The number of IoT devices connected to the internet is expected to surge to more than 20 billion by 2020, then explode in the next several years. Some stats forecast at least eight devices per person connected to the internet by 2022.
While these new devices represent increased opportunities for efficiency and productivity in business, adding them to your corporate network comes with an inherent risk. Often, manufacturers racing to keep up with this rapid adoption are not focused on security, and they presently lack specific minimal security standards and regulations they should aim to meet.
Because vulnerabilities in development kits cannot be fixed with patches, IoT devices open the door for attackers to access corporate networks, and enterprise IT organizations find themselves struggling with the added burden and complexity of managing these issues and their implications. Modern chief information security officers (CISOs) are in uncharted territory when it comes to wrangling these standard-less devices.
While IoT devices bring obvious benefits, security researchers have long raised warnings that not all of them pack sufficient security mechanisms to protect and handle the data or telemetry they collect.
IoTs in murky waters
Much like the early explorers who ventured across seas and oceans in hopes of finding new lands and treasures, IoT evokes dreams of improving efficiency and cutting down costs for organizations and average users.
While manufacturers have rushed to create products that pack internet connectivity, not all have considered the security implications of connecting a device to the internet. While laptops and desktop computers are traditionally protected by a security solution, the diversity and fragmentation of IoT software and hardware make it all but impossible to install security solutions on those devices. Increased fragmentation of hardware and software, coupled with the adoption of large-scale open source and tweaked hardware design, means that most manufacturers focus on bringing IoT devices to market at low cost.
IoT devices have taken the world by storm, quickly flooding the market, and there has been little to no standardization of security practices or frameworks designed for these devices. This means IoT manufacturers are not required to enforce even basic security mechanisms in their smart devices, such as strong and unique passwords, encryption or even security updates that fix known vulnerabilities.
Security researchers have proven repeatedly that IoT devices as benign as smart electrical sockets or even doorbells can be vulnerable to hackers and used in coordinated attacks on infrastructures or to compromise user privacy.
The lack of such standards for IoT devices leaves security more as an afterthought for some manufacturers. IoT security by design is rarely included in the roadmap. Rather, it is added afterwards.
Some vendors even have bug bounty programs encouraging security researchers to disclose vulnerabilities in their products and services the vendor might have initially missed, but this practice is only common among large organizations and manufacturers.
Sailing through IoT standards and protocols
Standards and protocols for building more secure IoT hardware and software services are already in the works or proposed by various organizations. A unified security framework that manufacturers can adhere to would let service providers and device manufacturers collaborate seamlessly in integrating and deploying secure digital services for all IoT devices, regardless of industry.
Addressing security in the IoT layer technology stack from early on in the development process of IoT devices can help manufacturers increase the value of their products, and allow organizations and security service providers to manage, control and integrate IoT devices into their infrastructures.
While dozens of alliances and coalitions are forming in the hopes of bringing together the fractured IoT landscape, adoption and enforcement of these well-drafted security standards and protocols remain one of the biggest problems.
Early sailors’ maps were constantly updated, studded with sea monsters and warnings that sailors would fall off the edge of the world if they strayed too far. The world of deployment and enforcement of IoT standards and protocols is in a similar state. Manufacturers regularly make up their own standards, unpatched vulnerabilities create ever-present danger zones, and outlaw armies of attacker-controlled smart devices threaten to push infrastructures and privacy over the edge. A unified framework and established set of best practices can help manufacturers to navigate this uncharted territory.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.