The Internet of Things (IoT) has incredible potential to impact and improve the way we live, with innovative solutions being proposed across multiple market verticals. However, for the IoT to reach its full potential, security must be taken more seriously.
You wouldn’t consider connecting a PC to the internet without first ensuring that the latest updates were applied and some form of anti-virus software installed. So why do consumers and businesses connect IoT devices to the internet without the same consideration?
The first thing to realise is that there is very little difference between a PC and an IoT device at a network level. Both communicate using standard protocols and, once connected, can talk to any other device on the internet; both essentially speak the same language, and both are defined by the software that specifies their function.
However, unlike PCs, which have the resources to run additional anti-malware applications, IoT devices can be resource constrained, so it is important that security is built in from the start. Any IoT device should therefore be “Secure by Default”, meaning that it meets a certain level of security without requiring intervention from the user. As a minimum this should include:
- Protected access to the device via a unique password, rather than a default password shared across multiple devices.
- The capability to support secure remote updates.
- The ability to encrypt and protect sensitive data.
Consumers should ensure that a device meets these basic security criteria before connecting it. Businesses that host IoT devices must understand that these devices form part of the organisation's IT network, and therefore should be included in any security audit (e.g. against ISO 27001).
Whilst the pace of IoT innovation puts pressure on the ability to regulate these devices, it should be noted that the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Directive both come into force in May 2018. Both regulatory measures have the potential to impact IoT devices and systems, for example:
- Article 32 of the GDPR sets out the requirements for “security of processing” of personal data, specifically listing the key security triad of confidentiality, integrity and availability (together with resilience). An IoT device that collects and stores personal data is therefore likely to be required to meet these regulatory requirements.
- The NIS directive is concerned with the protection of essential services such as transport, water, energy, health and digital infrastructure, against cyber-attacks. IoT devices employed as part of any essential service will likely fall under this directive.
It should also be noted that the Department for Digital, Culture, Media & Sport (DCMS) is developing a “Secure by Design” code of practice for consumer IoT that will provide essential guidance to both businesses and consumers.
- The IoT has enormous potential but more must be done to understand and communicate the potential risks that insecure devices pose.
- Consumers should be aware of the minimum security requirements for an IoT device before connecting it.
- Businesses and Service Providers should ensure that IoT devices are “Secure by Default” and meet best practice requirements.
- Businesses must include IoT devices in any network security audit and understand the impact of the GDPR and the NIS Directive, both coming into force in May 2018.
Post written by Sean Gulliford, Principal Consultant - Connected Devices, Gemserv.
020 7090 1075
This post is part of a recently launched initiative looking at trends in the Connected Home market.
For further information on techUK's Connected Home work contact firstname.lastname@example.org.