Growing Regulation of IoT Security

By Ofer Amitai

Hopefully, 2018 will mark the start of a new era in Internet of Things security regulation, in which governments, consumers and enterprise customers will begin demanding protection from device manufacturers.

While regulations governing Internet of Things (IoT) security features are beginning to be drafted, there is still not enough demand from the consumer side to warrant manufacturers' investments in security features. This raises a major question for 2018: whether more governments, following the lead of the United States and the European Union, will begin issuing security regulations for IoT device manufacturers that protect consumers and companies from digital, and even physical, risk.

Therefore, together with GDPR and other compliance regulations, we are likely to see more governments and industry authorities, such as the National Institute of Standards and Technology (NIST), stepping up in 2018 to enforce privacy, safety and security regulations on IoT manufacturers. This may also result in an increase in the price of IoT devices, which up until this point have been relatively low, as manufacturers struggle to retrofit compliance with the regulations that come into effect.

The IoT—devices and sensors that connect, transmit and store information on the internet—is one of the major technology trends of the last decade. With Gartner predicting that IoT technology will be in 95 percent of electronics for new product designs by 2020, it's time to come to terms with the fact that the IoT is becoming an integral part of our digital and daily lives.

As with many innovative technologies, the benefits arising from the IoT are myriad—namely, increased efficiency, productivity and data-processing capabilities—but progress comes at a price, and in the case of the IoT, that means security. As the documented cases of IoT security vulnerabilities stack up, ranging from distributed denial-of-service (DDoS) and ransomware attacks to attacks on personal safety (demonstrated with the car wash hack at Black Hat 2017), the conversation around the IoT is shifting toward security concerns—namely, regulations for device manufacturers.

Slow and Steady Wins the Race
While it may seem simple enough to issue regulations requiring increased security for IoT devices, the current industry landscape indicates differently. To encourage IoT adoption early on, most major device manufacturers did not limit the use cases for their devices, developing devices that run on open and easily accessible platforms, use default access credentials, and operate on simple central processing units (CPUs). The result is that IoT devices are widely adopted as the next breakthrough technology in the smart home, office and factory, and carry a reasonable price point (in most cases), but are inherently insecure due to their fragile and usually simplistic computing structure.

The interesting bit is that although the term "Internet of Things" was coined in 1999, the first mentions of regulations only began appearing in 2016, some 17 years later. The London-based GSMA, a global trade body that represents the interests of mobile network operators, released a document in February 2016 that outlined IoT security guidelines and assessment, seeking to "promote best practice for the secure design, development and deployment of IoT services, and providing a mechanism to evaluate security measures." However, the document suggests more than it obligates, and as many IoT manufacturers have expressed, unless they feel pressure from the market, the responsibility for IoT security will fall on consumers, businesses and governments.

The European Union has issued position papers on the topic. An initiative led by the European Union Agency for Network and Information Security (ENISA) and GDPR regulation stipulates rules for how private and personal data collected through IoT devices can be used, and calls for real-time IoT device monitoring.

The United States is a different story. The first discussions of security regulations for the IoT surfaced at the beginning of 2017 with the first Federal Trade Commission (FTC) enforcement complaint against a computer networking equipment manufacturer that failed to undertake "reasonable steps needed to secure wireless routers or IP cameras from 'widely known and reasonably foreseeable' risks of unauthorized access." While this wasn't the first case brought to the FTC in the IoT space, as the FTC began addressing the issue as it pertains to consumer devices in 2015, it was one that got the U.S. government talking because it was brought against D-Link, a popular device and appliance manufacturer.

NIST has issued several reports governing specific IoT security issues, but has yet to issue directives or legal standards governing the manufacture of IoT devices. Furthermore, there are a number of independent IoT security projects, such as the Open Web Application Security Project (OWASP) and the Secure Internet of Things Project (SITP) that attempt to help the general public better understand security issues and vulnerabilities.

Amidst all this pseudo-regulatory soup, and as a result of major debilitating cyber-attacks made possible by IoT security loopholes (such as the infamous Mirai botnet), the United States and even some state governments have decided to step in. California, the home of high-tech innovation, was the first governmental authority to react with Senate Bill 327 in May 2017; the bill mandates privacy by design for IoT devices, as well as built-in security features from device manufacturers that are appropriate for the device and the information collected. This summer, the U.S. Senate began debating and drafting the Internet of Things Cybersecurity Improvement Act of 2017, bipartisan legislation to force vendors to establish basic security principles and uphold certain requirements if they want to sell to the government market.

However, the latter point on government usage is really the bottom line of the IoT security regulatory debate; it is likely that every industry will have to develop IoT security standards based on their level of usage, information collection and network type, so as not to inhibit the very goals that IoT sets out to achieve: greater productivity and technological innovation.

The Great Regulation Debate?
The funny thing is that security and computing experts that oppose government regulation are hard to come by. Even prominent anti-regulation industry figures like Bruce Schneier, the CTO of IBM Resilient, have called for regulations due to unprecedented growth of the IoT attack surface. At the RSA North America conference last February, Schneier said, "You can't talk about regulation versus no regulation—that ship has sailed. Now it's about smart or stupid regulation." The consensus is that neither competitor nor consumer pressure will force device manufacturers to integrate security features into their products, making it a "negative externality" for the IoT market.

That being said, the question remains of how IoT security regulations can be integrated into IoT products without affecting their price or features. One possibility is for IoT devices in the enterprise, such as automated heating, ventilation and air-conditioning (HVAC) systems, industrial machinery and other data-collecting tools, to be regulated with standards particular to each industry. This, paired with secure integration guides, the employment of security specialists, and network visibility, segmentation and device remediation solutions, could help more businesses (though mostly medium- to large-sized companies) control the IoT on their networks.

Things are a bit stickier in the consumer sector, as demand for smart products rapidly increases and awareness of the potential effects of an IoT breach is much lower. For this reason, IoT manufacturers should be required to issue educational campaigns on the cyber risks their devices present, suggesting ways to keep data protected while productively engaging with their product. Furthermore, governments, standards authorities and independent groups should come together to draft an effective strategy on how to push device manufacturers on the security issue.

Brainstorming meetings on the topic are already occurring around the world, but the immediacy of the issue isn't stressed enough. With the Mirai botnet, and now Reaper/IoTroop, as well as other examples at our backs, it's clear that the IoT has the potential to threaten not only private information, but entire infrastructural systems and even the internet itself if its vulnerabilities are not contained.

Hopefully, 2018 will mark the start of a new era in IoT security regulation in which not only governments, but consumers and enterprise customers, will begin demanding protection from device manufacturers. Just to be clear, the goal is not to completely inhibit IoT innovation, because the benefits of the technology are widespread and welcomed, but to create technologies, standards and practices that will allow for the safe deployment of the IoT, wherever that may be.

Ofer Amitai is the CEO and co-founder of Portnox, where he is responsible for day-to-day operations and setting the company's strategic direction. He has more than 20 years' experience in network security, during which time he established the first IT security team in the Israeli Air Force, managed the security division at Xpert Integrated Systems and served as Microsoft's regional director of security. Ofer is a proven innovator and thought leader in network security. He holds a B.Sc. degree in computer science.