Where Should The Responsibility Lie When Securing IoT Devices?
These days it seems that everything in our home and work lives is connected to the network and to each other, with the two becoming increasingly intertwined due to the ongoing need to work from home.
In the good old days, the only devices connected to your network and WiFi were your laptop or home computer and your mobile phone. Everything else was offline. Yet now it seems we can’t move for the abundance of connected, or ‘Smart’ as they are dubbed, devices, including everything from your TV, washing machine, fridge and doorbell to the odd connected toilet. Run out of milk? No need to worry – your fridge has already sent a message to your Amazon grocery account, ordered it for you, and it’ll be delivered by a drone before you’ve even had time to realise that you’ll need it for your morning coffee.
While two groups of people at opposite ends of the spectrum – the technophobes and the security-conscious among us – may recoil in slight horror at having everything interlinked like this, there are many people who are obsessed with having the latest technology in their homes and pride themselves on having the newest shiny gadget hooked up to their network. But how are these connected IoT devices being secured? And who should have the responsibility for maintaining that security throughout the device’s lifecycle? Is that even possible, or will these smart devices become dumb pretty quickly?
Where does security come in?
As a rule, in the development of any new software there will be a stage where the developer needs to give some consideration to the security and privacy controls of the software and, subsequently, of the device it runs on. However, this is often one small, albeit critical, piece of the puzzle in the supply chain of an IoT device, and it has been known to be overlooked or rushed through in favour of another element, such as a more exciting feature, or in the quest to beat the competition to market.
Earlier this year, to help set some standards and combat the well-documented weaknesses in the supply chain that have allowed these cyber security gaps to develop, the European Union Agency for Cybersecurity (ENISA) released its Guidelines for Securing the IoT – Secure Supply Chain for IoT. The aim of these guidelines was to set out a series of recommendations spanning the entire IoT supply chain, to help keep organisations protected from the vulnerabilities that can arise when building connected products.
These guidelines laid out some key recommendations, including ensuring that a culture of ‘Security by Design’ is adopted at all stages of the development process, so that any potential security issues are caught early in development and rectified before making their way too far down the chain. They also proposed that cyber security expertise should be integrated across all departments of the business. After all, if someone with some cyber security knowledge were present not only at the early development stage but also in the wider engineering, management or even marketing functions, that too would help spot flaws early on.
This all sounds great and is an ethos that we can get behind. But what happens once all of this has been done and the device enters the consumer’s home? How is security maintained then?
Don’t let the security expire
Once a device is in the home, unfortunately, is where its security can suffer. After all, if you think about it, how many times since bringing a smart device into your home have you updated its security or received security patches, as you would on your laptop? The answer is often never.
This is because the way the device is delivered is often how it stays. And in the world of cyber security, we know that this can very quickly mean a device is deemed insecure. For example, a vulnerability could be disclosed that means your doorbell with its hidden camera, which you envisioned would only be used by you to see who is outside your house, could easily be used by a hacker to turn the tables, as they suddenly start watching you and use that connection to pivot quickly to other points within your network.
Who is responsible?
There should be a greater onus on manufacturers to place these devices under greater scrutiny from the beginning and to provide longer-term security support, so that they don’t reach end of life within a matter of months. While this may mean that developing the device takes longer, and consequently affects the price of the product, it could offer manufacturers a stronger competitive advantage in the market as consumers become a little more security-savvy.
There have also been calls for manufacturers to be more transparent about the security their devices possess, so that consumers can make a more informed choice. Whether this should be some sort of equivalent of the ‘CE’ mark, or even labelling devices in a similar way to food nutrition labels, as suggested by some professors at Carnegie Mellon University in the US, is up for debate. But, by and large, there is a consensus that more should and could be done to secure IoT devices, and how this plays out moving forwards will be one to watch.