Research reports illuminating the poor security of Internet of Things (IoT) devices appear with what might be described as alarming regularity. We hear tales of poor password control, read descriptions of security breaches, and then we often hear calls for regulators and governments to do more to stop devices with poor security getting onto the market. With security problems so widely publicised, why isn’t the problem getting fixed, and where does the responsibility lie for taking action?
Why does the problem persist?
John Moor, managing director of the IoT Security Foundation, tells IT Pro there are three why IoT device security, or lack thereof, is still such a prevalent issue. The first is market economics; vendors are reluctant to invest in ongoing security support for devices that might have a life of ten years or more in a business or industrial setting.
Another is lack of regulation. “The general consensus is that regulation is needed, however it is very difficult to get right,” he explains. “Set the bar too low and it weakens the intention and may give a false sense of security. Set the bar too high and it will stifle markets and innovation.”
Moor’s third reason was, sadly, ignorance. “Some vendors do not understand the security implications of adding connectivity to their products,” he says.
Vendors aren’t the only ones with skin in the game, though. Governments can choose to take on a regulatory role, and those buying IoT devices also have a measure of choice in how they make purchases and in which devices they decide to buy.
The role of governments
A significant challenge for governments and regulators is the international nature of purchasing. Even in a business environment, an IoT device is quite likely to be bought off the page from an online seller. The device may have been made in a country with a different regulatory framework for IoT devices – or none – and the online seller may not be based in the same country as the purchaser.
While it has been argued this complexity makes regulation nearly impossible, Moor disagrees, saying: “This is challenging but doable. Governments can mandate responsibilities for domestic markets regardless of the source or point of purchase. For example, an importer of products can be regulated to ensure basic security features exist before making them available for domestic markets.”
Kevin Curran, IEEE senior member and professor of cyber-security at Ulster University, takes this point a stage further, arguing for a baseline of security compliance. “As the industry evolves, the need for consistency becomes more important to ensure interoperability and security for the system as a whole,” he says. “Tackling this issue at the root is key, so enabling manufacturers to ensure all devices meet basic security requirements in the development phase will help to allay fears that an organisation can be easily exploited through a single point of vulnerability.”
The UK Government’s proposed new law, sets a baseline. It’s aimed at manufacturers of consumer IoT devices, but, says Paul Stone, security delivery manager at Context (part of Accenture Security): “Nearly all elements of the Code of Conduct apply equally to consumer and business IoT devices.” Despite this he is sceptical about take-up, saying: “I have yet to see any manufacturer publicly commit to the guidelines even though it could be in a manufacturer's interest to do so, as a way to differentiate themselves from competitors.”
What should end users do?
Moor believes that businesses should be proactive, ensuring the suppliers of IoT devices have good security practices in place and demonstrate an acceptable level of commitment to security. Stone also puts the onus on business buyers, saying: “Businesses purchasing IoT equipment should demand evidence that the manufacturer is taking product security seriously. This could include requiring products to undergo testing by a third party and public commitments to follow standardised security guidelines, such as those published by the UK.” He thinks such action is powerful, adding: “Ultimately a business demand or requirement for good security will be more effective in driving up standards than intermittent enforcement by a regulator.”
It’s possible that if this kind of behaviour became widespread it might force industry change. Indeed Curran was optimistic that we will see a change before too long, saying: “the standardisation of IoT security will need to catch up with other already developed technologies, but with the rapid adoption by businesses due to increased remote working, this will most likely happen at a significant pace.”
