kras99 - stock.adobe.com
Effective IoT security requires collaboration and clarity
IoT brings benefits to business, government and consumers. But those features shouldn't come at the cost of security or less privacy for its users.
When firefighters arrive at burning buildings, they must contain the blaze, rescue inhabitants and keep calm under pressure. As IoT devices are increasingly deployed throughout cities, firefighters could have access to more information that could save more lives and lead to less lost property through use of real-time data about surroundings impacting people in need.
In an emergency where IoT devices are available, responders can use the data collected to have a more efficient and often more successful response. Responders can learn about the occupancy of a building via occupancy sensors, surrounding infrastructure from utility and traffic light sensors, and the status of victims' health vitals through activity wearables. These previously unavailable real-time insights can help responders better prepare for situations and save more lives.
Life-saving applications such as these can transform how disasters are handled, especially if they are deployed at a large scale, but public safety protection should not come at the expense of compromised security and privacy for businesses, government agencies and citizens.
IoT devices are being deployed at an exponential rate, with 27 billion IoT connections expected by 2025. However, IoT security has not kept up with the torrential pace of innovation. As IoT devices with life-easing and potentially life-saving benefits see more use, the scale at which drastic cybersecurity attacks occur also grows.
To get ahead of security breaches, companies manufacturing these devices have a responsibility to rapidly address the vulnerabilities in their products. The risks of widespread IoT adoption should not outweigh the societal benefits.
Hackers have easy access
When implementing new smart devices into cities and homes, there is often an assumption that those devices have at least a base level of cybersecurity. While industry alliances and government agencies have published various guidelines and cybersecurity standards establishing minimum-level security, many IoT device makers and vendors have not adopted or implemented any of them.
Numerous devices that were previously isolated -- such as refrigerators, gas meters, cars and medical devices -- are now connected but often without rigorous consideration of security frameworks. These devices were never intended to interact with remote, unauthorized users, so access controls and proper credentials management might be weak or nonexistent. Hackers can exploit these simple security vulnerabilities without much effort. It is simple to access, and doing so violates the confidentiality and integrity of private user data and affects device availability.
For example, firefighters can use IoT devices and sensors to gain data about a building's status and inhabitants, but if devices were hacked, the gathered data could be inaccurate or potentially misleading. Firefighters could spend valuable time and energy to locate a person, with incorrect data pointing them to the wrong area. The devices designed to be helpful could become a detriment and hinder the firefighters' efforts to rescue building residents.
Cybersecurity is everyone's responsibility
Attacks on IoT device security can occur at all stages of production -- from the specification and design stage; to fabrication, packaging and testing; to the distribution and integration of end-user products. Chip manufacturers, device manufacturers and consumers each play an important role in IoT device security.
Many of the security shortcomings devices have are the result of unclear guidelines about who is responsible for security decisions. During IoT device development, one company may design the device, while another company provides software, operates the network that supports the device and deploys the device.
The confusion has led to inaction by all parties, especially because there is insufficient incentive to adequately secure products. It is important that industry leaders adopt IoT security standards and work together to address essential areas of improvement.
For many years, the IoT industry has been largely unenthusiastic to self-regulate, and as a result, there are now federal and state policies being introduced to guide security regulation in the industry, including the following:
- IoT devices must only run authenticated code.
- Use only secure interfaces for debugging and communication.
- Secure, remote software update capability is mandatory.
- All devices must have a unique identifier.
- Incorporate a vulnerability disclosure program and product incident response.
These requirements only cover basic needs, but they require device makers and application developers to radically increase the level of security in product development.
Consumers also must maintain their devices and enable devices to update while in use. They should also be vigilant about phishing and social engineering attempts for hacking.
New policies to address IoT security
In the U.S., new policy will require a baseline of cybersecurity protections in devices sold within the country. In May 2021, President Joe Biden issued the "Executive Order on Improving the Nation's Cybersecurity," which calls on agencies to enhance cybersecurity guidelines throughout the software and hardware supply chain.
Manufacturers can now to begin to implement security standards and work with others to create a universal industry standard -- before legislation dictates all requirements. NIST is working with the IoT industry to design, standardize, test and foster the adoption of general methods to protect IoT devices from cybersecurity breaches.
The Department of Homeland Security (DHS) is using NIST's work to create best practices and requirements for all devices sold within the U.S. DHS can only drive private sector industry action up to a certain point, and it is important that industry leaders work together to create and adopt standards for devices sold in the country.
In the European Union, the European Union Agency for Cybersecurity defines standards for common levels of cybersecurity capabilities across Europe. Their defined best practices have been in place since 2017 and are guiding European industry on IoT security fundamentals.
While governments and regulatory bodies can legislate a baseline of security standards, their primary role is to create the right incentives and encourage the development of necessary tools and resources so companies and consumers can make informed decisions. Once policy is developed, leaders in the IoT industry should already have a cybersecurity standard in place that effectively protects consumers' data and enables IoT technology to thrive.
About the author
Sharon Hagi is chief security officer at Silicon Labs and is responsible for overseeing the company's comprehensive cybersecurity strategies and best practices for delivering advanced security technologies and solutions. Hagi has more than 25 years of experience in the cybersecurity industry as a developer, architect and strategist.