Growing Regulation of IoT Security

Hopefully, 2018 will mark the start of a new era in Internet of Things security regulation, in which governments, consumers and enterprise customers will begin demanding protection from device manufacturers.
By Ofer Amitai
Dec 23, 2017

While regulations governing Internet of Things (IoT) security features are beginning to be drafted, there is still not enough demand from the consumer side to warrant manufacturers' investments in security features. This raises a major question for 2018: whether governments, in similar fashion to the United States and the European Union, will begin imposing security regulations on IoT device manufacturers that protect consumers and companies from digital—and even physical—risk.

Therefore, together with GDPR and other compliance regulations, we are likely to see more governments and industry authorities, such as the National Institute of Standards and Technology (NIST), stepping up in 2018 to enforce privacy, safety and security regulations on IoT manufacturers. This may also result in an increase in the price of IoT devices, which up until this point has been relatively low, as manufacturers struggle to carry out the reverse compliance initiatives that come into effect.

The IoT—devices and sensors that connect, transmit and store information on the internet—is one of the major technology trends of the last decade. With Gartner predicting that IoT technology will be in 95 percent of electronics for new product designs by 2020, it's time to come to terms with the fact that the IoT is becoming an integral part of our digital and daily lives.

As with many innovative technologies, the benefits arising from the IoT are myriad—namely, increased efficiency, productivity and data-processing capabilities—but progress comes at a price, and in the case of the IoT, that means security. As the documented cases of IoT security vulnerabilities stack up, ranging from distributed denial-of-service (DDoS) and ransomware attacks to attacks on personal safety (demonstrated with the car wash hack at Black Hat 2017), the conversation around the IoT is shifting toward security concerns—namely, regulations for device manufacturers.

Slow and Steady Wins the Race
While it may seem simple enough to issue regulations requiring increased security for IoT devices, the current industry landscape indicates differently. To encourage IoT adoption early on, most major device manufacturers did not limit the use cases for their devices, developing devices that run on open and easily accessible platforms, use default access credentials, and operate on simple central processing units (CPUs). The result is that IoT devices are widely adopted as the next breakthrough technology in the smart home, office and factory, and carry a reasonable price point (in most cases), but are inherently insecure due to their fragile and usually simplistic computing structure.

The interesting bit is that although the term "Internet of Things" was coined in 1999, the first mentions of regulations only began appearing in 2016, some 17 years later. The London-based GSMA, a global trade body that represents the interests of mobile network operators, released a document in February 2016 that outlined IoT security guidelines and assessment, seeking to "promote best practice for the secure design, development and deployment of IoT services, and providing a mechanism to evaluate security measures." However, the document suggests more than it obligates, and as many IoT manufacturers have expressed, unless they feel pressure from the market, the responsibility for IoT security will fall on consumers, businesses and governments.
