Isn’t it Time IoT Devices Were ‘Secure by Default’?

  • techUK
    Friday 05 Jan 2018
    Opinions

    Security continues to be a key consumer concern. But what does this mean for devices and the companies innovating in this space? Gemserv’s Sean Gulliford takes a look.

The Internet of Things (IoT) has incredible potential to impact and improve the way we live, with innovative solutions being proposed across multiple market verticals. However, for the IoT to reach its full potential, security must be taken more seriously.

You wouldn’t consider connecting a PC to the internet without first ensuring that the latest updates had been applied and some form of anti-virus software installed. So why do consumers and businesses connect IoT devices to the internet without the same consideration?

The first thing to realise is that, at the network level, there is very little difference between a PC and an IoT device. Both communicate using standard protocols, so once connected either can reach, and be reached by, any other device on the internet; both essentially speak the same language; and both are defined by the software that specifies their function.

However, unlike PCs, which have the resources to run additional anti-malware applications, IoT devices can be resource constrained, and therefore it is important that security is built in from the start. Any IoT device should therefore be “Secure by Default”, meaning that it meets a certain level of security without requiring intervention from the user. As a minimum this should include:

  • Protected access to the device via a unique password, not a default password shared across multiple devices.
  • The capability to support secure remote updates.
  • The ability to encrypt and protect the sensitive data it handles.
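The second requirement, secure remote updates, is the one most often got wrong, so here is an added example (not from the article or from Gemserv) of the checks a device should run before it writes a new image. The manifest format (a version number, the SHA-256 of the image and an Ed25519 signature over both) is an assumption of this example; the device holds only the vendor's public key, burned in at manufacture, and binding the version into the signed data is what stops replay of an older, still validly signed image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the assumed update metadata that the vendor signs. The device
// never trusts the image bytes until the manifest has been checked.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the signature covers: the version
// (big-endian) followed by the image hash. Because the version is inside
// the signed data, an attacker cannot pair an old signature with a new version.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+len(imageHash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], imageHash[:])
	return buf
}

// SignUpdate runs on the vendor's build server, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// Device models the state a constrained device needs for update verification:
// the vendor public key and the version currently installed (for anti-rollback).
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrDowngrade    = errors.New("update version not newer than installed")
)

// VerifyAndApply is the gate the device runs before flashing. The signature
// over the short manifest is checked first, then the hash of the (possibly
// large) image, then the version policy; the installed version only advances
// once every check has passed.
func (d *Device) VerifyAndApply(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.InstalledVersion {
		return ErrDowngrade
	}
	d.InstalledVersion = m.Version
	return nil
}

// DemoResult collects the outcome of each scenario plus the device's final state.
type DemoResult struct {
	Outcomes     map[string]error
	FinalVersion uint32
}

// Demo exercises the four cases worth testing: a genuine update, an image
// tampered with in transit, a replayed older version, and a manifest signed
// by a key the device does not trust. Keys and images are constructed here.
func Demo() DemoResult {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: vendorPub, InstalledVersion: 3}

	v4 := []byte("firmware v4 (constructed sample image)")
	v5 := []byte("firmware v5 (constructed sample image)")
	out := map[string]error{}

	out["genuine"] = dev.VerifyAndApply(SignUpdate(vendorPriv, 5, v5), v5)

	tampered := append([]byte{}, v5...) // valid manifest, modified image bytes
	tampered[0] ^= 0xff
	out["tampered"] = dev.VerifyAndApply(SignUpdate(vendorPriv, 6, v5), tampered)

	out["downgrade"] = dev.VerifyAndApply(SignUpdate(vendorPriv, 4, v4), v4)
	out["forged"] = dev.VerifyAndApply(SignUpdate(attackerPriv, 7, v5), v5)

	return DemoResult{Outcomes: out, FinalVersion: dev.InstalledVersion}
}

func main() {
	r := Demo()
	for name, err := range r.Outcomes {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
	fmt.Println("installed version:", r.FinalVersion)
}
```

Only the genuine update is applied; the other three are refused before any write, and the installed version ends at 5. A real device would additionally verify the image in place after writing and keep the previous image until the new one has booted successfully, but the three checks above are the minimum that makes "secure remote updates" mean something.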

Consumers should ensure that a device meets these basic security criteria before connecting it. Businesses that host IoT devices must understand that these devices form part of the organisation's IT network, and therefore should be included in any security audit (e.g. ISO 27001).

Whilst the pace of IoT innovation puts pressure on the ability to regulate these devices, it should be noted that the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive both come into force in May this year. Both regulatory measures have the potential to impact IoT devices and systems, for example:

  • Article 32 of the GDPR sets out the requirements for “security of processing” of personal data, specifically listing the key security triad of confidentiality, integrity and availability. Therefore, an IoT device that collects and stores personal data is likely to be required to meet these regulatory requirements.
  • The NIS Directive is concerned with the protection of essential services such as transport, water, energy, health and digital infrastructure against cyber-attacks. IoT devices employed as part of any essential service will likely fall under this Directive.

It should also be noted that the Department for Digital, Culture, Media & Sport (DCMS) is developing a “Secure by Default” code of practice that will provide essential guidance to both businesses and consumers.

In summary:

  • The IoT has enormous potential but more must be done to understand and communicate the potential risks that insecure devices pose.
  • Consumers should be aware of the minimum security requirements for an IoT device before connecting it.
  • Businesses and service providers should ensure that IoT devices are “Secure by Default” and meet best practice requirements.
  • Businesses must include IoT devices in any network security audit and understand the impact of the GDPR and the NIS Directive, coming into force in May this year.

_______

[i] https://www.ncsc.gov.uk/articles/secure-default
[ii] https://gdpr-info.eu/
[iii] https://www.ncsc.gov.uk/information/networks-and-information-systems-nis-directive-security-objectives-and-principles


Post written by Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.

020 7090 1075

sean.gulliford@gemserv.com


This post is part of a recently launched techUK initiative looking at trends in the Connected Home market.


For further information on techUK's Connected Home work contact matthew.evans@techuk.org.
