A Familiar Problem
This issue has already been seen with the increasing sophistication of multi-function printers (MFPs) in the workplace. Traditionally, MFPs were the responsibility of a company's operations department, which would make sure the printers functioned reliably and that the manufacturer repaired and serviced them as needed. MFPs were not sold on the basis of security; instead, the focus was on efficient, low-cost printing. However, as MFPs have incorporated functions such as Wi-Fi connectivity, email, internal storage and their own operating system, they have become increasingly vulnerable to attack. The key issue is not simply that an MFP can be hacked and prevented from functioning, but that it can serve as an attack vector into the network.
Continuing the analogy, despite the known vulnerabilities associated with MFPs, printer security is rarely part of a network-wide security audit, printer syslogs are rarely monitored, and printers are rarely connected to security information and event management (SIEM) systems. This is because in most cases the responsibility for these devices has not shifted from operations to IT security, meaning that even at the procurement stage security is not a key consideration. The same problems apply to the way IoT devices are being developed, procured and managed, except on a far greater scale.
Another core problem is that the economics do not incentivise IoT device manufacturers to add rigorous security features. Several of the most common vulnerabilities include discoverable administrative controls, default passwords, and no capability to be patched or updated. For manufacturers, improving the level of security in the billions of existing products would be prohibitively expensive, and for forthcoming products, adding security features would increase the price to the customer and affect their competitiveness, leading to yet more insecure IoT devices. As shown by the DDoS attack against Dyn, this situation is not just a threat to the owners of the devices but to other organisations too, as insecure devices can be used as alternative attack vectors or to create botnets.
Rethinking IoT Security
The situation with IoT security is already dire and, with the rapid growth of the technology, will only get worse. Although there are no regulations regarding IoT security, some useful guidelines already exist to advise companies, such as the IoT Trust Framework. Whilst some companies have already embraced the IoT Trust Framework, the cost of improving the security of existing IoT devices, or even new IoT devices, means that such improvements are unlikely to happen across the board. The responsibility will largely remain with the business, government or consumer.