We have no shortage of existential threats to the telecommunications industry and its customers. One that is high on the list is the prospect of the Internet of Things (IoT) being compromised. The fear is that elements are being rushed out quickly before security technology is baked in. The Mirai and related IoT-driven botnets are proof that these fears are not unreasonable.
A gap between mass deployment and effective security solutions for the IoT would create a landscape in which millions of vulnerable sensors and endpoints are deployed with little chance to fix them. The Federal Communications Commission (FCC) is trying to close the barn gate before all the horses get out.
Ronald Quirk, the head of the Connected Devices and Internet of Things Practice at Marashlian & Donahue, writes that the FCC is putting the bulk of the responsibility on vendors and manufacturers of IoT equipment, which is a bit different from the norm. In many cases, he writes, the FCC has leaned more heavily on carriers and service providers.
The FCC points to a reality that is difficult to deal with: The sheer number of IoT endpoints and the need that they be as inexpensive as possible makes it unlikely that vendors will voluntarily go the extra security mile. For that reason, the FCC may change its equipment certification rules to enforce a higher level of security from the vendor and manufacturing communities.
The big wildcard, of course, is whether new FCC Chairman Ajit Pai agrees that such intervention is necessary.
The IoT emerged last year as one of the leading “attack vectors” for malware distributors. That is unlikely to change. Mike Davis, CounterTack CTO, painted a sour picture in an interview with Channel Partners Online. Many IoT systems are put online with default passwords in use. This, of course, is a recipe for disaster that the industry has tasted many times. Once a flaw is detected and a patch released, network administrators opt (or are forced) to live dangerously and not update previous versions of the firmware:
That leaves a company that is a few revisions behind with a hard choice: Upgrade older hardware and potentially cause a failure, or don’t upgrade and be insecure. Sadly, most opt to remain insecure, leading to all manner of critical infrastructure problems.
Some help is on the way. The National Telecommunications and Information Administration (NTIA) formed four working groups in October. GCN said that an update was given last week. The four are expected to report on their work between March and May.
The Existing Standards, Tools and Incentives group is putting together a report on existing standards and a research summary for internal use. The Capabilities and Expectations group is diving into ways to upgrade devices and creating a glossary of technical terms. A group known as Communicating IoT Upgradability is working on strategies to enable vendors to inform customers of upgrade procedures. Finally, the Incentives, Barriers and Adoption group is creating a taxonomy of incentives and barriers to IoT security.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.