Isn’t it Time IoT Devices Were ‘Secure by Default’?

    techUK | Friday 05 Jan 2018 | Opinions

    Security continues to be a key consumer concern. But what does this mean for devices and the companies innovating in this space? Gemserv’s Sean Gulliford takes a look.

The Internet of Things (IoT) has incredible potential to impact and improve the way we live, with innovative solutions being proposed across multiple market verticals. However, for the IoT to reach its full potential, security must be taken more seriously.

You wouldn’t consider connecting a PC to the internet without first ensuring that the latest updates were installed and that some form of anti-virus software was in place. So why do consumers and businesses connect IoT devices to the internet without the same consideration?

The first thing to realise is that there is very little difference between a PC and an IoT device at a network level. Both communicate using standard protocols and, once connected, can communicate with any other device on the internet; both essentially speak the same language, and both are defined by software that specifies their function.

However, unlike PCs, which have the resources to run additional anti-malware applications, IoT devices can be resource constrained, so it is important that security is built in from the start. Any IoT device should therefore be “Secure by Default”, meaning that it meets a certain level of security without requiring intervention from the user. As a minimum this should include:

  • Protected access to the device via a unique password, not a default password shared across multiple devices.
  • The capability to support secure remote updates.
  • The ability to encrypt and protect sensitive data.

Consumers should ensure that a device meets these basic security criteria before connecting it. Businesses that host IoT devices must understand that these devices form part of the organisation’s IT network, and therefore should be included in any security audit (e.g. ISO 27001).
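
One way a business could check a device inventory against the three minimum criteria above during an audit, as an added example that is not part of the original post. The device records, field names and audit key are constructed for illustration; a keyed hash lets identical passwords be spotted without storing the passwords themselves.

```python
import hashlib
import hmac
from collections import defaultdict

AUDIT_KEY = b"constructed-audit-key"  # assumption: secret known only to the audit tool


def fingerprint(password: str) -> str:
    """Keyed hash, so equal passwords match without the password being stored."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()


# Constructed inventory; the schema is hypothetical, not taken from any product.
DEVICES = [
    {"id": "cam-01", "pw": fingerprint("admin"), "secure_updates": False, "encrypts_data": False},
    {"id": "cam-02", "pw": fingerprint("admin"), "secure_updates": False, "encrypts_data": True},
    {"id": "hub-01", "pw": fingerprint("k3V!t9-unique-1"), "secure_updates": True, "encrypts_data": True},
    {"id": "lock-01", "pw": fingerprint("Zq8#unique-2"), "secure_updates": True, "encrypts_data": False},
]


def audit(devices):
    """Return {device_id: [failed criteria]} for the three minimum criteria."""
    # Group devices by password fingerprint to find credentials reused across devices.
    by_pw = defaultdict(list)
    for d in devices:
        by_pw[d["pw"]].append(d["id"])

    findings = {}
    for d in devices:
        failed = []
        if len(by_pw[d["pw"]]) > 1:
            failed.append("shared-password")
        if not d["secure_updates"]:
            failed.append("no-secure-update")
        if not d["encrypts_data"]:
            failed.append("no-data-encryption")
        if failed:
            findings[d["id"]] = failed
    return findings


if __name__ == "__main__":
    for device_id, failed in audit(DEVICES).items():
        print(f"{device_id}: {', '.join(failed)}")
```
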

Whilst the pace of IoT innovation puts pressure on the ability to regulate these devices, it should be noted that the General Data Protection Regulations (GDPR) and Network Information Systems (NIS) directive both come into force in May this year. Both regulatory measures have the potential to impact IoT devices and systems, for example:

  • Article 32 of the GDPR defines the requirements regarding “security and processing” of personal data, specifically listing the key security triad of confidentiality, integrity and availability. Therefore, an IoT device that collects and stores personal data is likely to be required to meet these regulatory requirements.
  • The NIS directive is concerned with the protection of essential services such as transport, water, energy, health and digital infrastructure, against cyber-attacks. IoT devices employed as part of any essential service will likely fall under this directive.

It should also be noted that the Department for Digital, Culture, Media & Sport (DCMS) is developing a “Secure by Default” code of practice that will provide essential guidance to both businesses and consumers.

In summary:

  • The IoT has enormous potential but more must be done to understand and communicate the potential risks that insecure devices pose.
  • Consumers should be aware of the minimum security requirements for an IoT device before connecting it.
  • Businesses and Service Providers should ensure that IoT devices are “Secure by Default” and meet best practice requirements.
  • Businesses must include IoT devices in any network security audit and understand the impact of the GDPR and the NIS directive, coming into force in May this year.

_______

[i] https://www.ncsc.gov.uk/articles/secure-default
[ii] https://gdpr-info.eu/
[iii] https://www.ncsc.gov.uk/information/networks-and-information-systems-nis-directive-security-objectives-and-principles

 

Post written by Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.

020 7090 1075

sean.gulliford@gemserv.com


This post is part of a recently launched initiative looking at trends in the Connected Home market.

 

For further information on techUK's Connected Home work contact matthew.evans@techuk.org.
