Ross Anderson, professor of security engineering at the University of Cambridge
Ross Anderson, professor of security engineering at the University of Cambridge

The European Union should become the de facto world regulator for the security of the Internet of Things, according to one of the speakers at the IoT Security Foundation conference in London today.

Ross Anderson, professor of security engineering at the University of Cambridge, argued that the European Union should set the pace for IoT security because it is the largest government in the world that cares about the issue.

He said that whereas the United States has shown leadership in setting standards for autonomous vehicles, when it came to IoT, such as medical devices, it had shown little interest in regulating the industry.

He drew a parallel with development of privacy software which organisations like Google undertake in Germany because it has the strictest rules around this and if you can make it work in Germany, it will work anywhere.

The growth in autonomous cars will drive greater interest in IoT security, he said. Toyota says that by 2019 all of its cars will come equipped with all the sensors they need to drive autonomously. The actual functionality would then be rolled out through automated updates, in much the same way that Tesla cars do now.

Prof Anderson said that within 10 years, all new cars will depend on a monthly software patch. The US, as the leading consumer of automobiles in the world, will have a great influence on how this is rolled out.

However, in the world of medical devices, there is a crying need for action to be taken to standardise the software and the hardware.

He said that when you go into the hospital, you can be dependent on 40 to 50 computers running monitors and therapeutic devices. But many of these devices are completely nonstandard, so that on one machine you press “1” to increase the quantity of drugs being pushed through a drug pump while on another device it's “5”.

Is it any wonder that 2000 people a year die in the UK from mistakes involving medical devices?

“We have known for 20 years the need to upgrade the Internet of Things for security but now it's moving up the agenda, front and centre,” he said.

Unfortunately, safety regulators are behind the curve. For instance, he pointed out that automobile safety testers still go through a regime of crashing cars into barriers and video recording crash test dummies.

Although that process works on a product that has a three-year development cycle and 10 year lifecycle, it's not adequate for an industry where the adversary can discover a flaw today and use it to target a million devices tomorrow.

There are dozens of regulators at the EU level and hundreds in the member states that are addressing these issues.

However, the EU could do more by updating the product liability directive, require vendors to certify for their CE marks that their products are secure by default and update the NIS Directive.

And the EU or individual states need to bear in mind that cyber-security is not all about counter-terrorism. We need an agency staffed by security experts who are working on behalf of consumers, not focused on national security, he said.