IoT Security Requirements Ramping

Government and industry groups begin ramping up efforts to limit breaches.


By Haydn Povey
The security issues associated with the Internet of Things are already well known. Whether it’s bots infecting home networks, the destruction of industrial systems, or the ability to take remote control of automobiles, the horror stories are starting to mount like bodies in a bad movie.

While legislating for security is never easy, and has typically proven imperfect, there is a clear need for leadership in the marketplace. The worst offenders need to be bound by a set of minimum requirements and then prosecuted where dangerous goods are put out into the market. This leadership has, to date, been missing in the IoT domain outside of industry groups such as the IoT Security Foundation, and government has been noticeable by its absence. However, this is finally changing with the Internet of Things Cybersecurity Improvement Act of 2017, which is being introduced into the U.S. Senate by Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT).

Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements. These capabilities should be considered the new low-water mark for the industry. And although the act doesn’t limit the sale of devices to individuals, there should be a growing expectation that these outlined capabilities will become part of smart home devices, smart industry platforms, connected automobiles, and any device entering the hyper-connected domain.

These technologies exist today, but are not generally adopted due to the complexity of integration and manufacturing supply chains. The IoT Security Foundation, whose membership includes a wide array of device vendors, OEMs, system integrators, plus other stakeholders, continues to address these issues through their Best Practice guides. They are focused on simplifying the addition of security, ensuring robust self-certification methodologies to achieve a TrustMark, ensuring compliance with the proposed law, and enabling organisations to approach system security with confidence.

Security is no longer a nice-to-have. With the advent of this act, it now becomes the new “must have” for 2017.

—Haydn Povey is a member of the IoT Security Foundation executive committee.

