The Mirai botnet put Internet of Things (IoT) security – or the lack thereof – directly into the spotlight. It’s an issue that I foresee as a top 2017 cybersecurity prediction. We are already starting to see more news coming out about the IoT’s security concerns, such as this warning from ZDNet that the IoT is making hospitals more vulnerable to potential hackers.
We know that the best approach to IoT security is to develop devices with security baked in. However, that isn’t going to happen overnight, if at all, as there are still many developers who are more concerned about getting their products to market quickly and hope that security will magically follow. So we must look to other entities and generate more conversation about why IoT security is important and where it should be centered.
I already mentioned how the devices used for medical care are putting hospitals at risk, but how is that affecting patient privacy? Stephen Wu addressed HIPAA compliance concerns and IoT in a new book. In an interview with GovInfoSecurity, Wu said medical facilities have to think twice about adopting emerging technologies, adding:
We have an ever-increasing power of computers that are creating a world of disruptive technologies. And one of the challenges is trying to navigate the world of these disruptive technologies - and at the same time, try to comply with regulations that were written in 2003 [the HIPAA Security Rule].
Over on Capitol Hill, the Subcommittee on Commerce, Manufacturing, and Trade discussed cybersecurity and cyberattacks. Their discussion included the security risks involving the IoT. According to Health IT Security:
Subcommittee on Communications and Technology Chairman Greg P. Walden stated that a concerted effort is needed “to improve not only device security, but also coordinate network security and improve the relationship between industry and security researchers.”
“We’re all in this together and industry, government, researchers, and consumers will need to take responsibility for securing the Internet of Things,” Walden noted.
Finally, the Broadband Internet Technical Advisory Group (BITAG) released a report concerning the technical aspects of IoT security and privacy. The BITAG report discussed some of the issues surrounding IoT security, including lack of IoT supply chain experience with security and privacy, lack of incentives to develop and deploy updates after the initial sale, lack of secure over-the-network software updates, and devices with malware inserted during the manufacturing process.
It’s a start, but security experts want BITAG, and I’d assume other groups, to go further. As Mike Ahmadi, CISSP, Global Director, Critical Systems Security, Synopsys Software Integrity Group, told me in an email comment:
While I certainly applaud efforts to set guidelines for addressing security in IoT devices, I remain concerned by a complete lack of baseline verification and validation of cybersecurity. The mere presence of guidelines does not mean practices are followed. In industries where safety is a concern, validation and verification standards exist and must be followed, with some requiring certification.
As I said, it’s a start, but clearly, we have a long way to go.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba