Is Your Vendor Hiding Security Problems From You?

Security in IoT development and deployment has, I think we can all admit, too often been an afterthought. As the industry grew, security was neglected, ignored and, worse, treated as irrelevant. It is the worst-kept secret in IoT. Thankfully, this is changing. Security (and privacy) are increasingly early design and strategy decisions in new products and solutions, and although that is not yet universal, the direction is right.

Industrial IoT (IIoT) companies have historically been more forward-thinking about securing hardware, software and networks. Even so, recent research indicates that IIoT infrastructure still lags the attackers and remains unprepared for the simple human errors that cause most security breaches.

It’s not all bad, of course. As I said above, IoT security is getting better. The many breaches and data thefts (reported and unreported) that consistently and unfairly cast IoT as the villain of the coming cyberpunk dystopia have forced vendors to respond and patch, and the industry is learning from them. Recent improvements in security procedure and practice also owe a great deal to the tireless efforts of groups like the Trusted Computing Group (TCG) and the IoT Security Foundation (IoTSF), along with their allies and advocates in key security leadership positions.

But.

I recently read an article in the EE Times reporting on an IoTSF study that found nearly 80 percent of companies are not disclosing known vulnerabilities to their users and customers. Most of them do not even have the prerequisite in place: a published way for outside researchers to tell them about a flaw. They are “failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed,” the study said. A vendor that cannot receive a report cannot fix the bug, and a vendor that does not fix the bug has nothing to disclose but the exposure itself.

For crying out loud. 80 percent? 

Folks. We need to remember we’re all on the same side here. Anyone can be one unlucky break away from being the next breach, and that’s a scary prospect. So, here’s some help: the best way to keep that breach from becoming a disaster is to keep your users informed. Publish a way to receive vulnerability reports, fix what comes in, and tell your customers what to patch and when, so they can work with you to close the hole before someone else walks through it.

Refusing to disclose, or (what’s worse) actively hiding, known security vulnerabilities from the user base is at best an attempt to limit liability (spoiler: it won’t). If manufacturers and suppliers can’t (or won’t) secure devices during the manufacturing process (they should and can; Kudelski IoT and many others do it all the time), they should at least collaborate with their users to secure the networks and systems those devices are deployed into.

Most of the offenders are consumer companies, but some work in industrial and enterprise IoT, which is not cool. No one is going to make this kind of disclosure mandatory. So users should insist on it themselves: at a minimum, ask every manufacturer or supplier you work with for a published channel for reporting vulnerabilities, a list of known vulnerabilities in the product and the fixes that address them, and security testing reports delivered with every device.

We’re on the same team, my friends, and if we’re going to stay ahead of the bad guys, we need to work together and share information.

Be well. 

Ken Briodagh

Ken Briodagh is founder and Chief Storyteller of Briodagh Content Consulting. He loves all forms of storytelling, from live events to content marketing strategy that creates brand loyal fans. He’s particularly interested in the transformative potential of stories in marketing. Ken has been leading industries and brands through story for more than a decade, creating millions in value and growth. He's also a poet, pretend potentate, & partial alliterist. He lives in Connecticut with his family, two cats, a turtle, and a dog. The dog misses him when he's away.
