IoT security: The lessons to be taken from the finance industry

The latest Internet of Things (IoT) Security Regulations proposed by the Department for Digital, Culture, Media and Sport in January 2020 are undoubtedly a step toward ensuring that internet-connected devices are secure. However, the complex question of where the industry goes from here is threatening the future success of the IoT industry. The lack of penalties or punishments referenced in the draft legislation is an indication of where the roadblocks will form down the line – much sooner than expected. By Galem Kayo - Product Manager for Ubuntu Core at Canonical.

Saturday, 30th May 2020. Posted by Phil Alsop.

From millions to billions-

Cyber-attacks on IoT devices are rising sharply. F-Secure found that attacks roughly tripled in 2019 alone, tipping the number of recorded attack events into the billions. During its own assessment, the UK government found that a ‘worrying number’ of devices still had basic flaws such as default passwords. Too many manufacturers did not tell their customers clearly how long a device would be supported with security updates, nor who to contact when a vulnerability is found. There is clear consensus that regulation in this space is needed in order to bring about sufficient change to protect citizens and the wider economy from harm. But how far can this protection go in the case of these regulations?

What the latest UK regulations entail-

Businesses are not always bound by a single government: they operate internationally and are often driven by market share rather than consumer safety. The very nature of software means there’s no such thing as a flawless device – only devices with undiscovered flaws. Without repercussions for failing to protect their customers, manufacturers of connected devices will simply carry on as they have to date, especially when vast numbers of IoT products are developed outside the geography a given piece of legislation covers.

The latest regulations comprise three main mandates for IoT manufacturers. Firstly, all consumer IoT device passwords must be unique per device and not resettable to any universal factory setting, so that a single leaked or guessed default no longer opens every unit of a product line. Secondly, manufacturers must provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner”. Finally, manufacturers must explicitly state, at the point of sale, the minimum length of time for which the device will receive security updates.
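To make the first mandate concrete, the following added example (written for this page, not code from the article, the UK proposal or Canonical) shows what “unique and not resettable to a universal factory setting” looks like in a provisioning pipeline: a per-device initial password derived at the factory from the serial number under a factory-held key, a device model whose factory reset restores that device’s own provisioned password rather than a shared default, and a batch audit that flags universal defaults and password reuse. The factory key, serial numbers and default-password list are constructed values for illustration.

```python
import base64
import hashlib
import hmac

# Constructed example value. In production this per-batch provisioning key
# would live in the factory HSM and never leave it; it is never written to a device.
FACTORY_KEY = bytes.fromhex("5d2a9b1f0e7c4433a8f1c0d9e6b27a10" * 2)

# Constructed list of the universal defaults a batch audit should reject.
KNOWN_UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root", ""}


def derive_device_password(factory_key: bytes, serial: str) -> str:
    """Derive the initial password for one device from its serial number.

    HMAC-SHA256 keyed with the factory key maps each serial to a different,
    unpredictable value; base32 keeps the 16-character result typeable and
    avoids modulo bias. The result is printed on the device label and stored
    in the device's protected storage at provisioning time.
    """
    mac = hmac.new(factory_key, b"initial-password|" + serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode("ascii")  # 80 bits -> 16 chars, no padding


class Device:
    """Minimal model of the credential state a factory reset must return to."""

    def __init__(self, serial: str, provisioned_password: str) -> None:
        self.serial = serial
        self._provisioned = provisioned_password  # unique per device, written at the factory
        self.password = provisioned_password

    def set_password(self, new_password: str) -> None:
        self.password = new_password

    def factory_reset(self) -> str:
        """Restore this device's own provisioned password, never a universal default."""
        self.password = self._provisioned
        return self.password


def audit_fleet(passwords: dict) -> dict:
    """Flag universal defaults and passwords shared by more than one device in a batch.

    `passwords` maps serial number -> initial password as recorded at provisioning.
    """
    by_password: dict = {}
    defaults = []
    for serial, pw in passwords.items():
        if pw.lower() in KNOWN_UNIVERSAL_DEFAULTS:
            defaults.append(serial)
        by_password.setdefault(pw, []).append(serial)
    reused = [serials for serials in by_password.values() if len(serials) > 1]
    return {"universal_default": defaults, "reused": reused}


if __name__ == "__main__":
    serials = ["SN-000001", "SN-000002", "SN-000003"]
    fleet = {s: derive_device_password(FACTORY_KEY, s) for s in serials}
    print(audit_fleet(fleet))  # compliant batch: both lists empty
    # A batch that shipped with a shared default is flagged instead.
    bad_batch = {"SN-A": "admin", "SN-B": "admin", "SN-C": fleet["SN-000001"]}
    print(audit_fleet(bad_batch))
    dev = Device("SN-000001", fleet["SN-000001"])
    dev.set_password("owner-chosen-passphrase")
    print(dev.factory_reset() == fleet["SN-000001"])  # reset returns the unique value
```

The derivation is deterministic, which is convenient for reprinting labels but means a leaked factory key exposes every password in the batch; generating a random password per device and keeping only a hash of it in the provisioning database avoids that single point of failure at the cost of a lookup when a label must be reissued. Either way, the audit is the check a manufacturer can run before a batch ships to show that the first mandate is met.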

Where the cracks lie-

These regulations are a good baseline for raising basic security measures, particularly for individual devices. However, they are set to cause friction within the IoT industry, especially on the global stage. With governments across the world drafting their own standards and regulations, each national rulebook creates contention for products that are rolled out internationally. This may hinder the development of the IoT industry more broadly: companies that must adhere to fragmented sets of regulations face higher manufacturing costs and longer time to market. According to Hogan Lovells, the EU is currently leading the way on IoT regulatory guidelines, but what happens when China and the US create their own, conflicting sets of legally binding rules?

The latest UK regulations could see manufacturers ‘lowballing’ their stated security lifetimes as a way of complying with incoming laws while avoiding the associated support costs. It is also awkward where the same product carries a different stated security lifetime in different regions, which invites reputational damage. And for smaller businesses, the obligations are even more challenging: to comply, they face the cost of provisioning a unique password for every device and of handling the end-user troubleshooting requests that follow.

The fragmentation may also create a situation in which having to tailor the design or production of IoT devices to different regulations disincentivises businesses from offering those devices in certain markets at all. As 5G technologies become more widespread, a stunted IoT sector could leave a country that falls behind facing real economic damage. Because technology is changing faster than regulators can keep up, it’s time for the industry to reflect on how it can lead the charge itself.

A revolution from within-

Industry moves a lot quicker than government. Businesses need to be at the forefront of security in order to promote a culture of protection. Lessons should be taken from the financial industry, which introduced the Payment Card Industry Data Security Standard to create a living, industry-run certification. The Standard protects cardholder data and helps to prevent fraud, and a merchant that suffers a breach or fails to follow the standard faces financial penalties. According to Varonis, these can range from $5,000 to $100,000 per month until the merchant achieves compliance.

First published in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express, and governed since 2006 by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud. The standard is an example of an industry’s own solution: globally recognised, and successful in ensuring the industry holds itself to account to keep consumers safe.

With over 90% of the 331 IoT manufacturers supplying the UK market lacking a comprehensive vulnerability disclosure programme, the industry is simply not moving fast enough. The IoT industry must embrace the revolution for itself, just as the financial industry did, rather than waiting to be led by government. That is what will prevent the roadblocks that are already forming from derailing the industry completely.