The EU has floated a new idea to boost the security of Internet of Things (IoT) products – get manufacturers to stick labels on them telling buyers how secure they are.
It sounds simple enough. Products such as fridges, washing machines and ovens are already sold in the EU with mandatory energy efficiency ratings, so why not something similar for security?
In comments made at a weekend press conference, EU deputy commissioner for digital economy and society, Thibault Kleiner, spelled out some of the organization’s worries about the state of IoT.
Ever greater numbers of products were being sold with an IoT connectivity as a standard feature, he said.
That’s really a problem in the Internet of Things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification.
The EU is also worried about data privacy as IoT devices gather information of the sort that could put consumers at risk from data breaches or snooping.
It’s not about data as something you monetize, it’s about dignity, something that’s personal to an individual.
Form an orderly committee
Despite there being at least five billion devices in service with IoT capability – Gartner reckons that this is expanding by 5.5 million new devices every day – security standards are only just emerging. Meanwhile, default security is often weak.
A warning of the potential for trouble came with the recent record-breaking DDoS attack on cybersecurity blogger Brian Krebs. The ‘Mirai’ botnet that generated this huge wave of traffic came from an army of poorly-secured network cameras, digital video recorders (DVRs), routers and printers.
The Commission believes that labels guaranteeing adherence to basic security standards would encourage manufacturers to work together more closely in the spirit of common interest.
The EU is in the process of introducing the General Data Protection Regulation (GDPR), a major privacy overhaul that all large firms will have to comply with, including firms that want to use and build IoT devices.
However, getting to a situation where products are sold with labels that promise an agreed level of security seems some way off.
One hurdle is simply the diversity of products that are IoT-enabled, including motor cars, TVs, smart watches, home thermostats, smart meters, lighting systems, and home security. The IoT is suddenly everything and that will slow down the creation of common privacy and security standards.
The EU is doing its best to speed up development, investing €192 million in IoT research as part of its Horizon 2020 programme.
Unfortunately, IoT devices need better security now, not years from now when the EU has agreed what the labels should look like – and mean.
What consumers and businesses will think about having another label to peel off shiny new IoT products when pulling them out of the box remains an unknown.
Will they have faith in them? Or will they end up feeling disappointed should securing IoT devices from real-world threats turn out to be more complex than the label suggests?
Anonymous
If you’re going to do that, you might as well just mandate security standards, like “Device will not function until administrator password is set.”
Mike Egenlauf
Yes, I never understood why you can’t use an IPAD until you setup all your info, pick a password etc, but I can put a new internet router at home in with no questions and all default settings. /boggle
Bryan
Marketing collaborates with impatience:
IT is a utility, not a service. Most non-IT people see pop culture’s laughable tech representations like Swordfish and Arrow–and expect to turn the faucet and have IT come out whenever they want.
Thanks to marketing (not just Apple, but they’re a huge offender) everyone buying an iPad knows it’s nifty as a gadget and will gladly give it their info for later mass dispersal–yet when something as mundane as a router doesn’t “Just Work,” then it’s Just Broken, and they go buy something else.
No manufacturer wants their stuff returned because it wasn’t convenient, so it Just Works…right out of the box. New computers and handhelds are the only (mild) exceptions I can think of. They want that 5-star review to say “…and it was so EZ 2 set up 2 LOL!!!!1oneone”
Thomas Hedberg
The current market situation is a complete failure. I don’t see any alternative to legislation to establish some kind of minimum standard and hopefully create a situation where secure is an enabler.
Colin Bird
I would simply like to turn the clocks back to 1980 before we had all these electronic items! Life was much simpler then with very few worries about privacy or security! People did not walk around head down looking at their phone and bumping into others without apologizing! You talked verbally to your friends while looking at them. You backed up your car while looking over your shoulder, not at the little picture on your dash. In other words, we were much more aware of what we were doing and what was going on around us, and crimes were nowhere near as costly as today!
Matt Parkes
Hear hear Colin, I agree, however as we cannot turn the clocks back what we need is an all encapsulating IoT security standard along the lines of the PCI/PA DSS, ie: labels as stated but we seem to be implying here that the EU commission will simply design a rating system, create a few labels for devices and get the manufacturer to stick them on, without any kind of testing or auditing of the device, the problem as you say is that we need this yesterday not in 10yrs time.
Sam
As and when my electricity supplier decides to ‘upgrade’ me to a smart meter, I shall refuse to accept installation unless they guarantee to underwrite any liabilities that might arise from any security failings of it….looking forward to that argument, lol!
Bryan
late to the party, found this page linked from today’s GDPR article
/2016/12/29/your-new-years-resolution-get-ready-for-gdpr
As and when my electricity supplier decides to ‘upgrade’ me to a smart meter, I shall refuse to accept installation unless…
May you have better luck than I had with Black Heart Energy a few years ago–but since the meter is typically their property I doubt you’ll have a choice.
We all see brief power interruption from time to time, so when I get home to a flashing oven light, I grumble and reset it–and that’s it. If my PC has rebooted that’s cause for alarm, because the outage outlasted my UPS. But still when I call the most they tell me is yes, the power was down today. If I press for detail they’ll say it was for about [X] minutes. With no competition in my area there’s little hope for a change of heart (har). My choice is use BHE or get off the grid.
My point? I had no idea my meter would change. No Black Hills Energy rep contacted me in advance or after it was simply replaced. No chance to unplug sensitive electronics or power down bigger stuff like PCs. Had I been home, I’d at least have had a chance to hear a field tech’s perspective…after noticing my power dropped for no reason. I read local news about the upgraded meters and checked mine…yep, wow–new meter. I didn’t even know how long it had been there.
Exemplary customer service, FTW. Hope you have better luck.
Naugahyde
Yes, a rating system that provides the user a false sense of security. The energy use of a device does not deviate significantly over the course of its lifetime. However, security does. Think RC4, SSL, etc. Last thing I want is my parents buying into “label security” because the thingamabob has an A+ rating. Will they guarantee that the security level does not change, that the encryption will not be broken?
How is this security level identified? Self-approval process? Energy consumption can easily be tested at home. Security level, not so much. Perhaps it will be like FIPS where you need a third party to test and approve for the low, low price of $100k.