Secure By Design Review

by Mark Rowe

There is news from the Department for Digital, Culture, Media & Sport (DCMS). As part of its drive to improve the security of the Internet of Things (IoT), it has published the Secure by Design Review. It seems that "Manufacturers of 'smart' devices will be expected to build in tough new security measures that last the lifetime of the product". This got me thinking about the scale and scope of the problems we face when securing our 'things'.

We know that the 'things' we need to protect can range from a door entry system to a fitness tracker and everything in between. The automotive sector, home smart devices, industrial control systems, physical security systems and traditional IT systems: none of them are immune to security problems. But why is that? All these years on, 20 years after the first successful global malware attack, we are still seeing such attacks succeed and cause chaos. Now, with a massively enlarged attack surface thanks to the IoT, the possibilities and opportunities for criminals seem to increase every day. The National Cyber Security Centre (NCSC) has said that 99pc of successful attacks exploited a vulnerability that had existed for more than a year; that applies to attacks on our physical infrastructure but also on our mainstream IT systems, so it would appear that the IT world is not faring much better than the physical world. In fact, recent research indicates a problem of inertia within cyber security, with 46pc of respondents to the survey saying that their cyber security strategy rarely changes, even after a cyber-attack. What the research does not tell us is whether "attack" here means a successful attack or simply an attack event. If it means an actual attack, a successful exploit of a vulnerability, then this would seem to indicate a lack of appreciation across all security disciplines of the dangers of the IoT and cyberspace.

So, not for the first time, I find myself wondering about attitude, behaviour and culture. We know that when standards are applied or legislation is enacted, things change and eventually culture changes. As someone who has worked across the physical and cyber security worlds for so many years, I can appreciate that maybe I am lucky to be able to spot the vulnerabilities. But trying to communicate this to business, and wanting to bring a positive message about security blending and converged threat, has not been easy. About five years ago everyone was talking about converged threat; it appeared on virtually every expo seminar agenda, articles were written and papers were distributed, yet I talk to both the physical and cyber worlds and have yet to see the widespread converged response to this converged threat that you would have expected after such extensive coverage. It leads me to wonder whether the chat around IoT will be consigned to the same fate: much talk, little action, continued threat, and increasing cost to businesses and consumers as attacks have to be cleared up.

This is why my hopes were raised by this report from DCMS. Not because I think that on its own, relying as it does on widespread voluntary adoption, it will cure anything, but because it is at least a positive step towards genuine understanding and an acknowledgement that the threat is very real and things need to change. Going back to my question about why we are still seeing known vulnerabilities exploited by attackers, I am reminded of how easy it is to think that because nothing has happened to you, nothing therefore will or can. This thinking does not arise when you get into your car and decide whether or not to wear a seatbelt. Most people these days, regardless of the legal requirement, accept that this is just common sense. Most of those people have not been in a serious accident; they just know that it is a risk of driving on the road. This change of behaviour, from a time when seatbelts were never worn to a time when wearing them is accepted good practice, has not just happened. It required legislation, extensive education and awareness, and an enforcement mechanism for non-compliance.

We are not quite there yet with our 'things'. As attempts to alert people to the need for vigilance in what they purchase and connect to the internet become more widespread, we will achieve awareness. However, the various security standards, including the Secure by Design Review, remain voluntary, with no legislation to back them up and no regulatory framework for enforcement. So, just as no car manufacturer now would dream of designing a car without seatbelts, the IoT manufacturer response needs to rise to match the draft Code of Practice contained within the review, and goods that are secure by design should be the norm, not the exception, whether that is a web-enabled jogging vest or a video surveillance system.

“Poorly secured devices threaten individuals’ online security, privacy, safety, and could be exploited as part of large-scale cyber attacks. Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s dolls.”

Those wishing to read more about the Government and DCMS Secure by Design Review can find the report on the DCMS website.

Don’t imagine this isn’t about you or your devices; whether you sell them, use them or both, it’s about you and the IoT.


© 2024 Professional Security Magazine. All rights reserved.