IoT Device Manufacturers - Internet of Things (IoT) devices have a more pervasive impact on our lives than traditional IT devices. There are several unknowns in IoT security, and they raise concerns for customers who are looking to incorporate IoT devices into their existing infrastructure. Fortunately, security by design can resolve some of the major root causes of the underlying vulnerabilities in these connected devices.
Building the case
Among IoT device customers such as organizations, educational institutions and government agencies, there is a lack of industry measures to help mitigate cybersecurity risks. It doesn’t help that the methods used to secure conventional IT devices are often incompatible with those for securing IoT devices. With the emergence of new technological capabilities, IoT devices thus add a new layer upon which customers must apply new security controls or alter their existing controls in order to mitigate risks.
The problem is that not all customers are aware of how to alter the existing security controls in their current IT processes to accommodate IoT. Without proper security controls, these devices are highly vulnerable. Their compromise could lead to wide-scale attacks such as distributed denial-of-service (DDoS) attacks against the organization’s services.
In acknowledgement of the challenges discussed above, NIST Internal Report 8228 (NISTIR 8228), entitled Considerations for Managing IoT Cybersecurity and Privacy Risks, indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. The report also points to the need for robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls.
A manufacturer can’t succeed in implementing cybersecurity controls without maintaining clear communication with the customer. The customer needs to understand how to use these cybersecurity features so that they can tailor them according to their specific needs. With that said, the manufacturer needs to share information regarding device cybersecurity features, device transparency, software and firmware update transparency, support and lifespan expectations and decommissioning.