Will New IoT Security Frameworks Push Compliance Obligations to the Forefront of Security Discussions?
The Internet of Things (IoT) is increasingly embedded with our daily lives. Worldwide we’ve seen an increase in the number of IoT devices to over 35 billion online devices. This includes cellphones, Wi-Fi-accessible cars, televisions, fridges, and anything else that is connected to the internet. While these devices make life more accessible, for every new device, a new attack vector for cyberattackers is created.
Cybersecurity has become too costly for businesses to ignore. As a result, cybersecurity for many businesses has naturally become a top priority. By 2023, global spending on cybersecurity is expected to increase to over $157 billion – up from $60 billion in 2019. However, for each device that is added to the IoT sum, the number of potentially compromised users whose data or security has been breached also increases. Vulnerability management for devices and networks is a common approach to dealing with security breaches. Yet, for IoT devices, vulnerability management has yet to be standardized or implemented. A report from IoT Security Foundation found that over 86% of consumer IoT device manufacturers do not have any form of vulnerability reporting. This process needs to change soon.
While there are no standards for securing an IoT device, new recommendations for securing IoT devices are in the works. The US Department of Homeland Security (DHS) published recommendations for securing IoT devices back in 2016, but none of these recommendations have passed as required by law. The European Union is in the process of proposing international standards for governing IoT devices. Developed by the European Telecommunications Standards Institute (ETSI), these standards are intended to develop a foundational guideline for IoT cybersecurity. This includes security and data protection provisions for consumer IoT devices such as:
- Reporting implementation
- No universal default passwords
- Implement a means to manage reports of vulnerabilities
- Keep software updated
- Securely store sensitive security parameters
- Communicate securely
- Ensure that personal data is protected
These standards will be implemented by law and will force other countries to consider their IoT standards. The UK and Australia are in the process of proposing the legal codification of IoT standards. John Moor, managing director of the IoT Security Foundation, argued that while “the proposed standards don’t all use the same language, they’re basically all describing the same things.” While adding connectivity to every device is convenient in some respects, these systems should remain intentionally air gapped. Often companies that produce cutting-edge technology do not stop to ask the basic question, “Can we still effectively secure this?” This subsequently leaves the end user vulnerable and in a precarious position, as the manufacturer generally claims no accountability in the event of a breach or data integrity being compromised.
Our Take
IoT is slated to become increasingly integrated into our lives. While this degree of integration is expected, the standards for IoT must also expand in tandem with its growth. While most nations have preliminary IoT policies enacted, they often offer little more than a symbolic gesture. IoT has experienced a rapid expansion of connected devices, and the privacy policies and accountability have thus far been unable to keep pace with this growth.
For businesses, there has been a lack of accountability. For many IoT manufactures, the approach has been to achieve the bare minimum so that they can simply “check the boxes.” For example, consumer-level IoT products are often produced at the lowest cost possible. As a result, security and vulnerability reporting functions take a back seat, as only the bare minimum is needed to be cleared for public consumption. IoT as an industry has experienced growing pains for the past couple of years, the consequences of which are now being felt.
Consider what IoT consists of: routers, printers, home speaker devices, televisions, and many more devices. Most of these devices only use the most basic of credentials for authentication and security. Even more troubling is that some of these IoT devices have no security protocols whatsoever. On the consumer side, most end users are unaware of the security features of their IoT products. Furthermore, manufacturers’ patching or vulnerability disclosure processes are inconsistent or nonexistent. These factors combined make IoT devices tantalizing for cyberattackers, and it is only a matter of time before these devices are attacked and repurposed.
The creation of vulnerability baseline policies in some countries is a step in the right direction and will force a discussion about vulnerability disclosures and IoT security. Arguably, IoT manufactures should have included security measures and vulnerability disclosure policies with the initial inception of their products – not after the fact. However, because it was never asked of them, they either purposefully neglected these security measures or decided to never include them at all. If a manufacturer of IoT products is to continue in its production, we may see significant changes in the future. As of 2019, only 13.3% of IoT-producing companies have a disclosure policy in any form.
These preliminary discussions will pave the way for full-fledged legislation. As mentioned already, the European Union, the UK, and Australia are in the process of implementing standards for governance of IoT devices. These upcoming standards will force compliance for manufacturers down the line. While the US does have some recommendations in place for securing IoT devices, these are only recommendations, not compliance obligations, and as such do not extend to every state. Some states, like California and Oregon, have implemented standards requiring “reasonable security features” to be added to IoT devices. Manufacturers will be given additional standards in order to increase the security competency for themselves, as well as for clients. This should help rectify the fact that IoT devices are more susceptible to cyberattacks than other technology, in part due to their lack of standards.
Any use of IoT devices in businesses should be met with caution. Without the proper security basics, these products can become more of a liability than a business enabler. Be aware of what is on your network and ask yourself, “Is this technology secure enough to be on our network?” or alternatively, “Do we have the processes in place to secure it ourselves?” It is critical that manufacturers of IoT devices get on board with new regulations because whether with or without their approval, compliance regulations will be coming down the line.