The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.
As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.
As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.
Market Forces vs. IoT Vendors
So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.
By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.
So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.
There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.
IoT Cost Points
So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:
1. Qualified development personnel are hard to come by for IoT. You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.
2. Hardware and software costs can range from small to huge sums of money. The more complex the device and service, the higher the cost.
3. What is the connection model? Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.
4. You must design a product UI! If you intend to win on the merits of your product, a smooth user experience is a must.
5. What about security? Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.
Best IoT Security Development Steps
While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?
Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.
However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.
It's Time to Step Up
What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.
Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.