
The UK Edges Closer to New UK Regulations on IoT Security

IoT and OT devices now outnumber conventional computing devices such as PCs, smartphones, and laptops by two to one, a ratio that will rise to three-to-one by 2025. Is regulation now overdue?

If market data company Statista is correct, there are now around 13.8 billion Internet of Things (IoT) devices in the world, a definition that covers everything from smart TVs, smart speakers, thermostats, security cameras, and doorbells to motor vehicles and a growing array of Internet-enabled M2M industrial operational technology (OT) and medical monitoring. By contrast, Gartner reckons it’s more like 21 billion devices, including those being used by two-thirds of the world’s enterprise networks.

Significantly, IoT and OT devices now outnumber conventional computing devices such as PCs, smartphones, and laptops by two to one, a ratio that will rise to three-to-one by 2025. Beyond that, it’s anyone’s guess but it’s not hard to believe that the growth of smart cities and universal IoT enablement might one day mean that there are ten, twenty or a hundred times as many of these devices in the world as any other type of computer.

What’s striking about all this IoT and OT – or ‘smart’ products as the former is now more commonly termed – is how little anyone knows about its security, past or future. IT professionals are probably sick of hearing about this, hoping against hope that someone is working on a solution. In fact, a lot of agencies are working on a solution. The issue is that the problem keeps getting larger and more complex the more engineers think about how to solve it.

Secure by Design Regulation

But what is that problem? According to the UK Government, which trailed an initiative called Secure by Design in 2018, the IoT malaise is that too many hardware makers have been turning out poorly designed and poorly secured smart products because that was the cheapest and fastest way to make money. While the 2018 initiative read like a set of good practice guidelines, the Department for Digital, Culture, Media & Sport (DCMS) followed up in 2019 and April 2021 with drafts of binding laws, which have since expanded to cover other connected devices such as smartphones. Among the eminently sensible proposals:

  • Hardcoded/default passwords will be banned. Every device must mandate a unique password, including after resets.
  • Makers will have to set up public contacts for vulnerability disclosure.
  • Makers will have to state how long devices will receive security updates. Importantly, this will also apply to smartphones, which today are often quickly orphaned without buyers being made aware of the implications.

There will also need to be secure updating mechanisms, better back-end security and APIs, and upgraded privacy protection, to name only some improvements. The DCMS has even thought about the issue of assurance – third parties that might test products for compliance – offering a modest funding pot to encourage organisations to set up commercial schemes.

The UK Government is not the only one interested in taming IoT security: the IEEE Standards Association, the IoT Security Foundation, the GSMA, the Cloud Security Alliance, OWASP, the EU’s ENISA, and a US IoT Cybersecurity Improvement Act are all working on the same issue in similar but not identical ways.

Will Regulation of IoT Work?

Secure by Design’s timetable for implementation is not yet clear but it is likely to have a knock-on influence on IoT and OT products for the business sector too. That’s because some of the platforms used by consumer and business products are similar, as are some of the vulnerabilities they suffer. Many manufacturers have improved their OT, medical and IoT security design but it’s still not easy to know which meet the highest standards of good practice. It’s also possible consumer and SME smart products are finding their way into even larger companies, for example, LED lightbulbs, IoT smoke alarms, and some printer-scanners.

But even assuming everyone agrees on a set of standards, fixing new devices will not be enough to patch IoT/OT on its own. The first reason is the obvious one: there is still a lot of insecure IoT and OT out there, and much of it won’t be ripped out for years, if at all. A second and perhaps bigger problem is the traditional assumption that a device and its communications can ever be secure on their own. As Britain’s NCSC alludes to in its Secure Design Principles guide, security is now as much about the network a device is connected to, the provenance of its update mechanism, and the supply chain and chain of trust that went into its making as it is about the device itself.

Securing those for large numbers of often highly proprietary networks is a huge undertaking the industry is only now starting to think about. To reduce this to a simple formulation, you might say that the data that transits IoT networks represents the ultimate IoT security challenge, something which depends on the entire infrastructure supporting devices and not simply the devices themselves.

Advice for IoT Buyers

On the face of it, Secure by Design is good news for SMEs going forward because the rules offer a baseline that weeds out weak products. Meanwhile, the issue of smartphone end of life should also be made clearer before acquiring these devices, something that’s often shrouded in some mystery right now. Another response might be simply to avoid using consumer-level products altogether.

More urgently, the same rules should be used to assess any of these products currently in use, including older smartphones. As is so often the case in cybersecurity today, it’s the legacy products that cause the biggest problems. Managing that risk is not going to be easy. A second area where Secure by Design can’t help businesses is understanding the risk present in the communications design, data storage and chain of trust that comes with any IoT or OT product, including ones designed specifically for business or industrial use.

Conclusion

Today, cybersecurity is gradually adjusting to the idea that the best form of defence is knowledge. You can’t stop all cyberattacks but what matters is knowing they have happened, which allows you to try to understand their scope, origin, and mitigations. From this point of view, constructing a giant mesh of unmanaged devices that do their job in an automated way was always asking for trouble.

There is no easy answer to this today but organisations large and small should at least perform a risk assessment on every IoT device they add to their network. The forthcoming regulation of consumer IoT outlined in Secure by Design at least offers a place to start.