Guest Blog
The law of stupidity goes something along the lines of doing the same thing over and over and expecting different results. Or was that insanity? Oh dear.
When it comes to securing the Internet of Things (IoT), the world cannot afford insanity: expecting different results from the same traditional ICT cybersecurity approaches. No one can afford this.
IoT device designers must embed good security-by-design principles. Good security underpins safety and privacy. Safety and privacy are two product requirements consumers value highly, so IoT producers should be approaching these as potential selling points to differentiate themselves from competitors. We’d all rather drive a vehicle with seatbelts, airbags, traction control, all-wheel-drive and all the other modern safety features than one from the 1940s offering more ‘traditional’ safety options. It’s time for the IoT world to respond.
Security, we are reminded by vendors peddling Fear, Uncertainty and Doubt (FUD), is like shifting sand: an ever-moving target. Self-interest aside, manufacturers still often throw their hands in the air when it comes to security, with excuses like: it isn’t sexy; it doesn’t help sell their widget; it’s costly to implement, comply with and support; or it will slow their speed to market.
So the onus shifts back to the user, the purchaser, who is then expected to implement ‘good’ security policies and practices. Most likely this consumer is mum and dad, who do not yet have in place a household Information Security Management System (ISMS) certified to ISO/IEC 27001, nor the thousands of dollars and countless hours that corporate consumers spend developing such practices.
Facetiousness aside, this transfer of responsibility (blame) but not of risk needs to cease. I am hopeful it will because, much like in traditional ICT cybersecurity, organisations are becoming more aware of the risk to individuals’ privacy, and of the cost and reputational damage should a breach occur; vendors included.
Boards understand that those risks can come home to roost, so the tradition of culling a CIO (or in some cases even a CEO) in the wake of a cyber incident will no longer protect members from regulatory follow-up.
Brand damage has also proven compelling for boards in the wake of breaches.
This, of course, doesn’t help mums and dads out in the consumer world directly, but it should trickle down. Device vendors are starting to realise that embedding good security principles in products isn’t rocket science.
I’m not trying here to kick IoT widget providers; I’m actually trying to encourage them to develop and deliver more secure IoT products and services.
A really encouraging start would be for providers to look at the IoT security documents published by international standards and advisory bodies such as ETSI, ENISA and NIST. The principles and guidelines put out by government agencies and departments around the world, and by industry groups like the IoT Security Foundation (IoTSF), will also be helpful.
Like the Internet itself, IoT knows no boundaries, so IoT security is a global challenge and there’s no point in re-inventing progress already made. Internationally we need to be aligned to lift security for IoT consumers, big and small.
Governments everywhere acknowledge that IoT security is going to be a significant risk if not addressed by industry. In late 2019 the UK, US, Canada, Australia and New Zealand, collectively known as the Five Eyes (FVEY), released a joint statement of intent regarding the security of the Internet of Things.
It recognises that the lack of security in IoT devices is a global issue, encourages manufacturers to incorporate security-by-design, and commits the signatories to seek out opportunities to enhance trust and raise awareness of security safeguards across their respective nations.
Recently the IoT Security Mark organisation put out a call for expressions of interest to participate in a pilot of the IoT Security Trust Mark™ scheme (STM).
The global IoT Security Trust Mark™ certification and voluntary labelling scheme supports the IoT security objectives stated by FVEY. It also follows the conceptual framework for a conformity assessment program set out by the National Institute of Standards and Technology (NIST), which rests on four questions:
- REQUIREMENT: How should it perform?
- DETERMINATION: How do we know it performs?
- ATTESTATION: Who says its performance has been demonstrated?
- SURVEILLANCE: What about assurances next week?
For IoT providers this means they can have their widget put through its paces by an STM Accredited Test Facility (ATF), to ensure that it reflects ‘good practice’ by meeting a current IoT security baseline as set out by bodies such as ETSI, ENISA and NIST.
The IoT Security Trust Mark also means that their further, more ambitious claims about their product’s security have been independently verified. Contrary to popular rumour, the cost and timeframe for this process are capped, to ensure value and timeliness without holding back product release schedules.
For all IoT consumers this means that we can check a participating vendor’s products for their published IoT Security Trust Mark™ on the STM Evaluated Product List (STM-EPL). Furthermore, vendors can voluntarily add the label (an STM QR code) to marketing and product collateral to link a consumer directly to that product on the STM-EPL. This lets IoT consumers quickly check and confirm the certification’s currency at any point in time, using a straightforward traffic-light system: certified, suspended or expired.
“But”, I hear you say, “certifications for security are only good for the day they are issued. Tomorrow there might be an exploit for a new vulnerability.”
This is where the IoT STM scheme’s surveillance component comes in. Global vulnerabilities and exposures are actively monitored by an STM technical Decision Authority (DA), and the vendors of affected certified products are notified. The product’s certification is moved to a suspended state (yellow traffic light) until remediation is achieved. If remediation is not achieved within a given period, the product’s certification expires (red traffic light).
The scheme is global and is supported internationally by Affiliates and Host Country Associations (HCAs): third-party groups seeking to drive the adoption of safe and secure IoT in their regions and territories through awareness raising and engagement with government, industry and consumers.
Enquire today about becoming an IoT Security Trust Mark™ Affiliate, Host Country Association (HCA), Decision Authority (DA), or an Accredited Test Facility (ATF).
Matt Tett
Managing Director, Enex TestLab