Who should lead the push for IoT security?
Industry groups and governmental agencies have attempted to improve IoT security, but so far there’s nothing comprehensive
11 February 2020 | 0
The ease with which internet of things devices can be compromised, coupled with the potentially extreme consequences of breaches, have prompted action from legislatures and regulators, but what group is best to decide?
Both the makers of IoT devices and governments are aware of the security issues, but so far they have not come up with standardised ways to address them.
“The challenge of this market is that it’s moving so fast that no regulation is going to be able to keep pace with the devices that are being connected,” said Forrester vice president and research director Merritt Maxim. “Regulations that are definitive are easy to enforce and helpful, but they’ll quickly become outdated.”
The latest such effort by a governmental body is a proposed regulation in the UK that would impose three major mandates on IoT device manufacturers that would address key security concerns:
- Device passwords would have to be unique, and resetting them to factory defaults would be prohibited
- Device makers would have to offer a public point of contact for the disclosure of vulnerabilities
- Device makers would have to “explicitly state the minimum length of time for which the device will receive security updates”
This proposal is patterned after a California law that took effect last month. Both sets of rules would likely have a global impact on the manufacture of IoT devices, even though they are being imposed on limited jurisdictions. That is because it is expensive for device makers to create separate versions of their products.
IoT-specific regulations are not the only ones that can have an impact on the marketplace. Depending on the type of information a given device handles, it could be subject to the growing list of data-privacy laws being implemented around the world, most notably Europe’s General Data Protection Regulation, as well as industry-specific regulations in the US and elsewhere.
The US Food and Drug Administration, noted Maxim, has been particularly active in trying to address device-security flaws. For example, last year it issued security warnings about 11 vulnerabilities that could compromise medical IoT devices that had been discovered by IoT security vendor Armis. In other cases, it issued fines against healthcare providers.
But there is a broader issue with devising definitive regulation for IoT devices in general, as opposed to prescriptive ones that simply urge manufacturers to adopt best practices, he said.
Particular companies might have integrated security frameworks covering their vertically integrated products – such as an industrial IoT company providing security across factory floor sensors – but that kind of security is incomplete in the multi-vendor world of IoT.
Perhaps the closest thing to a general IoT-security standard is currently being worked on by Underwriters Laboratories (UL), the security-testing non-profit best known for its century-old certification program for electrical equipment. UL’s IoT Security Rating Program offers a five-tier system for ranking the security of connected devices – bronze, silver, gold, platinum and diamond.
Bronze certification means that the device has addressed the most glaring security flaws, similar to those outlined in the recent UK and California legislations. The higher ratings include capabilities like ongoing security maintenance, improved access control and known threat testing.
While government regulation and voluntary industry improvements can help keep future IoT systems safe, neither addresses two key issues in the IoT security puzzle – the millions of insecure devices that have already been deployed, and user apathy around making their systems as safe as possible, according to Maxim.
“Requiring a non-default passwords is good, but that does not stop users from setting insecure passwords,” he warned. “The challenge is, do customers care? Are they willing to pay extra for products with that certification?”
IDG News Service