IoT Security: Who Is Stepping Up?
The Internet of Things (IoT) is creating huge opportunities for businesses and society at large. Experts expect 30 billion connected devices to generate a market size of $1.7 trillion by 2020, according to an IDC infographic.
With all this opportunity at risk, it is reasonable to ask why industry leaders haven’t done more to address the ever-increasing IoT security concerns, which have been cast into sharp focus by recent high-profile distributed denial-of-service (DDOS) attacks.
Let’s look at the key stakeholders and discuss how they need to step up to help mitigate security risks and optimize the return on the IoT.
Government and Market Regulators
The IoT is a classic example of the tragedy of the commons, whereby the common resource of the internet is degraded by IoT device manufacturers, vendors and users ignoring security. This leads to IoT devices becoming vulnerable to manipulation by cybercriminals. U.S. Sen. Mark Warner recently wrote in a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler:
“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.”
Because security is a network externality, the prices of IoT hardware and software indicate neither the likelihood of security breaches nor the resulting costs of associated damage. According to Motherboard, market solutions have failed and governments must impose regulations to help fix the problem. That is a tricky proposition in a globalized economy.
All Talk, No Action
The incentive is there, but government agencies remain slow to act. The U.S. and European Union (EU), for example, have acknowledged that the IoT security problem demands attention. The appropriate remediation of that problem, however, is a matter of debate.
Several federal agencies such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) issued IoT security guidelines, but these fall short of the legislative efforts some security experts are calling for. Indeed, according to CIO, U.S. lawmakers appear reluctant to regulate the market in this way.
The EU is also making efforts to address security concerns by proposing that companies comply with a cybersecurity rating and approval process for connected devices, EurActiv reported. There seems to be more of an appetite in Europe for this type of government intervention, and the EU seems more likely to incorporate these proposals in a legislative framework. How long before this happens, however, is anyone’s guess. The General Data Protection Regulation (GDPR), for example, will take effect in 2018, following four years of negotiation.
As usual, government intervention, whether it is the solution or not, will take time to implement. It will presumably take even longer for experts to assess its efficacy.
The Customer’s Burden
IoT customers must continue to implement best-practice security controls. These controls have evolved over the last two decades and should continue to adapt to the IoT systems of the future.
The recent DDoS attacks against IoT-connected apartment buildings in Lappeenranta, Finland, highlighted what can happen when operators implement weak cybersecurity on their systems. Devices are typically compromised when owners fail to update default usernames and passwords. Customers should be more vigilant and learn the basics of securing machines, routers and connected devices.
The Internet Service Provider’s Role
As internet service providers (ISPs) own the network and IoT solutions require connectivity, ISPs play a prominent role in IoT security. ISPs deliver better IoT security to their customers in two ways. First, they can monitor, filter or block potentially malicious traffic based on known patterns, which reduces spoofing. However, ISPs have been slow to adopt this standard due to installation costs.
ISPs can also notify customers if devices in their networks are involved in malicious traffic. Customers can then act on this information to secure compromised machines. IoT stakeholders must do more to encourage ISPs to take initiative when it comes to IoT security.
Guidelines for Software Developers
It is more effective to develop secure code for traditional applications than to create secure code for connected devices. Fewer and fewer IoT players are traditional software companies, with government agencies, consumer products and manufacturing entities moving into the space. These parties might not be as advanced as software companies in terms of secure software engineering.
To improve the situation, developers should start with solid foundations when coding for the IoT. According to the recent IBM white paper “IBM’s Point of View — Internet of Things Security,” this can take the form of solid security guidelines such as the following:
- Define security policy requirements.
- Design for security.
- Use app-scanning tools.
- Use threat modeling in the system design.
- Check all data that is passed through application program interfaces (APIs).
- Rigorously test open-source components and dependencies.
- Maintain code change records.
- Test for security.
It is important for the software community to both advocate and practice secure software engineering. As the IoT continues to define the future of cybersecurity, the industry must address the dangers of insecure code before it’s too late.
Device Manufacturers: The IoT Security Bogeyman
The bogeyman in the IoT security debate is the device manufacturer. There is currently no market incentive for manufacturers to actively implement security by design. If they were to actively make their devices more secure, however, what would they need to do? The Broadband Internet Technical Advisory Group (BITAG) recommended that device manufacturers take the following actions to enhance IoT security:
- Use current software best practices, ship with relatively current software, provide automated mechanisms for patching software and install strong authentication by default.
- Follow security and cryptography best practices, which include securing communications, encrypting configuration communications by default and authenticating communications, software changes and requests for data.
- Be restrictive rather than permissive when communicating.
- Continue to function even if internet connectivity is disrupted or the cloud back-end fails. A connected light switch, for example, should continue to function manually. This is even more important for devices that affect user safety.
- Support addressing and naming best practices such as IPv6 and DNSSEC.
These guidelines seem to make perfect sense, right? Unfortunately, device manufacturers are unlikely to take them seriously, at least in isolation.
To learn more about securing IoT devices, please download a complimentary copy of the Ponemon Institute’s 2017 State of Mobile & IoT Application Security Study.