Kathleen Martin

Guest
More than 100 tech and cybersecurity entities are calling for governments and industry to move towards universal standards for baseline security when it comes to Internet of Things devices.
In a letter released Thursday, 104 different organizations – ranging from private companies like Google, Microsoft and Deloitte to non-profits like Consumer Reports, the Center for Internet Security, and the Cyber Threat Alliance – said there is a “global consensus” forming around the need for IoT security standards that must be addressed through a mix of government regulation and voluntary private sector action.
In particular, the groups highlight five security capabilities that all connected devices should share: regular software updates, no default passwords, a vulnerability disclosure policy for the product or manufacturer, data security, and secure communications. These five capabilities are already in more than 100 security and privacy standards around the world, and further adoption could help dramatically reshape the notoriously shoddy and largely unregulated IoT security landscape.
“While all stakeholders – manufacturers, distributors, vendors, regulators, even consumers themselves – have respective roles to play in the safe development, deployment and use of IoT products, device security requires manufacturers and vendors who place devices on the market to adhere to best practices to ensure products are designed with security in mind,” the group writes. “With connected devices today having supply chains that reach around the world, establishing a recognized global baseline for consumer IoT security is a critical step toward a more resilient and trusted digital future.”
One of the most challenging aspects of regulating this area is that “IoT” is essentially a catch-all term for a wide range of products and devices, many of which have different levels of technological maturity and sophistication. The software powering a smart fridge or Alexa device is exponentially more complex and trickier to secure than a low-grade light or power sensor, yet all can be, and regularly are, captured under the current definition.
That makes it difficult to develop standards that would be relevant to the security problems posed by products and systems on the higher end of the scale while still being practical for manufacturers at the lower end. Even defining what an IoT device is and what it is not can be difficult. The groups acknowledge that this will not be a smooth or easy process, and pledge to continue working through international bodies like the World Economic Forum to develop additional guidance and throw their consensus support behind emerging standards.
Continue reading: https://www.scmagazine.com/analysis/iot/more-than-100-tech-companies-cyber-organizations-rally-around-5-baseline-security-standards-for-iot-devices
 
