IoT developers working on addressing potential cybersecurity issues

As governments start to contemplate legal responses to Internet of Things (IoT) security flaws, companies are beginning to consider changing the way they handle cybersecurity.

09/17/2017


In recent months, the Internet of Things (IoT) industry has seen a significant escalation in the threat of legal action over the supply of insecure systems. Various governments and agencies have made it clear that the status quo of lax security cannot continue—and they are taking steps to combat it.

The Federal Trade Commission's (FTC's) lawsuit earlier this year against a perceived lack of security in a range of D-Link router products, which are said to have contributed to the global Mirai distributed denial of service attack last year, is still ongoing. While D-Link strongly disputes the claim and is strenuously defending the action, other government and consumer action against weak IoT security is widely expected.

In July, the FBI issued public guidance encouraging parents to report weak security in children's toys connected to the internet, after a number of incidents that had left data relating to individual children potentially vulnerable to criminals. The FBI said that if manufacturers were found to be wanting around data security, they faced legal action from the FTC.

Soon after that advisory, it became clear that authorities in the UK were also closing in on poor IoT security. Chief constable Mike Barton, who leads the National Police Chiefs Council on crime operations, warned about the dangers of IoT as more ordinary household items become connected to the internet. He urged consumers to 'do their homework' on the security of the products they buy and to make appropriate choices around purchases and usage as a result.

And more seriously as far as financial penalties are concerned, the UK Government confirmed in August its intention to fully integrate the European Commission's General Data Protection Regulation (GDPR) into UK law ahead of Brexit. This means that those companies responsible for managing personal data, including data being transferred over IoT systems and stored in IoT databases, face fines of up to £17 million or 4% of global turnover for the most serious data breaches.

A busy time

It has certainly been a busy time in the UK as far as IoT compliance is concerned, as the government also set out its demands around security for smart cars and vans. The government said it "feared" would-be hackers could target vehicles to access personal data, steal cars that use key-less entry, or even take control of them for "malicious reasons" [in other words, crash them].

New government guidance demands that engineers developing smart vehicles must toughen up cyber protection and help "design out" hacking.

Back in the US, meanwhile, a bill has been introduced in Congress that aims to block IoT devices if they can't be patched or have their password easily changed—common faults or difficulties around IoT security. The bill also calls for federal agencies to only be able to purchase non-compliant IoT devices if they get approval from the US Office of Management and Budget (OMB), and if they put in place additional security measures.

On this last initiative, Travis Smith, principal security engineer at security vendor Tripwire, says: "This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis."

But, he warned, "For this bill to be successful, there need to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time-consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model."

Legal action inevitable?

If IoT device makers don't act, legal action is almost inevitable from some quarter in the present political and media climate around the issue. How that action manifests itself will of course vary from country to country. As for the UK, Daniel West, an associate at insurance and risk law firm BLM, says: "Typically, security claims in relation to product liability are normally pursued due to a defect under the Consumer Protection Act 1987, or through breach of contract if the product does not meet satisfactory quality requirements.

"The court would then need to determine whether a lack of security in an IoT product would be classed as a defect or a lack of satisfactory quality in the product, and if so legal action will follow."

However, added West, there are also "causation issues" to consider with these types of cases. For example, if a vehicle has a locking system that is not considered sufficient to prevent a thief from stealing it, the thief is held responsible for the theft rather than the lack of security. Similarly, if damage arises as a result of an IoT device being hacked, the damage should be considered to be caused by the hacker rather than a lack of security, "limiting the potential for these claims", said West.

Leigh-Anne Galloway, cybersecurity resilience lead at security solutions firm Positive Technologies, said potential reputational damage also goes hand-in-hand with the legal threats. "The threat of a lawsuit and the possibility of reputational damage could be a serious driver of security as reputation loss also means revenue loss," she said. "The publicity and the open discussion of vulnerabilities may play a big role, too."

Galloway continued, "For example, after the Mirai attack affected Deutsche Telekom customer routers, the telecoms company said it would be reviewing its business relationship with the supplier of its Speedport routers, Arcadyan Technology, since all three flawed models came from this vendor."

Due diligence versus due care

If damage to one's reputation is not enough though, Mike Pittenger, vice president of security strategy at Black Duck Software, a specialist in open source software security for IoT systems, says security laggards risk going out of business. He said, "Businesses often talk about security due diligence. This frequently refers to an understanding of the risk posed by an action or supply chain relationship.

"Attorneys, on the other hand, discuss due care. This refers to what an entity has done to reasonably assure that no harm will come to others from their actions." He says a reasonable company, to use the due care standard, would not build and sell a car without brakes. This would put not only the driver but also pedestrians and other drivers at risk. "A company doing this could expect to be sued to extinction," said Pittenger, who also points to moves to take insecure IoT products out of the equation altogether.

As well as potential legal action, there is also now the threat of blocking insecure devices from the internet. Pittenger said: "In the US, senator Mark Warner has asked the FCC for guidance on how ISPs can respond while complying with the Open Internet Order, which prohibits denying non-harmful devices access to ISPs' networks. Blocking a manufacturer's devices [which are harmful] from networks would certainly put a damper on the company's revenue."

Insecure IoT devices are putting the internet, and those services that depend on a reliable communication channel, at risk. Soon, government bodies and customers will likely decide that enough is enough.

Antony Savvas is editor at Internet of Business. This article originally appeared here. Internet of Business is a CFE Media content partner. Edited by Chris Vavra, CFE Media, cvavra@cfemedia.com.
