The Internet of Things offers us new ways to build potential value and offer it without human intervention. The seeming boon of the IoT is also its greatest risk. With over 26 billion devices projected to form part of the IoT in 2020, we face an urgent risk.
The IoT is different from traditional computers such as workstations and laptops, as it doesn’t rely on humans to function. The sensors collect, communicate, analyze, and act on data, offering new ways in which technology can create value for businesses.
But this blessing also creates opportunities for data to be compromised. Not only is data being shared without human knowledge, among many participating devices, but the shared data is also highly sensitive in nature.
As such, the risks are exponentially larger.
How can organizations manage this widening attack surface while still creating innovation in their digital initiatives?
What makes the Internet of Things highly spooky in terms of its security posture is the lack of global risk standards. IoT is a shared ecosystem and operating model that crosses private and public sectors. Yet, we lack uniform standards to govern and regulate the sector.
Standards are certainly on the way, but years off. Meanwhile, IoT applications grow at their own pace. For the lack of regulations, and despite the fact that some good initiative are emerging or exist, most organizations are forced to begin implementing and developing their own cyber risk standards with a lack of any complete guidance.
While consumers can’t be reasonably expected to secure their own devices, the issue of IoT cybersecurity can’t be solely viewed as a commercial one, but something with national security implications.
Should regulators have already intervened to ensure that devices are not sold unless they are designed and equipped with strong security features?
We think so.
Studies show that consumers expect security features to be built into their devices before they are sold into the market. But that’s far from reality. There is a growing gap between what consumers think they are buying in the form of tech hardware and what they are actually getting.
At TEHTRIS, we have some experts who made highly skilled penetration tests for years, worldwide. We found many tremendous 0days and we always shared them to the vendors: Apple, Google, Microsoft, Oracle, Intel, Twitter, Facebook, etc. And when we are asked to evaluate the cybersecurity of large scale IoT infrastructures, results can be very special.
Usually, we find complex security issues on the IoT devices themselves, or on the related Fog/Cloud infrastructures, where there are so many internal/external API with many security issues. In the worst cases, we were able to show that we could get a complete access over the IoT fleet. When this is a worldwide alarm home kit system, it implies that we can globally disable alarms on earth, open the doors, watch videos or listen through security cameras, etc. Scary.
The Current State of IoT Cybersecurity Regulations
Currently, here are some examples; showing how various nations are currently regulating IoT:
- California will be the first US state to pass cybersecurity law for IoT devices, titled SB-327 Information privacy: connected devices. The act is set to come into action in 2020 and requires that devices connected to the internet be equipped with reasonable security features.
- Another interesting bill at the US Senate level is the Cyber Shield Act of 2017. This is intended for the Department of Commerce to create a grading system for IoT device security, marking the level of security in each IoT device.
- Member of the US Senate recently introduced another bill – the Internet of Things Cybersecurity Improvement Act of 2019. This will need agencies within the federal government ad vendors providing connected devices to the government to directly communicate cybersecurity risks with any IoT devices.
- The UK government recently launched a ‘Secure by Design’ code of practice for IoT manufacturers to develop IoT devices with baseline security features.
- The EU Cybersecurity Act came into force in June 2019 and supports tailor-made certification schemes for specific ICT products, services, and processes. European Union Agency For Network and Information Security (ENISA) proposed a complete “IoT Security Standards Gap Analysis” to facilitate the adoption of standards and governance of EU standardization in the area of NIS.
There is a widespread cry for regulations in securing IoT. Several issues need to be thoroughly considered when addressing the regulation of these devices. Moreover, the implementation of mandatory security features will have an impact on the speed and cost of innovation.
Therefore, this is a road to lightly wade through.
According to NIST’s 2019 report on Considerations for Managing Internet of Things Cybersecurity and Privacy Risks, there are three fronts on which IoT cybersecurity and privacy need to be established:
- Device security
- Data security
- Individual privacy through the device lifecycle
The report points out that organizations must ensure proper risk mitigation throughout an IoT device’s lifecycle to address the potential risks associated with it. IoT devices are like the new kid on the block.
People in their homes and organizations in their offices are bringing in IoT devices, adding these devices to their network, without realizing the security implications of doing so. These things could be a kettle, your watch, a smart clock on a wall in your home/office.
Now, there is an urgent need to secure these devices because when an attacker manages to break the security of, say, a digital fish tank, they have entered into the network. Now, they can move laterally and gain access to your computer, also connected to the same network.
A chilling fact about the IoT is that we could connect devices with highly sensitive data to a network and then forget about it. This could become an easy gateway for malicious attackers.
What can we as individuals and organizations do to secure IoT apps and devices?
What you can do to safeguard IoT apps and devices
An integrated risk approach is no more an option. While most large organizations stress on a different cybersecurity approach based on region, product, or business unit, we at TEHTRIS beg to differ.
While that approach and philosophy worked once, it has now become obsolete. The IoT is compelling technology, media, and telecommunications leaders to take a close hard look at their decentralized approach to cybersecurity.
Safeguarding the IoT is complicated by the volume and nature of data, a majority of which is held and accessed by third parties. Therefore, organizations are now integrating their approach to cybersecurity with one umbrella-level cyber risk paradigm to address risks at all levels.
IoT is shaping up how we live. Applications are moving from proofs of concept to commercial deployments. Are you ready?