05 Mar 2020

The development of IoT technology is undoubtedly seen as a benefit to society, with individuals and businesses becoming more connected, increasing the opportunities for innovation. However, many IoT devices lack basic security features, meaning they are vulnerable to improper access and exploitation. In today's interconnected world, virtually all individuals and companies are potential targets for cyber-attacks.

The purpose of this article is to provide an insight into the key challenges for the cyber security industry in combatting the risk of harm caused by IoT devices, with security and regulation playing catch up in light of the rapid development of technology.

Key challenges

  • Increase in the use of IoT technology: By 2025 it is predicted that there will be an estimated 75 billion internet connected devices globally [1] and in the UK it is estimated that smart devices in households could increase by 50%, from 10 to 15 devices per household during 2020 [2] .
  • Increase in IOT data collection : We have seen business models adapt to maximise their collection of and use of data, seeking to use IoT technology as a means to do so and gain a competitive advantage. This increases the magnitude of harm when an IoT device is compromised.
  • Increase in cyber-attacks: The volume of cyber-attacks on UK businesses have increased by over 240%, with IoT devices and file sharing services being the most frequently targeted applications. [3]
  • Hacking success: A power grid, smart home devices and connected vehicles have all been hacked. There is a genuine concern that this hacking could be replicated on a wider scale, for example, hacking multiple devices to cause power failure issues.

2020 - the year regulation catches up?

While the GDPR requires a privacy by design approach, there has been a global lack of guidance and regulation in this area. In addition, legal analysis indicates that the EU's regulatory regime is too complex, in comparison with other regions. [4] The overall result is a lack of legal certainty, coupled with higher compliance costs, meaning companies in the EU are naturally at a disadvantage from an innovation and IoT technology development perspective. This however seems to be changing, as governments and regulators look to combat these key challenges globally.

  • UK: Regulatory proposals for consumer IoT security consultation and Code of Practice for consumer IoT security . The code of practice sets out clear guidelines that must be complied with and includes an obligation to encrypt security-sensitive data, including remote management and control. The standard of encryption should be " appropriate to the properties of the technology and usage", meaning there is no one size fits all approach.
  • UK, US, Canada, Australia and New Zealand: Statement of intent , which acknowledges that compromised devices could have serious consequences for individuals, our economies and national security.
  • UK and Singapore: Joint Statement on cooperation , aimed at promoting user security "by default" and setting clear good practice principles. These principles include ensuring universal default passwords are not used and working towards a position and process where researchers can report security vulnerabilities.
  • Europe: Draft European Standard , the draft standard, if adopted, will require manufacturers to provide a public point of contact as part of a vulnerability disclosure policy so that security researchers are able to report issues. Manufacturers will in turn be required to act on any disclosed vulnerabilities in a " timely manner".
  • California: IoT Device Security Act , which demands that companies building connected products ensure these are implemented with "reasonable security features". The definition of "reasonable" is elusive, but it is clear the new law takes into consideration the device's functionality and the type of data being collected, when determining whether the security features are reasonable.
  • Globally: Self-regulation , there has been an increase in self-regulation in 2020, with companies joining initiatives in an attempt to show customers that they are implementing the necessary measures to ensure data is held securely.

Globally there is a clear recognition that more needs to be done to ensure the security of data processed by IoT devices. Interestingly, one consistent message from the recent regulatory developments is that manufacturers should provide a clear framework through which researchers can submit any shortfalls in the security of their IoT devices. Arguably, this could be seen as an encouragement / green light to ethical hacking.

A tension has always existed between sharing vulnerabilities and learnings for the greater good on the one hand and managing liabilities and reputational harm on the other, but the law appears to be going in favour of collective protection. This poses good and bad news. For consumers, this leads to greater transparency. For manufacturers, it could expose sensitive know-how to the market. For everyone else, like insurers and regulators, it starts to create an accepted benchmark against which IoT risk can be assessed.