Security in IoT development and deployment has sometimes, I think we can all admit, been an afterthought. All too often, as the industry developed, it has been neglected, ignored and, what’s worse, treated as irrelevant. It’s the worst-kept secret in IoT. This is, thankfully, changing across the industry. Security (and privacy) are becoming early design and strategy choices in new products and solutions, and although this isn’t universal yet, it is moving in the right direction.
Industrial IoT (IIoT) companies have historically been more forward-thinking about securing hardware, software, and networks. However, recent research indicates that IIoT infrastructure is still behind the bad actors and unprepared for the simple human errors that cause most security breaches.
It’s not all bad, of course. As I said above, things in IoT security are getting better. By responding to and patching after the many breaches and data thefts (both reported and unreported) that consistently and unfairly paint IoT as the bad guy in the coming cyberpunk dystopia, IoT is learning. Recent improvements in security procedure and practice are also happening thanks to the tireless efforts of groups like the Trusted Computing Group (TCG) and the IoT Security Foundation (IoTSF), along with their allies and advocates in key security leadership positions.
But.
I recently read an article in the EE Times that reported how a study from the IoTSF showed that nearly 80 percent of companies are not disclosing known vulnerabilities to their users and customers. They are “failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed,” the study said.
For crying out loud. 80 percent?
Folks. We need to remember we’re all on the same side here. Anyone can be one unlucky break away from being the next breach, and that’s a scary prospect. So, here’s some help: the best way to prevent that breach is to keep your users informed, so they can work with you to patch vulnerabilities.
Refusing to disclose or (what’s worse) actively hiding known security vulnerabilities from the user base is at best an attempt to limit liability (spoiler: it won’t). If manufacturers and suppliers can’t (or won’t) secure devices in the manufacturing process (they should and can; Kudelski IoT and many others do it all the time), they should collaborate with their users in making networks and systems secure.
Most of the offenders are consumer companies, but some work in industrial and enterprise IoT, which is not cool. No one is going to make this kind of disclosure mandatory. However, users should be sure to get, at a minimum, a disclosure list from any manufacturer or supplier they work with, and testing reports along with every device.
We’re on the same team, my friends, and if we’re going to stay ahead of the bad guys, we need to work together and share information.
Be well.