IoT security: Decisive action is needed
In recent years, the number of internet-connected devices has soared from millions to billions. A range of smart gadgets has become popular among consumers, and industries are increasingly moving from IoT proof-of-concept to production.
Thirty-eight percent of enterprises have company-wide IoT deployments in production today, according to a report by Zebra Technologies. Eighty-four percent expect to complete IoT implementations within two years. Use cases range from self-monitoring refrigeration systems that can predict operational problems and proactively schedule maintenance to connected factories that can track thousands of machines and pieces of equipment in real time.
But security vulnerabilities are threatening to tear down IoT’s progress, especially as it moves into B2B spaces and industrial sectors where the risks and stakes are much higher.
A study by security company Gemalto found 90% of consumers lack confidence in the security of IoT devices. Nearly two-thirds of IT professionals surveyed by security vendor Pwnie Express reported more misgivings about device threats in 2018 than they had the year before.
It seems inevitable that IoT security will command more and more government attention. The attack surface is growing exponentially, yet much of the public is unaware that connected devices can be used to attack other devices. And the industry hasn’t done enough to address device security. This combination is putting pressure on legislators and regulators around the world to intervene.
Lawmakers find themselves trying to fill a vacuum left by the unanswered question of who is responsible for IoT security standards.
Gartner has described what it calls “disturbing trends” in IoT, including that “product and service vendors are paying little attention to scenario- or vertical-specific requirements for IoT security” and “technical standards and frameworks for IoT security are almost nonexistent or beta editions.”
Thus far, however, companies have faced little concrete legal obligation to build stronger security into devices. It’s still common for devices to ship with hardcoded passwords or standard admin passwords that hackers can figure out and exploit too easily. When a security compromise is discovered, updates aren’t always rolled out in a timely manner, and sometimes not at all.
The landscape is dotted with a few new laws and regulations, such as a California law mandating that manufacturers of any internet-connected devices include “reasonable” security features, including unique, user-set passwords for each device rather than generic default credentials that are easier for an intruder to discern. Some security experts, however, have criticized the law as too weak.
There’s a lot more to be done. But it will be interesting to see just how aggressively governments push. Will they rely on stronger laws to force the industry to more effectively tackle IoT security? Or gentler approaches, like the United Kingdom’s government website that provides a voluntary code of practice?
So, what will it take to boost IoT security?
Strong action may be required to get the industry’s attention. A major IoT security incident, of course, would add urgency to the situation, but to date there hasn’t been one that has attracted international attention in the same way as high-profile attacks on retailers, social media sites, government agencies and others in recent years.
The wheels of government often move slowly. However, the paradox of growing IoT adoption and heightening security concerns is creating pressure for governments to do more. The issue is almost certain to come to a head, and soon.
Security must take precedence over innovation if confidence in IoT is to grow and severe security issues are to be avoided. If we get this right, though, adoption will continue at an exponential rate.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.