We must not let IoT security fall by the wayside, writes RIPE NCC’s Senior External Relations Officer, Marco Hogewoning. Briefly, RIPE NCC is a not-for-profit membership organisation that supports the infrastructure of the Internet; it acts as the Regional Internet Registry (RIR) providing global Internet resources and related services (IPv4, IPv6 and AS Number resources) to its members.
The Internet of Things (IoT) has introduced a whole range of creative and innovative applications for homes and businesses, ranging from connected fridges and washing machines to security systems. With Intel predicting that there will be over 200 billion connected devices globally by as soon as 2020, the IoT’s impact will only grow. However, the IoT ecosystem has developed at such a rapid rate that its security and safety have become a secondary consideration. With a snowballing number of end-points that cyber threat actors can target, questions must be asked about who is responsible for the security of IoT devices.
A compromised IoT device can have an enormous and devastating impact on a network. Well-documented attacks, most notably the Mirai botnet attacks of October 2016, which saw huge numbers of IoT devices infected with malware, have demonstrated how the vulnerabilities of insecure IoT devices can be exploited with devastating results. Recent predictions by Spiceworks suggest that around half of all businesses will have installed an IoT solution by the end of 2018. With such vast numbers using IoT solutions, businesses can only become more integrated into the IoT ecosystem. Perhaps this helps to explain why over 50 percent of businesses questioned for a recent Forrester Consulting survey said they were very anxious about the security of the IoT.
The security concerns around the IoT are prominent, but one point of contention keeps cropping up – who is responsible for IoT security? This remains a grey area because of the unique nature of IoT devices. Unlike traditional computers and smartphones, for example, IoT devices often lack a clear user interface, so any updates must be installed remotely and in an automated fashion. IoT devices are also expected to have a much longer lifespan, which for industrial applications can easily last decades. As such, the traditional limited-warranty frameworks offered by manufacturers no longer apply. The cybersecurity threat landscape is continuously evolving, and closed-source, proprietary software means that users remain dependent on the manufacturer for updates for the entire lifespan of the device. Should the companies creating these devices therefore be held accountable for their safety? Is it reasonable to expect businesses to continue supporting devices which may be in use for a decade or more? And what happens when a manufacturer goes out of business?
Last March the UK government took steps to address some of these questions by introducing a new “Code of Practice” to boost IoT security, by clearly defining expected standards. Through this, organisations should be able to better understand their role in protecting the customers they serve, whether directly, or through an associated IoT service. Yet, in an ideal setting, responsibility for educating and regulating the IoT should not fall to a single regulatory body, like the UK government. A single, centralised, regulatory body would face huge challenges in bringing together the various competencies required to manage a complex, and ever-evolving, IoT ecosystem.
It is, therefore, reassuring to see that initiatives such as the UK government’s “Code of Practice” have been developed in collaboration with many related organisations. In fact, this initiative was made possible as the direct result of a collaborative effort that saw manufacturers, retailers and the National Cyber Security Centre supporting and informing the government.
A collaborative approach, linking related sectors, could help to stimulate an ethical responsibility among those involved, because the resulting standards originate from cooperation between regulators and other entities with a stake in the IoT. This approach is in many ways very similar to the culture of openness upon which the Internet was founded. That collaborative thinking has since proven to be the bedrock of the Internet’s success and sustainability. Just as it did for the Internet itself, such efforts could help to foster a set of agreed values for IoT security.
These agreed values could develop into a set of common standards for improved IoT security procedures that could be managed by stakeholders on a self-regulatory footing. Not only would this help to foster more secure IoT devices, but it wouldn’t hamper innovation – which more rigid regulation can sometimes do. Businesses must, of course, remain competitive, as they need to respond to market and commercial pressures. So, moving forward, cooperation on security and competition on features and services should be the model for tackling IoT security.
Ultimately, this will only happen if parties in the IoT ecosystem engage more closely to find constructive solutions to the challenge of IoT security. The Internet has demonstrated that collaboration and voluntary standards can help an ecosystem thrive. They could be of vital importance to achieving the safe IoT ecosystem that everyone needs.