The UK government is moving forward with its plans to create regulation for IoT devices. The move follows a broad global trend to try to lock down the burgeoning but insecure world of the IoT, says Mike Nelson, vice president of IoT Security at DigiCert.
For too long now, Internet of Things (IoT) devices have been thrown to market replete with vulnerabilities that threaten strange new types of catastrophe for users. These range from attacks that leverage the very functionality of an IoT device – such as a hackable car or a doll that can be turned into a remote surveillance device – to events like the Mirai attacks, which threatened internet infrastructure on a large scale. It’s for those reasons that the UK government has stepped up.
The regulations aim to build on 2018’s Code of Practice – Secure by Design – which offered a number of guidelines to IoT device manufacturers, as well as consumers, about how to securely build and use IoT devices. They include suggestions for securely storing credentials and other security data, minimising exposed attack surfaces, ensuring the integrity and continuous updating of the software on IoT devices as well as ensuring secure communication to and from the devices.
The code of practice added that it was being rolled out in the hope that people would comply, and that if they didn’t, the government would start to make those guidelines mandatory. It seems that’s finally happened, and regulators will now make at least three of those guidelines compulsory.
Firstly, IoT passwords have to be unique and not resettable to a factory default, which would otherwise allow an attacker to merely look that password up.
Secondly, manufacturers must have a publicly advertised contact for vulnerability disclosures, allowing bugs to be reported and fixed in good time.
Thirdly, manufacturers must clearly state the minimum length of time that the device will receive security updates, so that consumers can plan for offboarding or make other security decisions on that basis.
The devices that do comply will be able to proudly wear a stamp which signifies a government endorsement of this particular product’s security. It might seem like a simple move, but it’s one that profoundly changes the relationship between IoT security and the consumer.
IoT security left to manufacturers
While IoT security has heretofore been left up to manufacturers and then perhaps enterprise security teams to fix after the fact, Secure by Design’s certification scheme finally puts those security decisions in the hands of the consumer. Now, they can make those decisions before they introduce weakly protected, vulnerable devices into an otherwise secure network.
Now that consumers can take security into account when purchasing IoT devices, it can become a competitive differentiator. Manufacturers until now have created insecure devices largely because it was cheaper for them to do so. There was no market demand to make secure devices and not much that would make it profitable for them to do so.
Labelling devices and introducing security as a competitive differentiator for consumers will force manufacturers to weigh what insecurity costs them against what security earns them, and to think about security from the design stage onwards. Once consumers care, manufacturers are going to start caring too.
Calculation made too late
It’s a simple calculation which has been made far too late. For too long, the buck has effectively been passed to manufacturers to secure their IoT products, with neither a carrot nor a stick to drive them forward. The scheme won’t solve all of the security problems, but it’s a commendable answer to a problem that has dogged this field for a long time. Governments around the world are starting to make sticks, but the clever thing about Secure by Design and its certification scheme is that it comes with a carrot too.
The author is Mike Nelson, VP of IoT Security, DigiCert
About the author
Mike Nelson is the VP of IoT Security at DigiCert, a global provider of digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.
Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.