It’s Time for an IoT Security Standard
The writing has been on the wall for some time. Worse, the recent DNS attack that brought down portions of the Internet strongly suggests that previously predicted concerns have become unpleasant realities.
The problem? Security, or the lack thereof, for the billions of things getting connected to the Internet. Unfortunately, enormous percentages of smart home security cameras, connected DVRs, industrial equipment controllers, wearables, medical equipment, cars, and many more devices are being put online with little to no security protection.
As a result, many of these devices are subject to hacking, in some cases with potentially life-threatening results. And to make things worse, many are also vulnerable to being silently taken over and reused in other types of cyber-attacks, like the DNS attack that rendered many popular web sites unreachable a little over a week ago.
This nearly complete lack of security has been talked about by some tech industry observers for years. But despite all the talk, little real action is being taken on an industry-wide basis.
Given the seriousness of the problem and its potential impact not only on our daily lives, but also on the security of critical infrastructure and even national security, it’s surprising and somewhat shocking how much inaction there has been. After all, devices that plug into the wall to get power require approval before other companies will sell them in the US, so why shouldn’t any device that gets “plugged” into the Internet require an approval process as well?
Many of the early electrical safety certification tests developed by UL (previously Underwriters Laboratories) were written for the safety of consumers, but the impact on electrical power utilities was likely considered as well. In exactly the same way, IoT security standards need to be developed both for the safety of the individual using a device and for the potential impact on the newest utility in our lives: the Internet.
To be fair, not all IoT security issues carry the possibility of immediate physical harm that electrically powered devices do, but some do. Plus, the potential societal disruption and associated physical threats that an IoT-driven security problem can cause could be much more widespread than anything a single device could create on its own.
Of course, the challenge of creating any kind of security standard is determining what exactly would be included and how it would be measured. Security is a significantly more complicated and nuanced topic than the spread of an electrical charge, but that doesn’t mean the effort shouldn’t be undertaken. It’s just going to take a lot more effort from more people (and companies).
Thankfully, there are several efforts being driven by individual companies to help address some of these security concerns. Chip IP company ARM, for example, whose technology is at the heart of an enormous number of IoT devices, recently added new levels of hardware security to its line of Cortex M microcontrollers. In addition, concepts like a hardware root of trust, trusted execution environments, biometric authentication and more are all being actively deployed by a variety of component and device vendors that feed into the IoT supply chain. While they won’t solve all security issues, leveraging these technologies as a starting point would seem to be a pragmatic approach.
In addition to setting those requirements, determining who administers the testing would have to be resolved. Logically, companies like UL and other members of the Nationally Recognized Testing Laboratories (NRTL) Program would be good choices. A strongly related development would also have to come from those companies who sell and/or install these types of devices. Technically, UL approval is not required to sell a device in the US, for example, but practically speaking, retailers and others who sell these devices are unwilling to accept them without some kind of approval for fear of potential insurance risks. An IoT security standard would require a similar level of support (and initial willpower) to be effective.
It’s certainly naïve to think that a single type of security standard could possibly stave off all the potential security threats that IoT devices are now raising. But it’s equally naïve to believe that nothing can or should be done about the problem. The task won’t be easy and early iterations may not be great, but it’s clear that the time has come to do something. Let’s hope some industry associations and other parts of the tech ecosystem have the guts to get an IoT security standard started and the will to stick it out.