Joonho Park is Executive Director of The Open Connectivity Foundation.
As anticipation for the Internet of Things has blossomed, so have misgivings and fears about its security vulnerabilities. Several high-profile incidents, particularly the Mirai episode, have raised questions about the security risks posed by proliferating devices connected to the Internet. As companies and consumers continue their march into the brave new world of IoT, addressing these concerns will be essential.
Industry-wide standards and certifications are a solution with many obvious benefits; vendors and IoT experts can craft them with an eye for security and allaying customer concerns. These conclusions are backed by a survey conducted by the Open Connectivity Foundation (OCF), which shows both widespread concerns over IoT security and clear support for an industry standardization approach. Indeed, respondents viewed standards implementation and vendor cooperation as an effective way to address ease of use, interoperability and security concerns. Sixty percent of respondents indicated that they were more likely to purchase a connected device with some form of a security certification, a clear sign that standards and certifications would effectively improve customer faith in IoT security.
IoT security dramatically strode into the national spotlight last September with the arrival of Mirai. The now notorious malware finds and infects various IoT devices, assembles them into a centrally controlled botnet, and launches their traffic at targeted websites in massive DDoS attacks. Mirai’s inaugural assault was aimed at Dyn, a DNS service provider essential to the running of a multitude of different websites. The resulting outages were so widespread that a common refrain heard in news coverage was that Mirai had “broke the internet”, heralding an “IoT-pocalypse”. Subsequent reporting and analysis have continued to highlight the security vulnerabilities of IoT.
Trouble on the Horizon?
These anxieties are going mainstream. Security concerns are considered the second-highest barrier to IoT adoption, and improvements to device security the second most desired product change from IoT vendors. As connected device usage becomes universal and high-profile security breaches continue to receive national coverage, these concerns could form the bedrock of a crisis in consumer confidence that would blow back on different vendors and the industry as a whole.
The development of industry standards and certifications is the most effective and relatively straightforward response to IoT security concerns. By cooperating, vendors can establish benchmarks for connected devices; these would cover everything from infrastructure to data protocols to security features. Such standardization would ensure that connected devices have baseline security protocols in place. Product certifications or security ratings would be the next step. Vendors could signal to customers that the devices they purchase are up to agreed-upon industry standards. Adopting these initiatives would be a simple yet effective method to both tackle security shortfalls and allay consumer concerns raised by those shortfalls.
Fortunately for IoT vendors, the news is not all negative. There is a widespread desire for connected devices; some 80 percent of respondents from the OCF study said that they planned to buy a connected device within six months. Less than (8 percent) said that they currently had no connected devices. These responses are a clear sign of how pervasive IoT technology already is and how the market is set to continue its growth. However, an increase in the number of connected devices will exacerbate security problems if industry standards are not in place.
The distinct characteristics of connected devices, especially infrequent interactions from users, make them uniquely vulnerable to infection and manipulation by malicious actors. Traditional targets, such as personal computers, are used regularly, and performance issues can tip off users that there is something wrong. In contrast, many connected devices, such as routers, sensors and cameras, are designed to operate without regular check-ins. Once attacked, they may not show any noticeable signs of infection, and will sit unrepaired or unreplaced. Baseline security standards are clearly a necessary measure, as vendors can’t count on user intervention to identify potential problems. Taken in conjunction with the obvious support, these technical considerations provide a compelling case for the introduction of common industry standards and associated certification programs. This is one of the more effective mechanisms available to address the security vulnerabilities of our IoT future and restore confidence in the industry.
The development of IoT standards and certifications is not only desirable from a security standpoint. The most commonly cited barrier to IoT adoption is interoperability; common industry standards would make the goals of device compatibility much more realistic. As such, standards would not only be a reactive response to security worries, but a springboard to developing features that customers want. However, vendors should consider security standards and certifications to be an immediate priority, necessary for plugging security holes and buttressing consumer confidence.
Opinions expressed in the article above do not necessarily reflect the opinions of Data Center Knowledge and Penton.