On Wednesday 7th March 2018, the Department for Digital, Culture, Media and Sport (DCMS) is launching its Secure by Design report to address the growing security problem surrounding IoT (Internet of Things) devices. This report is the result of many months of hard work and something that we, at NquiringMinds, are proud to have been part of.
IoT security is an issue that desperately needs attention. In a former life as CTO of OMTP I led a number of initiatives focusing on securing mobile devices. This work spanned 5+ years and hundreds of security professionals, involved all the major mobile network operators, all the major handset vendors and all the major chip-set vendors, and had executive-level sponsorship across the global ecosystem; and yet, despite its many successes, the problem is still not entirely fixed.
IoT security is not only going to be a lot harder to solve, but the potential impact of insecure devices could also be much higher.
So what are the key challenges?
Who owns the problem?
The mobile device security problem has an implicit problem owner. Every time something goes wrong, a mobile network operator is going to get a customer support call. From the perspective of the average consumer it doesn’t really matter whose fault it was: “I bought the phone from you, therefore if it goes wrong you have to fix it.” Love them or hate them, the mobile network operators do fulfil a valuable function here from a security perspective. The fact that they carry an implicit liability (the cost of handling support calls) means they have both the incentive (cash) and the ability (control of the supply and retail chain) to do something about it.
As it stands at the moment it’s hard to see who is going to fulfil this role for IoT. Who has the incentive and the ability to put pressure on the IoT ecosystem to sort out its security problems? IoT is emergent and incredibly diverse, and one of the most exciting things about it is that the value chains have not yet solidified, meaning there is scope for both technical and business innovation. But all this excitement comes at a cost.
Connectedness and consequence
IoT by its nature is incredibly connected. Mobile phones are also connected, but largely just to each other. An IoT device could be connected to almost anything. The end device itself, say a thermometer or heat sensor, could be incredibly innocuous: what harm could you possibly do with that? Why do I have to secure something that just tells me how warm it is?
Well, it’s all a question of what you use it for. If you’re using it to display how hot it is on a wall, then maybe not. But if you’re using it to control something, like a nuclear reactor, then maybe it becomes a lot more important. Any fans of the latest series of Mr Robot (the Netflix series) have witnessed, in a fictional reality, civilisation being almost destroyed by a hacked thermostat. Maybe this is a little on the sensational side, but the scenario is not as far-fetched as you might think.
The fundamental challenge here is that at the point of deployment you don’t necessarily know what system a sensor is going to be used in, or what it’s going to be connected to. How can you possibly ensure your security is “good enough”?
The dangers of cheap
Consumer IoT devices, if they are going to succeed, need to be cheap. A lot of the anticipated business models for IoT will not work unless the capital investment required is very low. But on the other hand, security costs. Whether this is the physical security of the devices themselves or the security investment needed in system design, there is a clear counter-pressure. There is no simple solution to this most basic of commercial tensions.
What can be done?
Yet despite all these risks, IoT will continue to roll out. And so it should. Security is not a binary condition; it is always a measure of risk vs reward.
But bearing in mind the issues above, government intervention is going to be essential until the market stabilises and the necessary commercial incentives are in place for the industry to police and secure itself.
This is why the work of DCMS is so important. It’s only a first step, to be sure. So much more needs to be done for the economic opportunity of IoT to come to fruition. But this first step will help move the industry forward, putting in place the first simple layers of protection that give consumers the confidence to actually go out and buy these things.
The full report is available at: www.gov.uk/government/publications/secure-by-design