Bizarrely, it’s the accelerated growth in the IoT space that is raising the spectre of greater security problems. The commercial pressures that manufacturers are under have sparked a race to be first to market with new IoT products. Of deep concern is that manufacturers often overlook security when developing new devices. This is typically because they may lack institutional experience of working with connected devices or might not be able to afford the extra time or budget to build in adequate security. From a security perspective, the implications of this can be dire.
This somewhat ad hoc approach to security, along with a lack of any defined IoT security standards, has resulted in damaging cybersecurity events, such as the Mirai botnet incident in October 2016. This crippling attack saw enormous blocks of IoT devices infected with malware, which were then used to attack core Internet infrastructure. Mirai was a stark reminder of how serious cyber-attacks on vulnerable IoT devices can be. Alongside a lack of widely adopted IoT security standards, there is the huge question of who is responsible for the security of these connected devices.
Most IoT devices are designed to remain active for years, perhaps even decades. Can we really expect consumers to ensure their devices are kept patched and up to date? Unlike a home PC, connected devices generally lack a user interface, so even the question of how to notify customers about updates remains a challenge.
In the past, if a product met standards and the terms of its guarantee, it ceased to be the responsibility of the manufacturer. But IoT devices are different, as they are linked to the Internet, meaning the vendor must continue to provide security updates. It’s also not yet clear who is ultimately responsible for making sure an individual device is updated, or what happens when an IoT manufacturer goes out of business and is unable to support their product. This is not a clear-cut situation.
Pros & cons of regulation
It is heartening to see the UK government take steps towards making the IoT a safer space for everyone concerned. In March, the Department for Digital, Culture, Media and Sport (DCMS) announced a new IoT Code of Practice, focused on driving up the overall security of the IoT ecosystem. These measures will help to ensure that all stakeholders, including manufacturers, take security seriously. Laying out clearer roles and responsibilities for manufacturers and others operating in this space will help businesses to better understand their own role in protecting the end user.