The IoT Chronicles Part 3: Security Regulation
There’s no denying the transformative power of the IoT (whether or not you’ve read this IoT Chronicles blog series.) Practically every object imaginable today has a smart or connected equivalent: the smart home, connected car, smart city … the list goes on. As we move forward, the IoT will continue to have a powerful effect on the world as we know it, including a tangible return for businesses that are currently investing at a rapid pace. Gartner’s Chief of Research Daryl Plummer, for instance, predicts that the IoT will save consumers and businesses $1 trillion by 2020.
At the same time, however, we also can’t deny that there are certain areas of the IoT that require strengthening. If you read part 2 of this series, then you know where I’m going with this … security. As I mentioned in part 1, we here at Avaya define the IoT as simply having an open scope. In other words, virtually anything can be considered part of the IoT, and so anything is possible. So much uncharted territory, however, also becomes a new frontier for security threats and attacks. In fact, Gartner predicts that by 2020—the same year expected to top trillions in cost savings—more than 25% of identified attacks in enterprises will involve IoT devices.
A concept as groundbreaking as the IoT doesn’t come without certain legal and regulatory implications that must be properly addressed. This leaves us with two important questions: what IoT products should be regulated and, more importantly, who should be regulating them?
To Regulate or Not to Regulate, That is the Question
Let’s tackle the first of these two questions: which IoT products should be regulated to minimize security risks? The short answer is there’s no definitive answer. Instead, we must use our judgment based on the nature of the product or device in question. While every IoT product generates and shares data, we know that there are varying levels of sensitivity among these different sets of data.
For instance, consider Samsung’s “Family Hub” smart refrigerator. The product has a Wi-Fi-enabled touchscreen that lets families manage their groceries and sync up their schedules, as well as built-in cameras that snap and send photos of what’s in their fridges so they can see what’s running low. This product certainly generates and stores its fair share of data; however, should a family’s fridge be regulated? That is, should someone be controlling the data that the product generates, stores and shares? You may think not—however, just consider last year security researchers proved a way to hack the “Family Hub” fridge to steal users’ Gmail account information, despite the object implementing SSL. The successful man-in-the-middle attack proves that any connected object can be strategically used for criminal purposes.
It all comes down to what information could be exposed when we choose not to regulate (or implement the necessary level of security for) an IoT product. Do we really need to know that a family is running low on milk? No, but we do need to know if that family’s Gmail credentials are vulnerable to theft. Now, imagine if someone were to discover such a security loophole in the smart grid? It just goes to show that every IoT object must be regulated to some degree, and these degrees will vary. Even when it comes down to two IoT products that should be regulated—say, a smart grid and a smart vehicle—each product must be regulated differently. As I have mentioned throughout this series, following status quo protocols or implementing a one-size-fits-all strategy is not suitable. While I do believe the IoT must be regulated, applying the same regulatory policy nationwide would look a lot like trying to boil an ocean.
Ultimately, what it comes down to is this: we must define and implement regulatory best practices depending on the IoT product or device at hand. Each product will have a different set of security requirements, and so each will need to be regulated differently. Certain products will require higher or lower levels of encryption, for instance, while others complete segmentation. How a product is regulated—that is, if it’s even regulated at all—will depend on its unique security requirements.
Now for the second (and more debatable) question: who should be regulating IoT security? Specifically, should the government step in?
Self-Regulation vs. Government Regulation
If you follow the IoT in the news, then you’re likely aware of the massive debate going on as to whether the government should have a hand in security regulations. If not, allow me to provide a brief recap: In a November 16, 2016 hearing—prompted by the October 21, 2016 DDoS attack on Dyn—cyber security experts discussed the hard work that lies ahead for the IoT and debated the level of involvement that government entities should have in helping promote and create security standards.
Some experts advised the government to mandate IoT security measures before vulnerabilities cause unthinkable damage. Meanwhile, other experts believed that industries should have a chance to regulate themselves, saying that government should step in only if those efforts prove ineffective.
Overall, the experts claimed that the IoT poses “a real [catastrophic] risk to life and property.” This may be true (as there’s no piece of technology today that doesn’t pose some sort of risk), but does this mean the government should start standardizing security or applying industry pressures? Would these “standards” infringe on the privacy of users? Would these industry pressures adversely affect the vertical-specific nature of the IoT? I’d say so, and I’m not alone in my thinking.
Travis LeBlanc, the FCC’s chief of the Bureau of Enforcement, similarly agrees that prohibiting industries from self-regulation is a dangerous move. In fact, during a November 1, 2016 discussion on IoT security, he stressed that overregulation right now, at such an early stage, would “constrain the innovation of the future in ways that no legislator ever intended.”
When it comes to government regulation, what’s considered acceptable and unacceptable drastically differs based on the person being asked. I myself am of firm belief that standardizing IoT security will be nothing short of disastrous. Every industry’s relationship to the IoT—from opportunities for innovation to security requirements—is unique and must be tackled differently. As of right now, self-regulation remains a responsibility that industry leaders should take very seriously.
While there’s no one-size-fits-all approach to securing the IoT, there’s one thing organizations within virtually every industry should be doing: making sure the network traffic between their IoT devices is truly isolated so that unauthorized users can’t see or access it. Machine-to-machine IoT communications need to have session authentication. The way in which we communicate is changing. We used to start with human-to-human, but that’s been pushed down to third- and fourth-level communications. Now it looks like this: machine-to-machine, machine-to-AI, machine-to-human, followed by human-to-human. If this doesn’t call for something uniquely different to tackle security, what does?
Isolation of services is something that can be achieved with an end-to-end segmentation solution, which allows businesses to create stealth, extensible hyper-segments that span their entire network. If you’re not exactly sure what this is all about, you can check out a three-part blog series I recently wrote that breaks down everything for you.
We’re not done yet: In the upcoming final part of this series, I’ll explore the future of the IoT and share my top trends and predictions for 2017. Stay tuned.