Will Regulations Secure the IoT Wild West?

Regulations could be the only way IoT is managed securely and effectively by device makers and users alike

Securing IoT devices is like the Wild West, untamed and lawless. However, IoT is spanning far beyond the West, creating a global network of vulnerable devices and data.

As IoT proliferation sweeps across the planet, businesses and consumers are benefiting greatly from the increased connectivity. However, this connectivity is also introducing greater security risks than ever before. These risks must be properly handled by manufacturers to prevent consumers from losing confidence in these devices.

If only it were that simple. Many manufacturers that understand the security risks of their devices still refuse to allocate budget to properly develop security protections, because it is seen as a cost they can’t recoup. Without monetary incentives for device manufacturers, there is nothing to motivate them to change their practices and design and build cybersecurity protections into their products. If the businesses they sell to don’t hold them accountable and consumers continue to purchase their products without necessary security features, what can ultimately convince manufactures to change their practices? The simple answer: Regulation.

Inevitably, if nothing changes, there will be a time of reckoning. Government regulations will be enacted to protect businesses and consumers. Recently, we’ve seen emerging security standards for IoT and data privacy. California’s new IoT Cybersecurity Law will require manufacturers of connected devices to produce them with “reasonable” security features. We’ve also seen data privacy protection from the European General Data Protection Regulation (GDPR).

In addition to these regulations, more will come, unless the manufacturers begin changing their behavior and attitudes towards cybersecurity. These pending regulations will provide the necessary incentive for manufacturers to act responsibly—even if it requires a hit by the regulation stick.

Whether through the regulatory stick or an organization being compromised, device manufacturers at some point will pay for the cost of cybersecurity. Manufacturers that act responsibly and build cybersecurity into the way they develop devices will be much better off. They won’t have to deal with the headache of figuring out how to bolt cybersecurity on after manufacturing practices have been figured out, or devices have been deployed.

Regulations and IoT: The Time to Act Is Now

We are at a time when device manufacturers need to take responsibility, which in the end will be better for everyone. Rather than prospecting for gold, hackers are intercepting sensitive information and gaining access to devices that can cripple a business or harm a consumer. IoT devices are providing access to the data that has become the new goldmine.

Just as barbed wire was the new technology that ended the open plain maraudings of the Wild West, new regulations look to be the 21st century solution to ending the Wild World of IoT.

  • The United Kingdom recently announced intentions to introduce new laws requiring security to be built into IoT devices. This adds to the government’s 2018 release of the world’s first IoT code of practice. This includes guidelines for manufacturers, such as no default passwords, securing credential storage and ensuring software integrity.
  • The U.S. Congress is waiting to vote on the IoT Cybersecurity Improvement Act of 2019, which would allow the standards body, NIST, to draw up IoT regulations.
  • The Japanese government will begin enforcing IoT standards next year. They’re currently working out what those standards might include, such as mandatory device identity to prevent unauthorized access and control for over-the-air updates.
  • Recently, ETSI came up with a new “global standard” for IoT, which builds on the UK government’s IoT code of practice.

It’s clear, regulatory bodies around the world are listening to business and consumer appeals for help. Unfortunately, device manufacturers see security as a cost without much benefit to them. Therefore, they continue to develop devices that lack security best practices. These new enforceable standards will serve as the needed stick putting in place penalties for manufacturers that don’t comply. This will certainly help secure the seemingly unstoppable force that comprises the Wild World of IoT.

Mike Nelson

Avatar photo

Mike Nelson

Mike Nelson is the VP of IoT Security at DigiCert, a global leader in digital security. In this role, Nelson oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations. Nelson frequently consults with organizations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them. Nelson has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Nelson’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.

mike-nelson has 17 posts and counting.See all posts by mike-nelson