What should proper IoT regulation look like?
James Thorpe
It seems we’re finally getting some regulation around securing the Internet of Things (IoT). Though good initial steps are being taken, regulators are struggling to keep up with the pace of innovation.
Governments and national assemblies the world over are currently in the process of drafting or enacting IoT regulations which aim to enhance security for one of the most promising new areas in digital technology.
The UK is doubling down on 2018 voluntary guidelines by making several of them mandatory for IoT device manufacturers. Elsewhere in Europe, German lawmakers will build on existing cybersecurity laws to include IoT regulations.
California’s new SB 327 law comes into force in January of next year, requiring manufacturers of connected devices to equip them with “reasonable security features”. At the federal level, the US House of Representatives will soon vote on the IoT Cybersecurity Improvement Act of 2019, which would direct NIST (the National Institute of Standards and Technology, the US standards body) to draw up IoT security standards.
In Japan, the government is still working out how it wants to regulate the IoT, but will apparently start enforcing standards at the beginning of 2020. Thai Telecom regulators are also drawing up an IoT regulation.
So, at least something is changing. The state of IoT security has been woeful for too long. Far too many have been far too eager to get their hands on a shiny new device and far too few have stopped to think about security. Manufacturers’ failures in this area have been widely trumpeted around the security community, but too often users have not gotten the message. For a long time, the warnings fell on deaf ears. Now, it looks like government bodies are looking to move the needle and motivate change. It’s about time, too.
The crux of the matter is that the poor security decisions taken by manufacturers are cost calculations. Currently, many feel it is less expensive to ignore good security practices than to follow them. At the end of the day, though, manufacturers will pay for the insecurity of their devices one way or another. Whether that expense comes from an enforcing regulatory body, from legal and reputational damage following an attack, or from paying for proper security upfront, the cost of insecurity will come.
Growing calls for regulation may reverse that cost calculation. Rising costs from regulation targeting insecurity may force many manufacturers to change their approach as poor security becomes more expensive. IoT insecurity will have to hit them where it hurts: the bottom line.
Secure by Design
In recent years, governments have made a number of attempts to encourage manufacturers to incorporate security into their products, with seemingly little effect. Last year, the UK government came out with the appropriately named Secure By Design Code of Practice, a series of guidelines on how manufacturers and consumers should secure IoT devices. The government made it clear that if the guidelines were not followed voluntarily, it would make them mandatory.
That’s exactly what the UK is now doing: the government recently announced its intention to make the top three points mandatory. Under these, IoT device passwords must be unique per device and not resettable to any universal factory default. Manufacturers will also have to provide a public point of contact as part of a vulnerability disclosure policy, and tell consumers how long their devices will receive security updates.
Compliant manufacturers will be able to label their products, ‘Secure By Design’. This change represents a positive step for IoT security, allowing consumers to begin judging the security of the IoT products they use. In the long term, it will make security a metric in consumer decisions. Once consumers care, manufacturers will, too.
Secure By Design has its own weaknesses, but is a commendable start to a real need in the IoT space. It correctly recommends, for example, the elimination of hard-coded passwords and promotes secure credential storage—two critical steps in securing IoT devices.
What’s more, it’s a great foundation to build on. ETSI has published a new “global standard” for consumer IoT security (ETSI TS 103 645) which builds directly on the UK government’s code of practice. Despite this forward movement, there are a number of further requirements that regulators should consider as they move ahead.
Mandating strong authentication for users and any digital connection, for example, would be a step in the right direction. Knowing that only trusted actors and messages have the capability to make their way into devices would go a long way toward securing the IoT.
The value of encryption
How the device handles confidential data is another important area: encryption should always be used for data both at rest and in flight. The ability to patch a device, and in particular to update its firmware, is another essential security capability, and one that is embarrassingly rare in many IoT devices.
The integrity of the data and of the device’s operation will also be important. Ensuring that firmware is tamper-evident, so that the device refuses to run an image that was not signed by the manufacturer, and that any data going to and from the device is delivered without outside manipulation, is critical.
Looking ahead, many IoT devices will have long shelf lives. Regulators should start thinking about whether devices will be ready for the threats of tomorrow, rather than just patching the vulnerabilities of today. This matters especially for safety-critical devices deployed for long periods in industrial environments, which may still be in service when quantum computers are able to break today’s public-key algorithms. Authorities should think about how to keep manufacturers’ and users’ sights on the horizon by recommending quantum-resistant strategies and cryptographic agility, so that a signature or key-exchange algorithm can be retired and replaced without redesigning the device.
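The two preceding points, firmware integrity and cryptographic agility, are easiest to see together in code. The following Go program is an added example written for this page; it is not code from DigiCert, the UK government or ETSI, and the image layout (a 4-byte algorithm identifier, a 4-byte signature length, the signature, then the payload) is an assumption made for illustration, not a published format. The signature covers the algorithm identifier together with the payload, so an attacker cannot swap the identifier after signing, and the set of accepted algorithms is a table that a later firmware update can shrink (retiring a broken algorithm) or grow (adding a post-quantum scheme) without touching the parsing code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Algorithm identifiers for the hypothetical image format used in this example.
// AlgLegacy stands in for an algorithm that has been retired: it is deliberately
// absent from the verifier table below, so images claiming it are rejected.
const (
	AlgLegacy  uint32 = 0
	AlgEd25519 uint32 = 1
)

// verifier checks sig over msg with the given raw public key bytes.
type verifier func(pub, msg, sig []byte) bool

// verifiers is the device's table of accepted signature algorithms. Cryptographic
// agility means this table, not the image parser, changes when an algorithm is
// retired or a new one (for example a post-quantum scheme) is introduced.
var verifiers = map[uint32]verifier{
	AlgEd25519: func(pub, msg, sig []byte) bool {
		// ed25519.Verify panics on a wrongly sized key, so check the length first.
		return len(pub) == ed25519.PublicKeySize &&
			ed25519.Verify(ed25519.PublicKey(pub), msg, sig)
	},
}

// signedBytes returns alg || payload, the exact bytes the signature covers.
// Binding the algorithm identifier into the signed data prevents downgrade by
// rewriting the header of an otherwise valid image.
func signedBytes(alg uint32, payload []byte) []byte {
	msg := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(msg, alg)
	copy(msg[4:], payload)
	return msg
}

// NewVendorKey generates the manufacturer's signing key pair (constructed for
// the example; on a real device only the public key would be burned in).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side signer. It always signs with Ed25519 but writes
// whatever alg identifier it is given, which lets the tests construct an image
// that claims a retired algorithm.
func BuildImage(alg uint32, priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, signedBytes(alg, payload))
	img := make([]byte, 8, 8+len(sig)+len(payload))
	binary.BigEndian.PutUint32(img[0:4], alg)
	binary.BigEndian.PutUint32(img[4:8], uint32(len(sig)))
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is the device-side check run before an update is installed. It
// returns the payload only if the header parses, the algorithm is still accepted
// and the signature verifies over alg || payload.
func VerifyImage(pub, img []byte) ([]byte, error) {
	if len(img) < 8 {
		return nil, errors.New("image too short")
	}
	alg := binary.BigEndian.Uint32(img[0:4])
	sigLen := binary.BigEndian.Uint32(img[4:8])
	if uint64(sigLen) > uint64(len(img)-8) {
		return nil, errors.New("signature length exceeds image")
	}
	sig := img[8 : 8+sigLen]
	payload := img[8+sigLen:]
	verify, ok := verifiers[alg]
	if !ok {
		return nil, fmt.Errorf("algorithm %d is not accepted on this device", alg)
	}
	if !verify(pub, signedBytes(alg, payload), sig) {
		return nil, errors.New("firmware signature verification failed")
	}
	return payload, nil
}

func main() {
	pub, priv := NewVendorKey()
	img := BuildImage(AlgEd25519, priv, []byte("constructed firmware payload v1.2.3"))
	if _, err := VerifyImage(pub, img); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("accepted: signature valid and algorithm current")
	}
	img[len(img)-1] ^= 0x01 // tamper with one payload byte
	_, err := VerifyImage(pub, img)
	fmt.Println("after tampering:", err)
}
```

On a real device the public key would live in write-protected storage or a hardware root of trust, and the same table-driven approach would be applied to the TLS configuration so that the transport algorithms can be rotated on the same schedule as the firmware signing ones.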
It’s also important to point out that security is a collaborative discipline. The fact that much of the responsibility lies with the manufacturers doesn’t mean that users are completely off the hook for their own security. Our recent State of IoT survey found that many organisations struggle with the lack of standards in this space—and are in real need of guidance as to how to securely implement IoT projects. Standards bodies will need to pick up the slack here.
Each industry will require different variations in its own guidelines, presided over by its own regulatory authority. Medical devices and equipment used in public utilities, for example, will require specific security requirements that consumer devices may not need.
The advent of IoT regulation is a positive step. We’ve yet to see the wholesale outcome of the trend but, at the very least, it signifies an increasingly broad awareness of the IoT’s risks.
The fact that governments around the world are realising these problems at the same time may help further secure the complex transnational supply chains that insecure devices often travel through on their way to market.
With any luck, that kind of awareness will trickle down from governments to users, who will start holding manufacturers and retailers accountable for producing and selling insecure devices. As said before, IoT insecurity is a cost calculation: the more expensive it becomes for manufacturers to ship weak or absent security, the safer we will all be.
By: Mike Nelson, VP of IoT Security, DigiCert.