Security, security, security
The Internet of Things (IoT) is on everyone’s lips as its offering seems to encompass just that – everyone and everything(s). But as its ubiquity grows, security is increasingly going to be a topic of conversation. And so it should be: security is essential not only to protect both digital and physical assets, but also to ensure that end-users feel comfortable using devices and platforms that share their data (even when it is anonymised).
The media love a good hacking story: whether it’s an Ocean’s 11-esque hack of a fish tank in a casino, Amazon’s Alexa being hacked to emit an unprompted sinister laugh, or even high in the sky simulations of how the entirety of New York could be brought down by hackers. Quite frankly, it all feels very Mr. Robot. And suspicion is growing.
As of June 2018, there is no industry standard for security when it comes to IoT devices and platforms. Of course, there are individual trade bodies such as the LoRa Alliance who have their own certification. However, without a widely accepted (or enforced) standard it is not surprising that the ad hoc nature of security in IoT is a hot topic in industry and media.
A number of other groups are working with industry stakeholders to form certifications and tick marks not tethered to isolated protocols. For instance, in May 2018 the British Standards Institution launched their Kitemark for IoT Devices to ensure that consumers were able to identify the security of IoT products. Although this is a good start in bringing together a currently disparate industry, this Kitemark appears to be more focused on consumers, and less so on industrial IoT applications. Another project is the Open Internet of Things Certification Mark spearheaded by the Internet of Things London community. Currently in the drafting stage, this does speak more to industrial applications, but with a specific focus on data access and use (as per GDPR compliance). There’s already a lot of great work driven by industry to formalize the communication of security in IoT devices, which may inform industry standards, but it may be a while before there are governing laws put in place.
So, what can be done in the meantime? In FinTech, where there are more regulations in place, penetration testing is used to check security through a controlled simulation of a hack. By conducting these stress tests, developers and engineers are able to identify flaws in design that can be remedied before the product hits the shelves. As these types of tests become more readily available and proven in their own right, they can be integrated into the cycle of product development – futureproofing products for when this type of security testing becomes necessary to achieve tick mark certification, or to meet legal requirements (when that day arrives).
Another factor to consider is that the security landscape is continually changing. More consumer data is being captured than ever before, and hackers worldwide – state-sponsored or otherwise – are known to look for methods of compromising these new networks. The need for security testing to be adaptive and flexible is key to combating these emerging risks, and the downside of failure – both in terms of the bottom line and the public perception of this technology – could be large.
The widespread adoption of IoT may still be in an embryonic stage, but in the meantime start-ups and tech giants alike need to keep in mind that security is integral to the success of this technology, and continue working to develop regulations and industry best practice. For IoT to fulfil its potential, customers must be reassured both of the opportunities for it to support their digital transformation, and that their data is in safe hands.