17 Feb 2020

Security of IoT devices should be an intended side-effect

Guest Blog: Arun Sambodaran, Senior Technical Consultant – Connected Devices at Gemserv as part of our #StayingSafeOnline campaign week.

It’s hard to ignore the hype that’s surrounded the Internet of Things (IoT) over the past few years. As with any new technology, businesses and consumers alike have become inundated with products and services for which “speed to market” was clearly the only driver.

Today, good progress is being made on both sides; IoT solution providers are becoming more aware of evolving best practice, while businesses and consumers are getting better at due diligence, questioning further to find out if the product or service they’re procuring is robust and fit for purpose.

Last year, there were two signs that the IoT market is maturing. The first was the increase in investment activity, with acquisitions by both foreign investors and incumbents looking to diversify their range of products and services. The other was the UK Government taking steps to trial initiatives that will inform policy, prove business models and shape future regulations.

Pro-innovation guidance

Back in May 2019, the UK Government launched a consultation on the regulation of security for consumer IoT devices and services. The European Telecommunications Standards Institute (ETSI) has since turned the voluntary code on IoT security that preceded it into the snappily titled TS-103-645 specification. Australia and several cities in the United States are also rooting their policies in similar privacy and security frameworks for connected devices.

This month, the UK became the first country to commit to legislating for the top three principles of the Secure by Design code, which are:

  • no default passwords;
  • implement a vulnerability disclosure policy; and
  • keep software updated.
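As an added illustration of the first principle (not code from the blog or from Gemserv), the snippet below models the first-boot credential step a device firmware can enforce: the factory image refuses any password from a small constructed list of common defaults, rejects passwords that embed the device serial, and instead provisions a per-device random password stored only as a salted PBKDF2 hash. The default list, serial format and policy thresholds are assumptions chosen for the example.

```python
"""First-boot credential policy for a connected device (illustrative example)."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample of factory defaults a shipping image must never accept.
# Assumption: a real product would source this list from its own threat model.
FACTORY_DEFAULTS = {"admin", "password", "1234", "12345678", "default"}

PBKDF2_ROUNDS = 200_000  # assumption: tuned for the device's CPU budget


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_initial_password(candidate: str, device_serial: str, min_len: int = 12) -> PolicyResult:
    """Return why a proposed initial password violates the 'no default passwords' rule."""
    reasons = []
    if candidate.lower() in FACTORY_DEFAULTS:
        reasons.append("matches a known factory default")
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if device_serial and device_serial.lower() in candidate.lower():
        reasons.append("contains the device serial (printed on the label)")
    if len(set(candidate)) < 4:
        reasons.append("too little character variety")
    return PolicyResult(ok=not reasons, reasons=reasons)


def generate_unique_initial_password(length: int = 16) -> str:
    """Per-device random password; ambiguous glyphs (0/O, 1/l/I) are left out for the label."""
    alphabet = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def store_credential(password: str) -> dict:
    """Persist only a salted PBKDF2-HMAC-SHA256 digest, never the plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_credential(password: str, record: dict) -> bool:
    """Constant-time comparison against the stored digest."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), PBKDF2_ROUNDS
    )
    return secrets.compare_digest(digest.hex(), record["hash"])


def provision_device(device_serial: str) -> dict:
    """First-boot flow: generate, validate and store a unique credential for this unit."""
    while True:
        candidate = generate_unique_initial_password()
        if check_initial_password(candidate, device_serial).ok:
            return {"serial": device_serial, "credential": store_credential(candidate),
                    "label_password": candidate}


if __name__ == "__main__":
    # Constructed serial for demonstration.
    unit = provision_device("SN-000123")
    print("rejects 'admin':", check_initial_password("admin", unit["serial"]).reasons)
    print("label password verifies:", verify_credential(unit["label_password"], unit["credential"]))
```

The same check runs again whenever a user changes the password later, so the device never drifts back to a shared default after a factory reset.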

Global IoT standards are also emerging and mapping across existing enterprise standards such as ISO27001 and NIST (National Institute of Standards and Technology) frameworks. Several cloud and silicon vendors have aligned their best-practice frameworks to support companies and organisations of all sizes that are deploying these emerging technologies. Certification Bodies such as the British Standards Institution (BSI) and Underwriters Laboratories (UL) have been busy implementing certification tracks to help businesses comply with standards.

None of these requirements should sound new or unreasonable, since they have largely applied to the software and application services market for decades. Part of the industry still thinks the push does not go far enough and that manufacturers should adopt more “secure by design” principles to ensure services and products protect the privacy of the user and secure them from preventable security breaches.

Thinking outside the box

From a procurement perspective, businesses are grappling with a question of priorities: do they want to promote good – and, maybe, harder – security requirements over other parameters, such as cost and convenience? There’s a balance to be struck; companies clearly want to become smarter and more successful by adopting these technologies. In doing so they are aiming to provide better services to their customers and improve their operational efficiencies.

When designing a connected product or service, decision makers generally tend to focus on business model and profitability. Assurance usually only comes once the strategy and design cycles have been completed. Yet other factors become paramount when you’re deploying a solution across thousands or even hundreds of thousands of locations – such as homes, buildings or public infrastructure – rather than just a proof of concept. It is therefore vital to consider, at the design stage, questions such as: is the solution scalable? Can it withstand wide-scale attacks? Can the data be protected from customer to cloud? And can every element recover from downtime?

Next steps

Part of the solution is to have the right guidance to help you ask the right questions at the right time. If questions about security are considered at the strategy and early design stages, then you are more likely to embed robust assurances and get it right from Version 1.0. This means that the product or service being developed will not only withstand the nuances of the current environment but will also be well equipped to adapt to the unknown variables of complex future environments.

It also becomes easier to build a solid business case to invest in emerging technologies and successfully deliver the transformational programmes you set out to implement in the first place.
