New Report on IoT Security

The Atlantic Council has published a report on securing the Internet of Things: “Security in the Billions: Toward a Multinational Strategy to Better Secure the IoT Ecosystem.” The report examines the regulatory approaches taken by four countries—the US, the UK, Australia, and Singapore—to secure home, medical, and networking/telecommunications devices. The report recommends that regulators should 1) enforce minimum security standards for manufacturers of IoT devices, 2) incentivize higher levels of security through public contracting, and 3) try to align IoT standards internationally (for example, international guidance on handling connected devices that stop receiving security updates).

This report looks to existing security initiatives as much as possible—both to leverage existing work and to avoid counterproductively suggesting an entirely new approach to IoT security—while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. It walks through the current state of risk in the ecosystem, analyzes challenges with the current policy model, and describes a synthesized IoT security framework. The report then lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting a baseline of minimally acceptable security (or “Tier 1”), incentivizing above the baseline (or “Tier 2” and above), and pursuing international alignment on standards and implementation across the entire IoT product lifecycle (from design to sunsetting). It also includes implementation guidance for the United States, Australia, UK, and Singapore, providing a clearer roadmap for countries to operationalize the recommendations in their specific jurisdictions—and push towards a stronger, more cohesive multinational approach to securing the IoT worldwide.

Note: One of the authors of this report was a student of mine at Harvard Kennedy School, and did this work with the Atlantic Council under my supervision.

Posted on September 27, 2022 at 6:15 AM. 16 Comments

Comments

mark September 27, 2022 11:47 AM

And are they going to require, by law, manufacturers to update security on everything sold just to sell it in the US?

Of course not.

No, I don’t have any IoT (or, as the lady wrote, the “Internet of Gratuitously Connected Insecure Things”, or IJIT).

iAPX September 27, 2022 3:34 PM

The funny thing is that they don’t define IoT, and Wikipedia’s definition didn’t help either, as my keyboard or the NVMe storage unit on my computer are thus IoT, as well as my monitor or my fridge.

I see this initiative as too little, too late.
If considering only Wifi/Ethernet TCP/IP devices, nobody seems to understand what they really are: 24/7 connected servers.

Routers being the best example of 24/7 servers, ubiquitous, with usually outdated software (and no updates offered!), while directly connected to the Internet.
I urge everyone to take a look at routersecurity.org (this is not an Ad!)

The current state of security for IoT is a catastrophe.
I don’t see that changing in mid-term, except by becoming a bigger catastrophe.

Ted September 27, 2022 6:05 PM

@iAPX

I think they do actually try to define what is considered in-scope for the report. Check out pages 5 and 34.

They appear to look to the definitions in ETSI’s EN 303 645 and NIST’s SP 1800-16C.

As Bruce mentioned, the report has a focus on: smart homes, networking and telecommunications gear, and consumer health products.

With regards to your concern about routers, Singapore has taken an interesting approach to securing them.

For example, while the CLS is voluntary for most products, new internet routers sold in Singapore must meet the security requirements for the Level 1 label.

CLS stands for Cybersecurity Labelling Scheme.

I haven’t looked at all the graphics in the report yet. Do they help shine a light on any of your concerns?

ResearcherZero September 27, 2022 6:55 PM

More cohesion and coordination to regulatory approaches would be of great benefit. It’s surely a better approach than the many costly reports delivered to government ending up in a dusty backroom, with few of the recommendations being implemented. It may also begin to address the number of unfilled positions and slow the rate at which people quit those positions.

Security Sam September 27, 2022 8:01 PM

The internet’s fickle security
Is both a curse and a blessing
Providing some with job security
While keeping the rest guessing.

Clive Robinson September 27, 2022 11:54 PM

@ Bruce, ALL,

As you may remember I’ve been going on about “embedded systems” security since long before IoT was coined as an expression.

This report nice as it is, is a decade late at least, and deficient in many ways.

It’s why I’ve talked of “Regulatory Frameworks” not “NIST Competitions” for years. Whilst many IoT devices are only expected to have an 8-month service half-life, other systems such as network appliances will have 5-year lifetimes, industrial control systems up to 25 years and the likes of “services meters” up to 50 years.

Oh as for medical implants, how long a life do you want on those?

Remember back in 2007 former Vice President Dick Cheney, on serious security advice, when he could not put off having a pacemaker fitted, had the doctors disable the wireless interface [1]. Whilst people joke about “break dancing by ICD” the simple fact is Medtronic, who make the majority of implanted medical electronics, still do not take security seriously, if at all.

So consider a mid 40’s male or younger in the West getting told “you need…” by their doctors. Currently they would statistically be looking at around a further half century of life expectancy… What do we say to them about the “non-security” of such devices?

The software industry talks about a “Tsunami of technical debt” before even talking about vulnerabilities, let alone security. If you think about it being “In my body!!!” it’s not scary, it’s beyond frightening.

Which is why I’ve kept on mentioning it for well over a decade, and will keep on mentioning it probably until I drop dead… Because I don’t see the “medical electronics industry” even taking it remotely seriously, and they should, as should the regulators, who are very definitely “looking the other way” currently based on near covert lobbying from the manufacturers.

[1] Story on Dick Cheney finally revealing what had been “known/speculated” for some preceding time (2000ish) to him actually having it fitted,

https://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434

Ted September 28, 2022 1:31 AM

@Clive

This report nice as it is, is a decade late at least, and deficient in many ways.

Honestly, I found the report to be exceedingly contemporaneous and anchored by up-to-date developments and recommendations.

You might be pleased to know that it gives us a look at where the UK’s PSTI legislation sits at the moment. And it offers helpful suggestions for next steps. See Appendix 1.

Clive Robinson September 28, 2022 6:06 AM

@ Ted,

By “a decade late” I mean not that there is anything wrong with the report but we should have been saying it at least a decade ago if not longer. Which is actually a reflection on the lack of performance by regulators and legislators.

But is that really surprising when you consider the IT industry has been quite deliberately doing just about everything it can to be insecure by “best practice”. And where that thinking has spread into those who use the products without real complaint you realise just how backwards and downhill for the last forty years things have been.

As for things missing, have a look at the EU legislative framework for “putting on the market” of consumer products, especially electrical safety (LVD) and telecoms (RT&TE), and how it uses a framework of standards that do not go through the oh so terminally slow legislative process to be cast in stone. Whilst there is room for improvement it does work in an area with twice the US population with more “cultures” than a normal person could name. Now have a look at the FDA, FCC and similar for industry and the environment work in the US and ask questions about how their regulatory systems work or more correctly fail.

But the real danger is in long term embedded systems. I doubt any device most consumers think of as an IoT device is going to be in use for a decade, let alone five. But that is just not true of medical devices that get put in you, or those millions of utility meters that people who are quite frankly mad want to build “Smart Grids” with[1].

Then there are the industrial control systems and those that control infrastructure.

For fun use the first atom bomb as a measure of energy then start looking at various petro chem plants and what goes through them on an hourly, weekly, yearly, basis. Likewise other chemical plants in terms of chemical weapons equivalents.

There are people out there we know, actively thinking about how to actually turn those equivalents into reality…

The older an ICT device is the more vulnerabilities there are known for it; it’s a consequence of one of Schneier’s laws that attacks do not suffer from entropy. That is, they never get less effective…

If effective attacks are being found within months of a new product coming to market and others that can be traced back a quarter of a century are also being found, what does that tell you?

What does that in turn tell you about embedded devices that may be in use for half a century?

Have a think then post what you might think are the answers and how you might go about mitigating them.

I’m not asking you out of spite or anything like that, I actually would like every reader of this blog to do it. Because I think we should all be talking about it and the louder the better, because if we don’t “Who else will?”.

[1] The hidden agenda behind Smart meters is not for you to use less energy or spread the load to reduce what you pay. Anyone who believes that is quite frankly an idiot. The idea is for corporates to effectively “own your home” and you with it.

Ask anyone who lives down the West side of the US with its very peculiar water laws to understand what Smart Grids will become, and worse what in turn it will mean for you the individual. If some corporates have their way you will be taxed on every unit of energy you generate and use from “green tech” like solar and wind… You will pay pay pay and they will fail fail fail on their duties but will profit profit profit as people in Texas discovered and will no doubt discover again in the near future.

Ted September 28, 2022 9:39 AM

@Clive

Very much to your point, the report discussed the lack of development pertaining to the maintenance phase – and particularly the sunsetting phase – of the IoT lifecycle.

Interestingly, Australia has considered adding an “expiry date label” on products. It would theoretically tell consumers how long the product would receive updates. The report suggests additional studies around this.

As to the length of time it’s taken to address some of these concerns, I thought the UK hit a home run with its cost-benefit analysis report.

In the UK, DCMS published cost-benefit analysis in parallel with the filing of the PSTI Bill. This report represents one of the more admirable efforts to quantify this risk and the potential benefits of intervention.

This latest IoT report suggests additional metrics to measure the impact of interventions. Suffice it to say, it will take time to collect more data.

On a side note, I thought Recommendation 2 was interesting. Governments could address IoT quality issues at the point-of-sale (say at Amazon) rather than trying to wrangle with manufacturers.

In this vein, in its Examples of Prohibited Listings in the Electronics category, Amazon should explicitly prohibit smart home products that fail to meet the Tier 1 requirements.

Clive Robinson September 28, 2022 12:14 PM

@ Mark, ALL,

Re : Market Forces on FMCE

“And are they going to require, by law, manufacturers to update security on everything sold just to sell it in the US?”

They don’t need to, we already have a good idea what will happen from the US legislation requiring for “health and safety” reasons GPS to be fitted to mobile phones.

The FMCE phone manufacturers, rather than have separate production lines, just stuck GPS in their world model lines to save inventory costs.

Similar legislation with a “Health & Safety” excuse will very probably have the same effect on major FMCE manufacturers.

Also if Amazon say as they have done about two way radios from China, that too will cause the FMCE manufacturers to change.

So I know which way I would bet my $0.02…

John Tillotson September 28, 2022 12:25 PM

And we have the recent SEC imposition of a 35 million dollar fine for Morgan Stanley after they were caught discarding hard disks with sensitive customer data on them. The 35 million dollar fine is likely less than the CEOs bonus for the year. It’s at most a rounding error in their profits, made up in a few hours or a couple of days.

As long as the consequences of bad security are inconsequential, then the effort going into security will remain inconsequential.

https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/

Naveed September 30, 2022 2:54 AM

As per my limited knowledge, bringing IoT into your place of work comes under the definition of Shadow IT. I recently submitted an assignment related to Shadow IT in a course titled Applied Information Security at the National University of Computer and Emerging Sciences, Pakistan. I would be happy to share some of the foundational knowledge, facts and figures here.

According to Forcepoint.com [1], “Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval”. E.g. BYOD, use of cloud services like Dropbox, Google Drive, One Drive etc.
Gartner [2] predicts that one-third of successful attacks experienced by enterprises will be on their shadow IT resources.
A recent study from EMC [3] suggests that data loss and downtime cost a total of $1.7 trillion each year due to shadow IT security breaches.

How to avoid Shadow IT?
According to techtarget.com [4], shadow IT can be avoided using the following:
1. Management perspective
Diligence and awareness are two important management attributes.
2. HR and Legal department perspective
Defining penalties for employees who conduct shadow IT activities.
3. IT Team perspective
Considering deploying shadow IT detection tools.

References:
[1]. https://www.forcepoint.com/cyber-edu/shadow-it, Date of access: 14th Sep, 2022.
[2]. https://www.gartner.com/smarterwithgartner/protect-your-organization-from-cyber-and-ransomware-attacks/, Date of access: 14th Sep, 2022.
[3]. https://track.g2.com/resources/shadow-it-statistics, Date of access: 14th Sep, 2022.
[4]. https://www.techtarget.com/searchcio/tip/6-dangers-of-shadow-IT-and-how-to-avoid-them, Date of access: 14th Sep, 2022.
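The third item in the list above, deploying detection tooling, is the one that admits a concrete illustration. The following is an added example, not code from the commenter or from any of the cited sources: it reads DHCP lease records in the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client-id), compares each MAC against an IT-approved asset inventory, and flags anything the inventory does not know about, which is exactly how an unsanctioned smart plug or camera on the office network would surface. The lease lines, the `approved` inventory, and the function names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in dnsmasq lease-file layout:
// <expiry epoch> <MAC> <IP> <hostname> <client-id>
// The last two devices are the "shadow IT" the inventory does not know about.
const sampleLeases = `1664400000 aa:bb:cc:00:00:01 192.168.1.20 finance-laptop 01:aa:bb:cc:00:00:01
1664400100 aa:bb:cc:00:00:02 192.168.1.21 printer-2f *
1664400200 de:ad:be:ef:00:07 192.168.1.77 smartplug-7d *
1664400300 11:22:33:44:55:66 192.168.1.90 * *`

// Hypothetical asset inventory: MACs the IT department has approved.
var approved = map[string]bool{
	"aa:bb:cc:00:00:01": true,
	"aa:bb:cc:00:00:02": true,
}

// Lease is the subset of a DHCP lease record the check needs.
type Lease struct {
	MAC, IP, Hostname string
}

// ParseLeases splits each line into whitespace-separated fields and keeps the
// MAC, IP and hostname. Lines with too few fields are skipped rather than
// trusted, so a truncated record cannot masquerade as an approved device.
func ParseLeases(text string) []Lease {
	var out []Lease
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 {
			continue
		}
		// MACs are normalised to lower case so inventory lookups are exact.
		out = append(out, Lease{MAC: strings.ToLower(f[1]), IP: f[2], Hostname: f[3]})
	}
	return out
}

// UnapprovedDevices returns every lease whose MAC is absent from the inventory.
func UnapprovedDevices(leases []Lease, inventory map[string]bool) []Lease {
	var flagged []Lease
	for _, l := range leases {
		if !inventory[l.MAC] {
			flagged = append(flagged, l)
		}
	}
	return flagged
}

func main() {
	for _, l := range UnapprovedDevices(ParseLeases(sampleLeases), approved) {
		fmt.Printf("unapproved device: %s %s (%s)\n", l.MAC, l.IP, l.Hostname)
	}
}
```

A MAC allowlist is only a first-pass signal, since MACs are trivially spoofed; in practice the flagged list is what you feed into 802.1X enforcement or a quarantine VLAN rather than the final word.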

lurker October 2, 2022 3:18 PM

@Naveed
track(dot)g2:
“Approximately $34 billion in yearly licensing waste is generated each year between the US and UK.”

Somebody is claiming that as a saving; somebody else is using it for a tax deduction.

SpaceLifeForm October 2, 2022 6:41 PM

@ John Tillotson

The scuttlebutt is that Credit Suisse, Deutsche Bank, and HSBC are all in major trouble. Ranking in that order.

But it may very well be that it is Morgan Stanley.

They are all in trouble.

The US FED is having a closed meeting tomorrow. Someone is begging for a bailout.

We are at a tipping point. It may be best to just let a bank fail. To teach the fascists a lesson. No more bailouts.

Chris October 15, 2022 4:49 AM

I was one of the group consulted by the ACSC on securing Australian IoT.

It was an absolute scam: they had NO BUDGET (I specifically), engaged in excessive “verballing” (I was the most annoying participant, constantly pointing out the misinformation they were peddling, much to the annoyance of everyone), the laptop doing the presentation had a Windows security warning over all slides because updates were disabled and it was out of date, and everyone who turned up was “general public” (I was the only programmer, and only security professional in the entire audience).

We had sessions with whiteboards and post-it notes and so forth, which all yelled the expected parroted responses (we were verballed), and my proposed solution was totally ignored.

There’s no way to secure IoT using rules, because the folk shipping the products do not and cannot follow those.

The only way to properly secure IoT, is for someone to hire smart embedded coders to fix the total screwup that is the IoT development ecosystem personally, and give away all that work for free.

If you’ve never flashed an ESP32 with a wifi script – you have no possible way to understand just how bad everything is. Garbage insecure libs for the devices. Unsigned everything for the code that flashes them. Insecure public repos and toolchains by unknown/anonymous authors behind everything. Pirated unsigned drivers for the USB and other adapters to drive them. EVERYTHING is a security nightmare. Stupid ideas like “advice” have no hope of making any difference.

“IoT” comes from Chinese back rooms trying to ship inexpensive products (or Kickstarter startups, or similar). They all understand how to download anything that makes their stuff work. There’s 0.0% chance they’ll give a rats arse about “Policy”!
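The “unsigned everything” complaint above is the one technical point in this thread that can be shown in code. What follows is an added example, not code from the commenter, the report, or any device vendor: the device-side check that a signed-update scheme needs before a new image is written to flash. The vendor signs a small manifest (version counter plus SHA-256 of the image) with an Ed25519 key; the device verifies the signature with a pinned public key, checks the image against the manifest digest, and refuses any version not newer than what is installed, which blocks rollback to a known-vulnerable build. The manifest layout and the names `Manifest`, `SignManifest` and `VerifyUpdate` are assumptions for illustration; a real device keeps the public key in ROM or OTP and the installed version in a monotonic counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical minimal update manifest: a monotonic version
// counter and the SHA-256 of the firmware image it describes.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// bytes gives the canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// SignManifest is the vendor-side step (assumed to run on the build server,
// never on the device).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("image version not newer than installed version")
)

// VerifyUpdate is the device-side check, in the order a bootloader would run
// it: authenticate the manifest first, then bind the image to it, then enforce
// the anti-rollback rule against the currently installed version.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair and image for the demonstration.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")
	m := Manifest{Version: 2, Digest: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	fmt.Println("good update:", VerifyUpdate(pub, m, sig, image, 1))

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, m, sig, tampered, 1))

	fmt.Println("rollback to v2 on a v2 device:", VerifyUpdate(pub, m, sig, image, 2))
}
```

The signature covers the manifest rather than the whole image so the device can verify a few dozen bytes before streaming and hashing a multi-megabyte image; the digest check is what ties the two together, and skipping either check reopens the unsigned-flash problem the comment describes.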

Riccardo Bernardini October 22, 2022 3:13 AM

I would also add the requirement: enforce minimum software correctness standards, although this should be implied by suggestion 1 “enforce minimum security standards” since a bug can undermine any security protocol you decide to adopt.
