can innovate anywhere. From the visionaries reimagining businesses and the disruptors changing industries to the pioneers creating new markets, Deloitte is helping organizations solve their complex problems. So you can build a confident future—one idea, innovation, and breakthrough at a time.

A cross-industry approach with continuous improvement and insights
Our deep industry view spans product, device, and other connected products across their lifecycles. We have experience performing product security and privacy maturity assessments for consumer products, health and medical device manufacturers; penetration testing products, medical devices, and connected vehicles; in addition to setting up customized monitoring tools on manufacturers’ lines and industrial control systems. Deloitte Cyber ProdSS professionals draw on the cross-industry insights and leading practices experience to identify issues and develop customized recommendations—isolating cyber gaps for clients that otherwise may not have been recognized.

We don’t rest there. Ongoing collective efforts are required to drive continuous improvement in connected product safety. Deloitte Cyber professionals contribute the insights garnered through project engagements across industries, applications, and connected things to assist in the ongoing development of standards and industry guidance. We have worked alongside Underwriters Laboratories and many other organizations, providing product security guidelines and standards feedback.

It is our commitment to help manufacturers and smart product consumers protect their data and realize the potential future of a hyperconnected world. And we are recognized for it by many of the world’s leading analysts: as a global leader in Internet of Things services, The Forrester Wave^TM; #1 by Gartner in market share for Security Consulting Services; and as a leader in Cybersecurity Incident Response Services, The Forrester Wave^TM.

Back to top

End notes

¹ California Legislative Information, SB-327, Information privacy: connected devices, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327.

² California Legislative Information, AB-375 Privacy: personal information: businesses, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

³ Congress.gov, S.1619, Internet of Things (IoT) Cybersecurity Improvement Act of 2017, https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt.