When we think about our physical safety, our thinking is contextual and adaptive. That stands in sharp contrast to how we think about IoT security. Even though our physical well-being is increasingly threatened by cyber vulnerabilities in IoT technologies, we tend to ignore IoT security, or at best oversimplify it. I wrote more about the cyber-kinetic threats of IoT here.
Just because a winter jacket secures us from the cold in the winter, doesn’t mean we wear a jacket year-round. It also doesn’t mean we think a jacket is our only form of protection. We know that while a jacket is useful in the winter to keep out the cold, sunscreen is necessary in the summer to protect us from the sun. We know that a jacket won’t protect us from being mugged in a notoriously bad neighborhood. We also know that a jacket won’t replace going to the gym or eating well to prevent heart disease. Similarly, wearing a jacket doesn’t protect us from a burglar if we forget to lock the door.
There are many facets to our safety, and because we have been protecting ourselves from these threats instinctively for millennia, we understand the complexity of traditional physical safety without having to think about it.
We are now on the brink of an era in which the cyber-kinetic vulnerabilities of IoT technologies will become a bigger threat to our physical safety than the weather or traditional violent crime.
The same complexity that applies to physical safety, and more, applies to securing IoT. Sure, stopping manufacturers from hardcoding user credentials into devices is one way to secure IoT, but that addresses only one facet of IoT security. The threats are as extensive as the network is. IoT security has to account for both physical safety and cybersecurity. Moreover, security needs don't stay the same: as industry leaders come up with more defenses, wily cybercriminals flex their creative muscles to overcome them.
IoT security therefore also has to become contextual and adaptive: capable of changing to keep up with rapidly morphing threats and business use cases, and cutting across the traditional silos of cybersecurity, health and safety, engineering and others. In a world in which, after a few decades of effort, we are still losing cybersecurity battles daily, how can conscientious companies move forward with addressing new and significantly more complex IoT security threats?
One recommended step is adopting an IoT security framework. Put simply, an IoT security framework allows a company to get its bearings when it comes to properly securing its devices or network. Such frameworks are by no means band-aid solutions. Rather, they serve as a tool or a checklist for which layers of the internet of things companies need to pay attention to, and they offer steps and best practices for securing each of them.
The issue is this: while several industry leaders have developed IoT security frameworks and standards, none of these frameworks has earned broad adoption. As a result, companies driven by innovation continue to treat IoT security as a pesky afterthought.
What’s clear is that there needs to be more government involvement when it comes to IoT security. At least until the industry more broadly accepts that IoT security, if done right, can become a competitive advantage and even speed up innovation.
Both consumers and organizations want (and need!) IoT security frameworks
From the consumer's point of view, the motivation is obvious. While consumers don't take the security of IoT devices (e.g., printers, cameras, DVRs) as seriously as they take the security of their smartphones or laptops, they're still not fond of the idea of hackers using their webcams to launch a distributed denial-of-service attack that shuts down sites like Spotify and Twitter. While consumers are slowly becoming aware of IoT security threats, they understand neither the full extent of the threat nor how to evaluate the security of their devices.
The motivation for organizations is a little more interesting. Critics argue that there shouldn't be government regulation of IoT security because it would halt innovation. And yes, organizations aren't exactly jumping to take the lead, but they are anxious about their exposure.
Lack of government involvement in IoT also means a lack of clarity about where each company's responsibility lies. Organizational leaders wonder: What are my company's responsibilities? What is my organization's exposure? Where are our liabilities? Because it isn't clear who's responsible, will my organization take the hit in the market for something that wasn't necessarily our fault?
What we're left with is a scenario in which organizations know IoT security is something they should think about, but their customers aren't yet demanding it. To innovate quickly, they've put IoT security on the back burner, but they're aware that their responsibilities will increase in the future.
But when exactly will those responsibilities be required by law? It seems this won't become a priority until a huge IoT breach that directly affects consumers takes place. When there is a catastrophic hack of pacemakers, autonomous cars or traffic lights, the public will certainly demand more regulation, and demand it loudly. But why wait until the worst happens?
Another reason governments must take the lead on IoT security frameworks is to help consumers gain a basic understanding of what a device needs in order to be secure.
For instance, the public is only now learning just how prevalent cyber breaches are. Size, longevity and market capitalization aren't enough to prevent a cyberattack if you don't know how to protect yourself. In other words, a heavy front door with a retina scanner won't do much if there's a tunnel into your basement that you don't know about.
Without IoT security frameworks, consumers can't be certain what they should demand from their IoT devices. If even IT professionals have a learning curve to overcome, you can imagine the effort it would take the everyday consumer to assess a device's security. If governments took the lead on developing a framework that fed into an eventual accreditation, consumers could look for a "seal of approval" showing that a device is up to snuff. This would give companies an incentive to secure their devices, since consumers wouldn't want to buy a device without such approval.
What should be done
First, governments don't need to start from scratch. Several industry frameworks already exist that a government-led effort could build on, including:
- GSMA's IoT Security Guidelines and Assessment
- Internet of Things Security Foundation’s IoT Security Compliance Framework
- Industrial Internet Consortium’s Industrial Internet Security Framework
Secondly, at present these frameworks offer guidance more on how to think about securing IoT than on what specific steps need to be taken. For instance, the Strategic Principles for Securing the Internet of Things document released by the Department of Homeland Security in 2016 is only 17 pages long. For a framework to become the basis for accreditation, it has to offer more detailed requirements.
Thirdly, frameworks are meant to be something industry builds on, not something industry settles for. The framework owner has to build a process for continuous and rapid improvement of the framework in order to match the speed at which the industry is developing.
Once there is a basic IoT security framework in place that covers the many facets of IoT security and is mandated by regulators, we'll have something that innovators can build on.
Originally published on IoT Agenda on January 9, 2018