Industry Experts Trying To Pin Responsibility for IoT Security


Industry experts still struggle to decide whom to blame for the IoT security problem: end users using the devices, manufacturers creating them, or governments not issuing the legislation required to enforce security measures.

IoT technologies are now beginning to offer a plethora of opportunities, benefits, and challenges. Organizations across industries and sizes are collecting real-time data to control and monitor their surroundings to power smart cities, factories, buildings, homes, and campuses. These opportunities, however, can be enjoyed only if the devices are appropriately deployed, secured, and configured. Unfortunately, with something as powerful, new, and ubiquitous as IoT, the significant risks to safety, security, and privacy are all too real.

The challenges of securing IoT are multiplying as its risks increase: connected devices are even being used as gateways for hacking systems. Then there is the risk of connected but cheap, poorly designed, poorly configured, rushed-to-market devices sold with too much capability and no security. They put enterprises, industrial organizations, and governments at huge risk.

This raises the question of whose responsibility IoT security is, anyway.

Recently, enterprises were blamed for not taking IoT security seriously in the case of the full-stack Linux IP camera, limiting its capabilities. They said that it is simply unacceptable to put time to market ahead of common-sense safety. Too many IoT devices are being developed by unskilled manufacturers without any legitimate way to manage the vulnerabilities embedded in them. The more of the stack manufacturers put on insecure devices, the more dangerous it becomes. Securing IoT should start with the devices themselves, but developers and manufacturers are not the only ones who are responsible.

The disregard for traditional IT controls over technology implemented in corporate systems is a growing concern. Executives are complicit in IT security decisions in a way that encourages those adding devices or services to corporate networks without knowledge or interest. Likewise, end users need to know their role in keeping connected devices safe and sound, especially when it comes to changing default passwords and practicing proper security hygiene.

Every security problem has multiple sources of confusion, and the IoT security responsibility dilemma is no exception. To simplify this, there is a need for a separate network or network architecture, as the devices should not live freely on the traditional IP network. An IoT network should limit concerns about the impact on the public internet, lowering the likelihood of attacks on critical computing functions.

Experts suggest that in the absence of a separate IoT network, it is time for firms to develop an IoT security and device clean-up superfund. This means applying a small fee to every device that would finance the management, construction, and security of an IoT-specific network, cleaning up the insecure IoT devices already deployed. Those funds could enable proper configuration and upgrades.

Putting obligations on internet service provider (ISP) gateways could be another way to look at the IoT security question. While having ISPs manage such an issue may seem logical on some levels, it is critical that they decide what devices should be capable of doing. Yet the entire point of the open internet is not to have ISPs decide device behavior and block devices at their discretion.

A policy-based approach to securing IoT seems to be the best option. The starting point would be to limit capabilities to functional requirements, by baselining manufacturing expectations and securing the fundamentals.

As the world moves fully into mass IoT adoption, it is critical to employ stringent security measures. Predictions say incredible numbers of applications and devices will be deployed in a short period, making it impossible to clean up after threats. Security needs to be reinforced quickly, by determining policies followed by prompt actions.

If responsibilities are not identified yet, IoT will become an insurmountable security problem in the future.