It’s no secret that there are significant concerns with Internet of Things (IoT) security. The concerns stem in part from several high-profile incidents. Late last year, for example, attackers exploited a vulnerability in a brand of IoT cameras to launch a DDoS attack on the website of security expert Brian Krebs. The following month, the Mirai botnet arranged 100,000 IoT devices to launch an attack on DYN, the DNS provider.
The industry has responded with numerous efforts and initiatives. Here’s a summary of some of those efforts.
Industry Initiatives Promote IoT Security in IoT Devices and Solutions
About a year ago, the Cloud Security Alliance released a 75-page report describing how manufacturers can develop secure IoT products. In January, Online Trust Alliance (OTA) updated its IoT Trust Framework to provide guidance on how to develop secure IoT devices and assess risk.
The following month the GSM Association (GSMA) released its IoT Security Guidelines. The GSMA brings extensive experience guiding the development of security solutions from the mobile sector. The specification aims to do the same for IoT by promoting best practices around securing IoT services. The group also provides an IoT security assessment for IoT vendors to evaluate themselves.
Government Action Helps Enforce IoT Security
Also in January, the U.S Federal Trade Commission (FTC) filed a lawsuit against an IoT manufacturer for in part making “deceptive claims about security of its products.” The lawsuit’s effect is expected in part to encourage the development of better, more secure IoT devices.
While the lawsuit might be the proverbial stick, the FTC also has its carrot. The IoT Home Inspector Challenge, for example, was a competition arranged by the FTC to encourage the development of technology tools to help protect consumers against the risks posed by out-of-date IoT software. (The winner of the challenge was a mobile utility for users with limited technical expertise to scan and identify home Wi-Fi and Bluetooth devices with out-of-date software and other common vulnerabilities. The software then provided instructions on how to update each device’s software and fix other vulnerabilities.)
The Department of Commerce’s Internet Policy Task Force, under the auspices of the National Telecommunications Information Administration, is reviewing “the benefits, challenges, and potential roles” for the government in advancing IoT. The group is working with various stakeholders to increase consumer awareness around the importance of security upgrades for IoT devices.
The British government issued guidelines for securing Internet-connected vehicles. According to Reuters, the government’s aim is to ensure that engineers seek to design out cyber security threats as they develop new vehicles. The new guidelines also include making the systems able to withstand receiving corrupt, invalid or malicious data or commands, and allowing users to delete personally identifiable data held on a vehicle’s systems, notes the report.
The Internet of Things Cybersecurity Act of 2017 introduced in August, represents an effort to establish industry-standard protocols and require IoT manufacturers to disclose and update vulnerabilities. The act looks to leverage the government’s buying power to drive change by requiring compliance by IoT devices purchased by the US government, notes Brian Krebs.
The General Data Protection Regulation (GDPR) has a number of requirements relating to the use of IoT within the EU. The regulation will take effect in May 25th, 2018.
Think we’ve missed some? Let us know. We’ll be growing this list regularly.
Read about IoT Security Best Practices