The State of IoT Security Standards and Regulations
New security measures are being introduced to protect our online lives. As more and more IoT devices come to market, we're exploring if these new cybersecurity baseline requirements can help win people's trust and protect our privacy and safety.
As the Internet of Things (IoT) has evolved, so too has our approach to security. A decade ago, product developers were focused on seizing the opportunities that connectivity offered instead of slowing down progress by building in complex security at the start of a project. As a result, basic security principles were often ignored during the design phase or implemented as an afterthought, leaving customers' devices and data vulnerable to hackers. In the years since then, some of these weaknesses in security have been exploited. Connected cameras, fish tanks, and smart locks have all been hacked, sometimes with serious and far-reaching consequences. The incidents have been reported in mainstream media, which has brought cybersecurity to people’s attention. It has also worried governments and standards organizations, who all realize the potential of the technology to deliver significant economic and social benefits but are concerned about having billions of easily hackable devices that may adversely affect citizens' lives, including implications to privacy and safety.
They see a bigger picture too. In an increasingly connected world, a vulnerability in one device can bring down an entire system. For instance, a smart yet insecure CCTV camera can be recruited into a botnet of thousands of similar devices that not only affects the homeowner's or a business's privacy but also gives attackers a weapon. Why does that matter so much? In 2016, millions of IoT products were used to bring down the internet infrastructure and affected hugely popular websites in the USA and Europe in a distributed denial of service (DDoS) attack. At first glance, DDoS may not seem like a big deal, but the reality is that DDoS doesn't just take our favorite websites offline, it can also stop businesses from functioning and impact our critical infrastructure and services - the direct and indirect effects can be huge. As more individuals and organizations embrace the IoT, the same approach could be used to target hospitals or the companies that run our critical infrastructure and they could, for example, disrupt our healthcare system or our utility suppliers.
When asked where the liability would lie in a compromised device, 89% of respondents selected the chip, system software, or device, highlight the core components critical to IoT security.