Surviving the IoT Cyberattack Pandemic

Assess your risks, secure your firmware and comply with the ever-changing regulatory landscape.
By Ronald E. Quirk and Terry Dunlap

The Federal Communications Commission
The FCC is seeking comment from all interested stakeholders concerning the best methods to ensure the security of the IoT infrastructure. While the FCC is seeking comment on a wide range of cybersecurity questions, it is fundamentally concerned with the roles and responsibilities each stakeholder should have. It is likely that the comments submitted in the proceeding will result in new cybersecurity rules for IoT providers. Comments are due by Apr. 24, 2017, and reply comments are due by May 23, 2017.

The most important questions for IoT device manufacturers and vendors include:
• What methodologies should be used to protect devices connected to 5G networks?
• Is current SIM technology robust enough to ensure security in the future?
• Are there any non-SIM methods that should be considered for high-volume, low-cost 5G devices?
• What mechanisms are most effective at mitigating DDoS attacks?
• Are additional standards needed to mitigate DDoS attacks?
• Should service or device providers be required to implement patch management as part of their security risk management plans in the 5G environment?
• Which 5G elements can be successfully maintained through patch management?
• How can 5G service providers and equipment manufacturers ensure that critical software updates are installed on their devices in a timely fashion?
• How do IoT devices place 5G networks at risk?
• What roles should equipment providers, Internet service providers and manufacturers play—either by themselves or in coordination—to mitigate the risks?
• What, if any, reporting requirements should be imposed?
• What are the costs of adding security features to 5G network hardware, firmware, software and applications?

Endure and Thrive in the IoT Security Tsunami
The IoT cyberattack pandemic is bad, and until IoT providers impose sufficient security measures in their devices, it will only get worse. The importance of IoT suppliers evaluating and securing the firmware in their devices cannot be overstated. Failure to do so leaves suppliers vulnerable to FTC Act violations and, soon, FCC rule violations.

Manufacturers are well-advised to understand and follow the FTC's guidelines. An experienced cybersecurity consultant can work with you to effectively implement these best practices in your company.

IoT suppliers should also remain aware and informed of the ever-changing IoT regulatory landscape. A good cybersecurity attorney can assist you with risk assessment and management, as well as ensuring compliance with the latest rules and policies.

IoT providers are strongly urged to participate in the current FCC comment proceeding. In addition to helping shape the rules, it is important to ensure that regulatory responsibility is fairly distributed. A lot of stakeholders with competing interests will be submitting comments, and they will naturally seek to ensure that compliance responsibility is shifted to others. Moreover, submitting comments will help you get your company's name recognized as an important player in the IoT industry.

The IoT security tsunami is real. IoT providers must understand the specific risks to their companies and work diligently to mitigate them. IoT companies that ignore the cybersecurity threats do so at their extreme peril.

IoT attorney Ronald E. Quirk is the head of the Internet of Things & Connected Devices Practice Group at Marashlian & Donahue PLLC, The CommLaw Group, where he focuses his practice on serving the comprehensive needs of the burgeoning and complex Internet of Things industry, including contracts and commercial law, privacy and cybersecurity, spectrum access, equipment authorization, tax, regulatory compliance planning and more. His career has spanned more than 20 years, including several years at AMLAW 100 firms and the FCC. He can be reached at or (703) 714-1305.

Terry Dunlap is the founder and CEO of Tactical Network Solutions (TNS), in Columbia, Maryland. Clients come to TNS to leverage the Centrifuge IoT security platform, which audits compiled embedded firmware images for vulnerabilities. They also seek "white hat" security training, firmware evaluations and consulting on IoT firmware exploitation, hardware hacking and exploiting real-time operating systems. The staff includes former National Security Agency experts skilled in the IoT, embedded firmware reverse-engineering and security. Formerly, Terry worked as a global network vulnerability analyst for the NSA. He can be reached at or (443) 276-6990.
