Why is IoT security still such a problem?

Talk about privacy by design and regulation has so far failed to yield results

Research reports illuminating the poor security of Internet of Things (IoT) devices appear with what might be described as alarming regularity. We hear tales of poor password control, read descriptions of security breaches, and then we often hear calls for regulators and governments to do more to stop devices with poor security getting onto the market. With security problems so widely publicised, why isn’t the problem getting fixed, and where does the responsibility lie for taking action?

Why does the problem persist?

John Moor, managing director of the IoT Security Foundation, tells IT Pro there are three reasons why IoT device security, or lack thereof, is still such a prevalent issue. The first is market economics; vendors are reluctant to invest in ongoing security support for devices that might have a life of ten years or more in a business or industrial setting.

Another is lack of regulation. “The general consensus is that regulation is needed, however it is very difficult to get right,” he explains. “Set the bar too low and it weakens the intention and may give a false sense of security. Set the bar too high and it will stifle markets and innovation.” 

Moor’s third reason was, sadly, ignorance. “Some vendors do not understand the security implications of adding connectivity to their products,” he says.

Vendors aren’t the only ones with skin in the game, though. Governments can choose to take on a regulatory role, and those buying IoT devices also have a measure of choice in how they make purchases and in which devices they decide to buy. 

The role of governments

A significant challenge for governments and regulators is the international nature of purchasing. Even in a business environment, an IoT device is quite likely to be bought off the page from an online seller. The device may have been made in a country with a different regulatory framework for IoT devices – or none – and the online seller may not be based in the same country as the purchaser.

While it has been argued this complexity makes regulation nearly impossible, Moor disagrees, saying: “This is challenging but doable. Governments can mandate responsibilities for domestic markets regardless of the source or point of purchase. For example, an importer of products can be regulated to ensure basic security features exist before making them available for domestic markets.”

Kevin Curran, IEEE senior member and professor of cyber-security at Ulster University, takes this point a stage further, arguing for a baseline of security compliance. “As the industry evolves, the need for consistency becomes more important to ensure interoperability and security for the system as a whole,” he says. “Tackling this issue at the root is key, so enabling manufacturers to ensure all devices meet basic security requirements in the development phase will help to allay fears that an organisation can be easily exploited through a single point of vulnerability.”

The UK Government’s proposed new law sets a baseline. It’s aimed at manufacturers of consumer IoT devices, but, says Paul Stone, security delivery manager at Context (part of Accenture Security): “Nearly all elements of the Code of Conduct apply equally to consumer and business IoT devices.” Despite this, he is sceptical about take-up, saying: “I have yet to see any manufacturer publicly commit to the guidelines even though it could be in a manufacturer's interest to do so, as a way to differentiate themselves from competitors.”

What should end users do?

Moor believes that businesses should be proactive, ensuring the suppliers of IoT devices have good security practices in place and demonstrate an acceptable level of commitment to security. Stone also puts the onus on business buyers, saying: “Businesses purchasing IoT equipment should demand evidence that the manufacturer is taking product security seriously. This could include requiring products to undergo testing by a third party and public commitments to follow standardised security guidelines, such as those published by the UK.” He thinks such action is powerful, adding: “Ultimately a business demand or requirement for good security will be more effective in driving up standards than intermittent enforcement by a regulator.”

It’s possible that if this kind of behaviour became widespread it might force industry change. Indeed, Curran was optimistic that we will see a change before too long, saying: “the standardisation of IoT security will need to catch up with other already developed technologies, but with the rapid adoption by businesses due to increased remote working, this will most likely happen at a significant pace.”
