The announcement of a new standard for Internet of Things (IoT) security by ETSI's technical committee on cyber security (TC CYBER) in June 2020 was very much welcome in the infosec industry. ETSI EN 303 645 puts in place a security baseline for consumer internet-connected products, and lays out 13 provisions outlining the steps manufacturers can take to secure devices and demonstrate compliance. Alan Grau, vice president of IoT and embedded solutions, Sectigo reports.
The new standard follows a growing trend of lawmakers and regulators waking up to the urgent issue of cyber security in the Internet of Things. California's SB-327, which went into effect at the start of 2020, and Australia's 2019 "Draft Code of Practice: Securing the Internet of Things for Consumers" had already made clear that governments and international bodies were starting to tackle the challenge head on.
When the UK announced its own IoT security proposals in January 2020, it reinforced the view that IoT security had been insufficient for years and that regulators were ready to address it.
However, the question remains: is this legislation, and are these standards, doing enough to address security for IoT devices?
The role of legislation in securing the IoT
For many years, devices operated in closed, proprietary networks, secured by a defensible perimeter. With the advent of the internet, these systems became increasingly linked to one another over TCP/IP. The benefits of this have been much discussed, with IoT devices now a central piece of consumers' lives as well as of enterprise networks. And their growth remains unstoppable: analyst house IDC predicts that by 2025 there will be 41.6 billion connected IoT devices in use.
However, legislative consensus has not kept up with this growth. As the market has expanded, new vendors and manufacturers have often undercut competitors on price to create a popular and accessible go-to-market offering. Cutting costs gets products to market quickly, but far too few vendors invest the engineering time and organisational focus needed to build in appropriate authentication and security.
In the absence of an effective IoT legislative framework, manufacturers have spent years shipping devices with little or no built-in security, often with nothing more than static, frequently shared default credentials standing between the device and a cyber criminal. Unless security is mandated, manufacturers will continue to cut corners at the expense of safety. Only legislation and thorough governance can ensure that IoT security is implemented by design, at the point of manufacture, and throughout the device lifecycle.
The small strides towards security
On one hand, it is good to see progressive steps being taken to secure IoT devices. On the other, it is clear that more changes are still needed, and that a wider consensus has to be reached.
Looking at the US, for example, SB-327 requires manufacturers of connected devices to equip them with "reasonable security features"; in particular, a device that can be logged into from outside a local network must either ship with a password unique to that unit or force the user to set a new credential before first use. It was an important step, and one aimed squarely at the botnets that had exposed how weak default credentials were in practice. Unfortunately, it is an isolated piece of legislation: it binds only devices sold in California and has no force nationally.
Looking through the lens of ETSI EN 303 645, a similar conclusion can be reached. The standard is the result of collaboration between industry, academics and governments, and yet on its own it is neither enforceable nor legally binding; it gains legal force only where a regulator chooses to reference it.
Whilst it does present a single target for manufacturers and IoT stakeholders to move towards, there will still be some in the industry who implement lax security processes, because it is cheaper and often simply because they can, without being held to account.
It is important to create forward-thinking standards that address the challenge of security across the IoT, but these need to be supplemented with a legislative agenda, one that ensures manufacturers abide by a cyber security framework when creating devices.
Why built-in is best
It is clear that governments and industry bodies need to be more active in building an IoT security consensus, but there is still some debate over what the best practices for securing these devices are. It is now widely accepted that security, including a PKI-based device identity, must be built in at the point of manufacture. With increasingly convoluted supply chains, the onus is on the OEM to ensure that the device is secure from the moment it is created.
To authenticate the device and encrypt its communications, a PKI identity (a key pair unique to that unit, certified by the manufacturer's certificate authority) needs to be provisioned during manufacture, so that it cannot be substituted or tampered with further along the supply chain by malicious actors. Only if the device's key is generated and certified at the factory, ideally inside a secure element from the foundry stage onward, can its identity be trusted across the whole device lifecycle.
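The following is an added example, not code from the article or from Sectigo, showing what a built-in PKI identity looks like in practice: a manufacturer root CA issues a per-unit certificate at provisioning time, and a back end later authenticates the unit by checking both that its certificate chains to that root and that it can sign a fresh challenge with the certified key. The organisation name, serial numbers and challenge are constructed for the example, and the CA key is generated in memory, where a real manufacturing line would keep it in an HSM and generate the device key inside the device's secure element. Only Go's standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA. Assumption for the example: the key lives in
// memory; a manufacturer's real signing key would be held in an HSM.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// provisionDevice models the factory step: a key pair is generated for one unit
// (on a real line, inside its secure element so the private key never leaves the
// chip) and the manufacturer CA signs a certificate naming the unit's serial.
func provisionDevice(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject:      pkix.Name{Organization: []string{"Example IoT Corp"}, CommonName: serial}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, devKey, err
}

// proveIdentity is the device's side of authentication: sign a server-chosen
// challenge with the key provisioned at manufacture.
func proveIdentity(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, h[:])
}

// verifyDevice is the back end's side: the certificate must chain to the
// manufacturer root with the client-auth usage, and the challenge signature must
// verify under the certified key. Returns the device serial on success.
func verifyDevice(root, dev *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := dev.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by manufacturer root: %w", err)
	}
	pub, ok := dev.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected key type in device certificate")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("device does not hold the certified private key")
	}
	return dev.Subject.CommonName, nil
}

func main() {
	root, rootKey, _ := newCA("Example IoT Corp Manufacturing Root")
	dev, devKey, _ := provisionDevice(root, rootKey, "SN-000123")
	nonce := []byte("constructed challenge 1")
	sig, _ := proveIdentity(devKey, nonce)
	fmt.Println(verifyDevice(root, dev, nonce, sig))
	// A certificate minted downstream by a CA the manufacturer never trusted is
	// rejected even though it carries the same serial number.
	rogue, rogueKey, _ := newCA("Untrusted Contract Manufacturer CA")
	fake, fakeKey, _ := provisionDevice(rogue, rogueKey, "SN-000123")
	sig2, _ := proveIdentity(fakeKey, nonce)
	fmt.Println(verifyDevice(root, fake, nonce, sig2))
}
```

The two checks in verifyDevice are what distinguish this from the static credentials the article criticises: the certificate chain ties the unit to the manufacturer rather than to a password that every unit shares, and the signed challenge proves possession of a key that, in a secure element, cannot be copied off the device. A certificate injected later in the supply chain by an unvetted CA, or a genuine certificate presented by a party without its key, both fail.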
Global supply chains – time for global standards?
IoT is bringing unparalleled connectivity between devices, people and enterprises, but it is also bringing risk to home and business networks. The industry's enormous growth has complicated manufacturing, so that devices are now built across supply chains of huge complexity spanning international borders.
To tackle this challenge, it is time for legislatures to work together on a global consensus that protects devices at every stage of their lifecycle. Only in this way will supply chains and end products remain secure, and risks to property, life and data be kept at bay.
The author is Alan Grau, vice president of IoT and Embedded Solutions, Sectigo.