The IoT Security Foundation announced the launch of its vulnerability disclosure platform, VulnerableThings, for consumer IoT in October. The platform prepares vendors for IoT security regulations and provides an easier way for security researchers to report vulnerabilities.
Although organizations already use available vulnerability disclosure reporting processes and resources -- such as Mitre's common vulnerabilities and exposures program or NIST's National Vulnerability Database -- the IoT Security Foundation intends to simplify the difficulties researchers and vendors must navigate. The platform guides manufacturers with policy templates and prompts to resolve consumer IoT vulnerabilities and comply with industry standards. Security researchers can submit vulnerabilities and track the manufacturer's progress in resolving them.
"Anytime you have the ability to do public disclosure of vulnerabilities, that ultimately leads to a stronger and stronger security model. It'll take time for the platform to get accepted and used, and it'll take time for those disclosures to get reported. It's not a solution that solves a problem overnight, but it is a move in the right direction," said Merritt Maxim, vice president and research director at Forrester Research.
Vulnerability management is a recognized basic security practice. All IoT manufacturing team members, including the board of directors, supply chain managers and product security staff, must understand coordinated vulnerability disclosure to protect their products.
"Whether you choose VulnerableThings to help you along the way or not, make sure you have a channel for reporting issues in the wild and the processes in place to resolve them. This is necessary to protect your business, your customers and the wider IoT ecosystem from attack," wrote John Moor, managing director at IoT Security Foundation, in an email.
Why an IoT vulnerability platform matters to enterprises
The VulnerableThings platform focuses on consumer IoT, but overall IoT trends make connected product security a growing consideration for enterprise organizations.
"[IoT Security Foundation has] targeted the consumer IoT sector initially because that is where we see regulation coming first -- the preparatory stages are well underway across several geographies and we know there is a real appetite here in the U.K. to get this in place as soon as practically possible… VulnerableThings seeks to address those real and practical issues across all IoT sectors," Moor said.
IT and operational technology (OT) teams converge when organizations introduce IoT devices, and the COVID-19 pandemic forced home networks with smart devices into the mix.
"With global lockdowns earlier this year, everybody started working from home. Suddenly, people were managing nuclear facilities from their kitchen table. You have to think about a new security approach, because you now have the IT, the OT and let's call it HT -- home technology -- converging in as well," said Johan Vermij, senior research analyst at 451 Research.
Smart home consumer devices introduce technology to enterprise networks beyond the typical BYOD policy. Many employees might have Amazon Alexa, Google Assistant and smart doorbells or security devices within hearing or viewing range of their work computers and connected to the same network. Working from home raises questions of whether organizations must manage personal security networks with consumer IoT and how it affects employee privacy, Vermij said.
Organizations have started to think about what kinds of policies they might need to manage home devices, Maxim said. They might list certain brands known to be less secure and prohibit them on home networks. It would be hard to enforce, but an IT admin might use such information to guide policy around smart device use.
With a public vulnerability reporting platform focused on consumer IoT, manufacturers will likely step up their secure development, which carries over into their enterprise products, Vermij said.
Manufacturers don't always prioritize the security of IoT products because it's an additional cost. They might offer security features as an addition to the product, but consumers and enterprises must pay extra. If security becomes a larger priority in the manufacturing process, then IoT can benefit, Vermij said.
Awareness remains a security issue
Despite the number of cyberthreats and the best practices to secure devices, analysts still name security awareness as IoT security's primary risk.
The "Voice of the Enterprise: IoT, The OT Perspective, Use Cases and Outcomes 2020" survey from 451 Research in August found that 26% of respondents said that security concerns are the biggest inhibitor for deploying IoT projects, Vermij said.
Many organizations struggle to secure the thousands of devices they deploy, and as they try to scale up, the devices become more difficult to manage.
"We do have these tools to manage the risk, but [organizations] don't know what their risk is, especially if you look at factories with legacy equipment," Vermij said.
Legacy equipment often predates the internet, and machine operators might not know what these machines could do once connected. Organizations also have IT security specialists, but the security risk of a conveyor belt with sensors differs from that of an email program, Vermij said.
One of the top security concerns is user behavior. For workers on the machine floor, security is often a nuisance, and they feel it keeps them from completing tasks efficiently, Vermij added. If workers don't care and view security as the employer's concern, organizations will have trouble implementing security policy.
"If you can get that security awareness into [workers'] own lives and have them think of the security of the things they buy, then it could boost on how they think about security in their office as well," Vermij said.
Whether with consumers or the enterprise, security and privacy are usually the single biggest concern with IoT device deployment, or at least almost always in the top three, Maxim said.
Such IoT vulnerability platforms continue to highlight security issues, and as these offerings grow, device manufacturers have started to prioritize security measures and bring awareness to organizations.