Standards, regulation, and accountability are required to avoid IoT Armageddon

02 Nov 16

Potential security concerns regarding the deployment of an ever-increasing number of Internet of Things (IoT) devices are well documented. 

However, such concerns routinely focus on the potential vulnerabilities of individual solutions rather than recognising the implicit dangers in a global system that is only “as strong as its weakest link.”

The Dyn DDoS event is a wake-up call

The recent Dyn distributed denial-of-service (DDoS) attack has caused consternation in the technical communities intimately concerned with the “plumbing” of the Internet. 

While the debate over who carried out the attack, what was involved, and why it took place remains the subject of detailed sleuthing, a security paradigm shift has occurred that is going to challenge governments worldwide.

The attack used a large botnet of low-grade, poorly secured Internet devices – it’s possible that your fridge, your neighbor’s router, or my TV was involved. 

As the number of devices connected to the net increases exponentially, there is a significant aggregated risk to overall network integrity from millions of low-cost, poorly-designed, never-patched, unmanaged devices coming online.

Where cost is the prime determinant, the security of low-end, no-brand devices is an afterthought, if it is even thought of at all. Products with no password, default passwords, no encryption, open insecure ports, known vulnerabilities, and an inability to patch flaws even if they are detected abound at the cheap commodity end of IoT.

While an initial response is often “buyer beware,” unfortunately, in aggregate, these devices have the capability to wreak havoc on the wider population.

Regulation may be a dirty word, but when products have the potential to cause significant harm, society expects government to mandate standards and regulate to ensure they are adopted. 

Motor cars must be built to safety standards, and manufacturers are held responsible when they are not – as Toyota found with its faulty accelerator issues. Samsung’s recall of the Note 7 due to the potential fire hazard is similarly well known. In both cases, well-respected companies recalled their product due to consumer and government pressure.

In the IoT space, the greatest risk is generally not from the well-known products, which tend to be designed with security considered from the outset and are promptly remediated when flaws are detected. The biggest concern is with low-end generic or unbranded devices from smaller manufacturers.

Addressing the challenges posed by these products will require administrations to consider a model like electrical goods or children’s toys, where, regardless of price point, minimum standards must be maintained and local safety regulations complied with. 

Furthermore, manufacturers and their local distributors are held liable for loss or damage resulting from substandard design.

Identifying what those minimum standards should be will be challenging, not least to ensure that the system isn’t gamed by vested interests to reduce competition, but the Dyn event highlights the frightening potential from continuing with an “anything goes” approach to network device connectivity.

Just as the new-model virtual businesses, such as Uber and Airbnb, are requiring governments to rapidly develop new-model regulations, pervasive IoT will necessitate legislators walking a fine line that protects the “Internet commons,” without stifling technical innovation.

Article by Al Blake, Ovum analyst
