Ian Castle, CTO, ECSC

It's no secret that the IoT will reset the way companies go about their business. By 2020 it is projected that offices, factories and businesses will play host to 11.2 billion connected devices. By way of comparison, it will take the human race until 2100 to reach that same number, a stark reminder of how quickly connected devices are coming to outnumber people.

The potential of this development is well known: a vast increase in the ways that businesses and consumers, goods and services, logistics and manufacturers can connect, and radical new possibilities in areas such as healthcare.

With the excitement around the benefits of the IoT, its potential dangers have received less attention. Because the sector is changing so rapidly, there is uncertainty over which security risks will emerge as connected devices grow in importance. More importantly still, there is as yet no settled playbook for combating IoT security risks.

When thinking about IoT security, it is worth considering the parallels with SCADA industrial control systems. SCADA can be thought of as the IoT confined to defined, private networks rather than operated from the cloud.

SCADA systems are themselves memorable for several major security incidents, most notably the Stuxnet attack on Iran's uranium-enrichment facilities and intrusions into US hydroelectric plants. The risks underlying SCADA systems are the same for the IoT, only this time each device presents an internet-facing access point for would-be hackers.

The scale and reach of the IoT into our everyday and business lives will be orders of magnitude larger than SCADA systems ever attained.

Given the potential dangers it is remarkable how lightly IoT devices are regulated. In fact, when you consider the regulations covering every other aspect of these devices (electrical, safety, fitness for purpose, and so on) there is a jarring gap in the regulation of their security.

Part of this regulatory vacuum is the natural result of a rapidly evolving sector. But there is a bigger problem resulting from the way we currently think about the standards themselves.

By their nature, IoT devices end up gathering valuable personal and business information. Despite this, data protection laws as they currently stand fail to cover the devices, or indeed the sites to which your information is relayed. As a result, the burden of data security will tend to fall on the end-user.

Most of the standards we have in place to ensure the quality and safety of the products we use every day are structured around fitness for purpose; in effect, they make sure that products perform their intended functions. But when it comes to data security, a device may well continue to function perfectly even after it has been breached.

For example, a connected security camera presents an access point for hackers. But because a breach will not materially affect the functionality of the device, current regulatory standards are blind to the dangers therein.

With the security burden falling on the end-user, it is no trivial thing to guard against IoT attacks. There are two principal challenges.

Firstly, at a bottom-up level, the day-to-day management of the devices will often fall to individuals without security expertise. Simple mistakes will be made because the end-user is not qualified to protect the device.

Secondly, from a top-down perspective, IoT devices will lead to a steep increase in the complexity of a business's IT estate. Consider that passwords, firmware uploads, version upgrades, etc. will be multiplied across every individual device.

The danger here is that the additional complexity leads to cut corners and blind spots in a company's security system.

The basic building blocks of information security are inventory, secure configuration and patching. Once you have a large collection of 'things', these become very hard to do, especially when the devices belong to employees and are brought into the workplace. Again, device suppliers will not cover this liability.
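To make those three building blocks concrete, here is an added example (not from the original article, and not ECSC's tooling) that reconciles what is actually on the network against an asset inventory and flags the gaps the text warns about: unmanaged devices that employees have brought in, devices still on default credentials, and devices running firmware behind the vendor's latest release. The inventory, the firmware baseline and the DHCP lease log lines are all constructed for illustration; the device names, MAC addresses and version numbers are made up.

```python
"""Audit a constructed IoT estate for inventory, configuration and patch gaps.

Added example, not code from the original article. Every device, MAC address,
firmware version and log line below is constructed for illustration.
"""
import re

# Constructed authoritative inventory: what the business thinks it owns.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "lobby-cam-1", "model": "CamX", "firmware": "2.1.0", "default_creds": False},
    "aa:bb:cc:00:00:02": {"name": "hvac-ctl", "model": "ThermoY", "firmware": "1.4.2", "default_creds": True},
    "aa:bb:cc:00:00:03": {"name": "badge-reader", "model": "DoorZ", "firmware": "0.9.8", "default_creds": False},
}

# Constructed vendor baseline: latest firmware per model (hypothetical values).
LATEST_FIRMWARE = {"CamX": "2.3.1", "ThermoY": "1.4.2", "DoorZ": "1.0.0"}

# Constructed DHCP lease log, the kind a network team can pull from its own
# server. A MAC that is not in INVENTORY is an unmanaged "thing" on the wire.
DHCP_LOG = """\
Jun 12 08:01:02 dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:01 (lobby-cam-1) via eth0
Jun 12 08:01:09 dhcpd: DHCPACK on 10.0.5.22 to aa:bb:cc:00:00:02 (hvac-ctl) via eth0
Jun 12 08:02:41 dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:12:34 (android-3f9c) via eth0
Jun 12 08:03:10 dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:00:00:03 (badge-reader) via eth0
"""

# ISC dhcpd-style DHCPACK line: IP, MAC, optional hostname in parentheses.
DHCPACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \(([^)]*)\))?")


def parse_version(version):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def observed_devices(log):
    """Return {mac: (ip, hostname)} for every DHCPACK in the log (last lease wins)."""
    seen = {}
    for line in log.splitlines():
        match = DHCPACK_RE.search(line)
        if match:
            ip, mac, host = match.groups()
            seen[mac.lower()] = (ip, host or "")
    return seen


def audit(inventory, latest, log):
    """Return a list of (kind, mac, detail) findings covering the three building blocks."""
    findings = []
    seen = observed_devices(log)

    # Inventory, direction one: things on the network the inventory does not know about.
    for mac, (ip, host) in seen.items():
        if mac not in inventory:
            findings.append(("unmanaged", mac, f"{host or 'unknown'} at {ip} not in inventory"))

    for mac, dev in inventory.items():
        # Inventory, direction two: owned devices that never appeared (lost, moved, or offline).
        if mac not in seen:
            findings.append(("missing", mac, f"{dev['name']} not seen on network"))
        # Secure configuration: anything still on vendor default credentials.
        if dev["default_creds"]:
            findings.append(("default-credentials", mac, dev["name"]))
        # Patching: firmware behind the vendor's latest release for that model.
        newest = latest.get(dev["model"])
        if newest and parse_version(dev["firmware"]) < parse_version(newest):
            findings.append(("outdated-firmware", mac, f"{dev['name']} {dev['firmware']} < {newest}"))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in audit(INVENTORY, LATEST_FIRMWARE, DHCP_LOG):
        print(f"{kind:20} {mac}  {detail}")
```

On the constructed data this reports one unmanaged device (the employee's phone at 10.0.5.77), one device on default credentials (the HVAC controller) and two devices with outdated firmware; the same three checks scale to thousands of devices once the inventory and the lease logs are pulled from real systems rather than embedded literals.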

The IoT has the potential to radically change our working and home lives. But as with driverless cars, a new paradigm is accompanied by an urgent need for a new legal framework to ensure the safety of end-users, whether they be businesses or consumers.

Contributed by Ian Castle, CTO, ECSC