For Internet of Things Security, the Devil Is in the Details
When reading up on Internet of Things security, it can seem like the more you study the subject, the less you understand it. For one thing, the term “IoT security” is so thorny and marketing-driven that Gartner analysts are convinced it will die in a few years — possibly to be replaced by “next generation” or “cyberphysical” security technology products and services by 2021 in their estimation.
When sorting through surveys related to the subject of IoT security, Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance (OTA) says he sees results all over the map. “I try to follow as many those surveys as I can. They do seem to vary considerably,” Wilbur said. “I’m not sure if it is who they’re asking, or how they’re asking the questions exactly.
Apparently, consumers of IoT devices have conflicting views on the subject. “When you ask most consumers if they are worried about security and privacy, they’ll likely say yes,” he said. “But when you ask a consumer if they would pay X amount more for an IoT product that has better security and privacy, the answer’s often ‘no.’ So I interpret that as: ‘I have a high concern, but it hasn’t crossed the threshold of dollars for me yet.’”
For industries adopting IoT within their environment, employees have a wide-ranging set of opinions. “The impression I get is that companies have varying levels of how seriously they’re taking IoT security and how they’re using IoT in their own realm,” Wilbur said. For some organizations, IoT refers to connected devices on a factory floor. For others, it means bringing connected consumer devices in the big door.
But while opinions on Internet of Things Security vary enormously depending on context, the fundamental approaches of how to secure Internet of Things devices is gradually clarifying. “Most of the ground rules are similar whether its access control from a password standpoint or how vulnerability is defined from a connected device standpoint,” Wilbur said. “The problem is IoT kind of creeps in under the radar in many ways. It comes in via a non-IT legacy way, right? Whether it is in the industrial side, where you’re kind of merging IT and OT, or whether you have the consumer stuff coming into play, I think that’s where it all gets muddled.”
But while IoT standards are coalescing, there is still considerable variability when it comes to the specific implementation strategies and elements various standards and frameworks recommend for Internet of Things security. “We are undertaking a research project to go compare a lot of these frameworks, and some of the certification initiatives related to IoT security. We plan on coming up with a heat map on how they compare,” Wilbur said. “We think that’ll be very valuable information — to look at government efforts, industry efforts, other industry alliance efforts to see where this is all headed and where the common threads are.”
Wilbur acknowledges that the implementation of basic security principles can sometimes be slowed by a sort of analysis paralysis when trying to determine how to best execute a broad strategy such as using strong passwords or encryption in transit at rest. “When you go one level down like that, manufacturers ask: ‘What does this mean?’” Wilbur said. “In our case, it can vary. How you approach encryption can vary depending on your device and its connectivity, storage or whatever.”
“For the most part, what I’ve seen is that you kind of go by the common denominator,” Wilbur said. “This is true of adopting lots of standards, whether it’s interoperability, security or anything really. If you have one password standard recommending eight characters and another says 12, if you go by the 12, you have the eight covered. In some cases, if you just pick the more stringent standard, then you’ve covered the other ones.”
A similar problem of uncertainty applies to, say, industrial companies looking to deploy connected machinery or consumers hoping to find a secure smart device such as a video doorbell. “If you want to compare how one connected doorbell compares to another from a security perspective, you probably can’t find the answers yourself,” Wilbur said. “And so we’re advocating that consumer testing organizations start to factor that into their recommendations. Consumer Reports’ digital standard is starting to do that. We are advocating that manufacturers bubble some of this up. Is this product software updateable? How long will you update it? Tell me what you do security-wise. We are encouraging manufacturers to make it a differentiator, but if that information is hard to find, you can’t make an informed choice.”