IoT cybersecurity needs to be improved

Manufacturers and government officials recognize the need for improved cybersecurity for Internet of Things (IoT) devices, but more work needs to be done.
By John Grimm, Thales e-Security, January 18, 2018

The U.S. technology and manufacturing industries are in serious need of increased rigor for Internet of Things (IoT) device security.

Thankfully, the U.S. Senate is starting to pay attention in the form of the recently introduced Internet of Things Cybersecurity Improvement Act. These proposed regulations could help reduce poor security practices and influence manufacturers to implement proper security from the start.

The legislation targets vendors to the federal government, which is a great place to start. According to the 2017 Thales Data Threat Report, Federal Edition, IoT adoption within the federal government is strong. The report found 75% of federal agencies have begun to use IoT technology. The results also revealed 65% of federal agencies have experienced a data breach at some point.

Beyond the federal government, the IoT touches consumers who use wearable electronics, families buying state-of-the-art appliances, businesses using internet-connected equipment, cities installing connected parking meters, and many others.

Manufacturers need to provide trustworthy assurance that devices the federal government, local jurisdictions, consumers and businesses purchase are authentic and run only software legitimately loaded by the manufacturer. And any device that runs software needs the ability to be updated in case vulnerabilities or other security issues are found.

Some IoT devices don’t provide a way to update software, and many more don’t offer a secure mechanism to do so. As an example, code signing with properly protected private signing keys helps ensure the authenticity and integrity of those updates, which is important to prevent the introduction of malware in the software-update process.

Rigorous testing of devices is also an important step in ensuring proper security. In today’s environment, leading organizations are inviting the public to test their defenses, and rewarding those that find issues accordingly. This approach makes sense as threats become increasingly sophisticated, and the number and type of devices increase.

While the IoT is still nascent, developing strong standards for secure and interoperable IoT ecosystems now will be key in securing the IoT of the future.

John Grimm, senior director of IoT security strategy, Thales e-Security. This article originally appeared on the Industrial Internet Consortium’s (IIC) blog. The IIC is a CFE Media content partner. Edited by Chris Vavra, production editor, Control Engineering, cvavra@cfemedia.com.