As disruptive technologies such as 5G launch, the number of connected devices is poised to increase dramatically. Indeed, Intel predicts that a remarkable 200 billion connected devices could be operating by 2020. But this sharp rise in connected devices creates more opportunities for hackers, and cyber-attacks are becoming increasingly sophisticated. A growing number of attacks are now developed with the express aim of compromising IoT functionality, according to the ENISA Threat Landscape Report. Last year malware was identified that was designed to compromise industrial safety systems, which could have devastating consequences. All of this makes security of the IoT an urgent matter. But while it is crucial to ensure secure IoT devices and services, it is also important that we maintain the high level of innovation the IoT has generated thus far to guarantee further development and growth.
Security – an afterthought
IoT security is often overlooked in the development of connected devices, either because the manufacturer lacks the technical expertise or because it is facing commercial pressure to get products to market quickly. These factors, combined with a landscape of rapidly emerging standards and technologies, have introduced a new set of risks. One of the most devastating cyber-attacks that originated from IoT devices was the Mirai botnet attack of 2016. The incident saw huge numbers of devices infected with malware that attacked core Internet infrastructure. Approximately 24,000 devices were targeted, with the University of California putting the cost of the incident at $300,000. Alas, Mirai has not been an isolated incident. This year a new variant of the botnet was detected, which targets enterprise networks and has the potential to infect an even wider set of Internet-connected devices. As the IoT ecosystem grows, so does the threat. This is the challenge that industry faces moving forward.
The options to deal with the journey ahead are varied. Regulation of the IoT has been touted as one route to developing a secure and robust network. There are benefits to this approach, such as the provision of more effective protection for consumers. However, while regulation is often said to create a level playing field, smaller companies may find compliance more of an obstacle than their larger competitors. Care also needs to be taken that regulation does not stand in the way of innovation and is able to keep pace with the rate of development in the IoT. Establishing a centralised regulatory body for something as diverse as the IoT, affecting everything from cars to thermostats, would be a challenge as it would need to bring together an equally broad set of competencies. It is also important that any regulatory interventions are coordinated at a global level, which might be easier with a targeted focus on particular areas of interest. A sectoral approach, in which existing industry regulators team up with industry and security experts, could be a more worthwhile exercise. After all, the Internet was built on collaboration and this approach could be hugely beneficial to the development of IoT security standards. By working together to self-regulate the IoT, stakeholders could develop a more flexible, successful and secure IoT network. Voluntary IoT standards allow innovation and competition to thrive – but also support the development of products with security in mind.
The self-regulation revolution
This voluntary self-regulation for IoT security is already occurring, with the Department for Digital, Culture, Media & Sport (DCMS) in the UK establishing a Code of Practice for direct collaboration with a range of manufacturers, retailers and the National Cyber Security Centre in 2018. Moreover, in 2019 a group of the UK’s leading universities launched a new National Centre of Excellence for IoT Systems Cybersecurity, which will draw academics and industry experts together to create a secure and trustworthy IoT infrastructure. These efforts are to be commended, as they enable stakeholders to work together to share experiences and best practice around IoT security while competing on product features. The fruits of these labours will be IoT products that are safer for consumers to use.
There is still some way to go before IoT security is seriously addressed. But encouragement can be taken from these types of initiatives. They represent the first tentative steps towards establishing a set of voluntary IoT security standards that the market so desperately needs. Alongside these projects, it’s important that the mindset changes too. Companies obviously need to consider their commercial pressures and objectives – but all parties need to recognise that they are operating in the same ecosystem, which needs to be protected. And a unique ecosystem like the IoT will require unique ways of working together.
Marco Hogewoning is a Senior External Relations Officer at the RIPE NCC
As part of the External Relations team, Marco helps lead the RIPE NCC's engagement with its membership, the RIPE community, government, law enforcement and other Internet stakeholders. Marco joined the RIPE NCC in 2011. Prior to joining the RIPE NCC, he worked as a Network Engineer for various Dutch Internet Service Providers and was formerly chair of the RIPE IPv6 Working Group.