Summary: The global deployment of billions of Internet of Things (IoT) devices has contributed to an explosion in data processing and the connectivity of humans, buildings, vehicles, and physical machines to the global internet. Cybersecurity threats to personal information, business networks, national infrastructure, and the internet have all been magnified because of this increased dependency and connectivity. The Atlantic Council issued a report which looks at existing security initiatives in the US, UK, Australia, and Singapore while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity.
The global deployment of billions of Internet of Things (IoT) devices has contributed to an explosion in data processing and the connectivity of humans, buildings, vehicles, and physical machines to the global internet. More IoT products are introduced each year, and they now form a considerable proportion of all internet-connected devices. IoT Analytics believes that IoT products surpassed traditional internet-connected devices in 2019 and forecasts that by 2025 the ratio will be approximately 3:1.
Cybersecurity threats to personal information, business networks, national infrastructure, and the internet have all been magnified because of this increased dependency and connectivity. The report illustrates how securing IoT devices is essential because they permeate more and more areas of daily life. Poorly secured devices, such as those with simple passwords or with known and unfixed security weaknesses, can allow attackers to gain footholds in corporate or otherwise sensitive environments, from which they can steal data or cause disruption.
Considering these cyber threats, many governmental and industry frameworks for IoT security have been developed, with specific attention paid to various stages of the product life cycle, including but not limited to device design, development, sale and setup, maintenance, and decommissioning. On the bright side, several nations and industry entities have recognized a single standard, European Norm (EN) 303 645 from the European Telecommunications Standards Institute (ETSI), as a consensus approach, showing how a set of baseline security recommendations can help promote genuine, coordinated change.
The Atlantic Council issued a report which looks at existing security initiatives in the US, UK, Australia, and Singapore while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. The report describes a synthesized IoT security architecture and goes over the current risk in the ecosystem, as well as the difficulties with the current regulatory approach. The report then provides nine recommendations for government and industry actors to improve IoT security, divided into three groups:
- Establishing a minimum level of acceptable security (“Tier 1”)
- Providing incentives to go above and beyond the baseline (“Tier 2” and above)
- Seeking international alignment on standards and implementation throughout the entire IoT product lifecycle
IoT security challenges
The authors of the Atlantic Council report, Patrick Mitchell, Liv Rowley, and Justin Sherman, summarize the existing IoT security challenges in four domains: state, industry, private sector, and consumer.
It’s clear that there are significant problems with the way governments are currently approaching the security of IoT devices. The United States, Singapore, Australia, the United Kingdom, and many other nations are all affected: the industry has not invested sufficiently in IoT security, which necessitates action from governments. While some countries are taking the initiative to ensure the safety of IoT, others appear content to defer to the private sector (or not to act at all). For instance, Australia has proposed an IoT security framework, but it has taken a long time to publish any actual recommendations.
Labeling, certification, minimum standards, and best practices are just some of the IoT security mechanisms adopted by industry groups. However, different sectors have different norms in this regard. For example, when it comes to regulations, embedded IoT healthcare devices are held to much stricter standards than smart speakers. Taken together, these endeavors constitute a considerable amount of work and the culmination of many years of effort by members of the security community. However, there is still room for improvement in how cohesively security activities are tied to specific stages of the product lifecycle.
Private sector initiatives to improve IoT security are hampered by, among other things, unclear objectives and policy goals, inconsistent processes and regulatory requirements across jurisdictions, and overlapping certification schemes.
Consumers, meanwhile, must contend with a dearth of reliable information about which items to buy, the resulting poor security, and the far-reaching consequences of IoT instability.
A synthesized IoT security framework
The paper proposes a unified framework that incorporates the preexisting security rules, standards, and guidelines of all four jurisdictions of relevance (the United States, the United Kingdom, Australia, and Singapore).
First and foremost, the framework intends to reduce fragmentation by making the benefits and drawbacks of various policy options explicit. Companies that operate in multiple jurisdictions with differing IoT security regimes may face higher product development and legal compliance costs, reduced incentives to invest in security, and the need to adapt their IoT offerings locally in order to compete on the global market.
Lessening fragmentation addresses these financial concerns. As a bonus, it gives businesses and individuals more control over the security of their IoT products by presenting a more streamlined set of tradeoffs and information. Finally, reducing the amount of disjointed information makes it easier for policymakers to cooperate internationally and to protect all aspects of the domestic IoT security landscape.
The second purpose of the framework is to integrate technical and process guidance more thoroughly into cybersecurity policy. Higher-level IoT security goals can be operationalized by the private sector, particularly by enterprises with little cybersecurity knowledge and capacity, with the support of government policy that integrates technological and process elements. Governments’ own IoT security measures could also benefit from this framework.
Considerations for a better IoT future
When discussing what the future of IoT could be, one opinion is “a world in which every IoT ecosystem stakeholder’s choices and actions contribute to the overall security of IoT where consumers and benefactors are simply secured by default.”
When assessing any proposal for the future of IoT, the Atlantic Council report suggests the following considerations:
- Do away with the most obvious security flaws in consumer IoT products, raising the difficulty and sophistication required for attackers to break into them.
- To ease manufacturer adoption, it is important to work toward harmonization across jurisdictions and eliminate unnecessary divergence and duplication.
- Improve the financial incentives for manufacturers to go above and beyond the required minimum of security measures.
- Raise consumers’ consciousness of the dangers posed by unsafe items and stimulate their interest in security as a practical and approachable purchasing factor.
- Offer a short-term, tangible effect on user security outcomes while retaining the ability to integrate new controls via consensus methods as technology advances.
The authors suggest a multitiered IoT device labeling and certification framework, with basic, easily understood labels for consumers, to drive the aforementioned results and closer alignment in policy across these four countries.
Recommendations for securing the IoT ecosystem
Finally, the authors of the Atlantic Council report suggest nine recommendations, grouped by the proposed tiers of the IoT security framework.
Tier 1 recommendations
- Governments should implement regulatory measures to enforce a mandatory baseline on manufacturers selling in their markets
- Governments should follow the “reversing the cascade” philosophy, where instead of trying to influence manufacturers based abroad, governments put pressure on domestic suppliers and retailers—who may, in turn, put their own pressure on manufacturers to improve security
Tier 2 recommendations
- Governments should support the creation of a voluntary, higher tier of security requirements, indicated via labeling programs in their markets
- Governments should include Tier 2 requirements as part of government procurement contracts
- In the short term, governments should reach agreements to mutually recognize each other’s labels
- Over the longer term, governments should compare the results of their national labeling programs and move towards a single global model for communicating the security characteristics of an IoT product
International alignment recommendations
- Governments should pursue outcomes-based approaches to consumer IoT security rooted in agreed-upon basic security principles and maintain similar definitions for products considered “in-scope”
- Governments and industry should review and, if necessary, update their respective tiers of standards every two years
- Governments should develop additional guidance around the sunsetting phase of the IoT product lifecycle
Concluding thoughts
The lack of proper security for consumer IoT goods is just one of many complex new technological concerns that call for worldwide collaboration between public and private sector actors. The impact on customers is significant, and the hazards grow as the number of connected devices does, from botnets that threaten internet infrastructure to universal default passwords that allow hackers to compromise user privacy.
When compared to more conventional appliances, which wear out and stop working on their own schedules, “computers fail differently.” Everything is fine up until the day a vulnerability is found, at which point every product based on that model needs to be patched. More and more things will eventually become computers, and thus more and more things will fail in the same predictable ways that computers do. Global systems, norms, and standards must be adjusted to account for this new reality.