Security Standards Are a Must for Consumer IoT


The emergence of every new technology, like IoT, brings security concerns with it. This is because regulation and compliance are often not fast enough to keep pace with changes in technology. With smart technology reaching our homes, there is a need to solidify the security standards involved to mitigate the threat that consumers and their property are exposed to via hacking or other cybercrime activities. Needless to say, “If everything is connected, everything can be hacked.” In other words, the growing number of connected devices will increase our vulnerability to cyber-attacks.

Security Problems

Most consumers assume that security is already built into IoT products. They assume they can buy voice assistants, smart lighting, or security cameras with no set-up or subsequent configuration required. However, this is not necessarily the case. Many take the view that you don’t need to worry about a traditional TV or fridge being secure, so why should you act differently when you plug in your new smart speaker?

Industry alliances and government agencies have published various guidelines and cybersecurity standards. Although these establish a minimum level of security, not all IoT device makers and vendors have necessarily implemented them. This is why we regularly hear stories about the hacking of smart appliances. In India, in the Smart Home market, the number of active households is expected to amount to 66.1m users by 2027. Hence, this will multiply the chances of hacking.

The IoT industry needs to act more speedily with regard to self-regulation on security. Further, governments around the world have felt compelled to step in to ensure that consumers are adequately protected.

Legislation in the Works

Technology laws can be complex. However, it is essential that both industry and consumers understand the implications of IoT security in relation to future regulatory measures:

Secure by Default:

One of the most crucial changes needed is for governments to encourage IoT products that are secure on arrival. New IoT products should function out of the box, with their security features already enabled. This means that once a consumer adds a new IoT device to their network, the device should not require any further configuration. Non-compliance could result in penalties. Besides, this will ensure a real impact on consumers, as any company making or selling IoT devices will want to avoid damaging its brand by failing to meet new standards.

Threat Modelling:

IoT device makers need to consider the threats and risks around how products will be developed, produced, and used. They need to research how consumers will operate the product: what kind of data it will process and who might want to compromise that data. Once companies understand who the most likely attackers are, they can design products that are capable of stopping them.

Breach Readiness and Processes:

Companies must show that they can respond effectively to cybersecurity incidents. They must have an operational security incident response process to address incidents affecting their operations. Further, they should have a product security incident response process to help customers address product-related security incidents.

Secure for Life:

Companies developing products with longer-term deployment periods must demonstrate that, for the duration of these products’ expected lifetimes, they can securely update or upgrade the products’ security. This is in order to keep up with any new threats that might emerge.

Secure Operations:

Technology manufacturers must adopt security practices within their own operations, to ensure the products that they make are secure. For example, if a manufacturer is continuously experiencing internal security breaches due to negligent or compromised network security or a lack of security management processes, it is reasonable to think that its own product security may need to be improved.

Supply Chain Compliance:

Companies must show that they can effectively manage cybersecurity risk across their entire supply chain. Regular accountability checks must be undertaken to monitor compliance with security standards over time, as threats grow and change.

Creating common-sense IoT security guidelines is not simple, but it is achievable. Moreover, there is no doubt that it must be done. Governments across the globe are encouraging and validating the cybersecurity approach many companies in the industry are already taking to secure the IoT. If the industry collectively shares best practices, security technology professionals can help legislators to draft regulations that keep consumers’ data secure while enabling IoT technology to continue to thrive in our day-to-day lives.

About the author:

Manish Kothari is the Senior Vice President at Silicon Labs India.