Cisco security chief backs government IoT regulation


Governments should implement a set of legally-enforceable minimum standards for new internet of things (IoT) devices to allay businesses’ fears around the technology, Cisco’s security leader has claimed.

A swathe of IoT devices that are unsecure by default are on the market and are giving security teams and CISOs a “headache” about how to deal with them, according to the networking firm’s VP for global security sales, John Maynard.

Given the prospect of an exponentially rising attack surface, the authorities should produce a set of minimum standards that device makers must adhere to, he told delegates at this year's Cisco Live in Barcelona. The alternative scenario is security teams using systems to secure each individual IoT device as they are connected to their network. This is partially why the promise of IoT hasn’t been fulfilled.

“Frankly, the job of a CISO is extremely challenging right now because IoT, in its multiple form factors, is just expanding the attack surface for the security professional beyond levels that it's ever been,” Maynard said.

“You're connecting operational technology to the network. You're connecting numerous devices that could communicate with different parts of the organisation. We need to get a handle on it.”

He argued that the vast majority of connected devices that can be added to organisations’ networks are insecure by design, although that shouldn’t put a total block to all such devices from being connected. The result, however, is that security professionals now have the added task of having to secure reams of unsecure endpoints.

“You either solve it with at a device level, and you regulate and from a governmental perspective and standards perspective – secure by design – which is what it should be,” he continued.

“Or you say, 'I need to be able to monitor what is connected to my infrastructure, I need to be able to segment my network so if a connected device is doing something abnormal, I can detect it and then I can quarantine it and just restrict the access'.”

“I do believe there needs to be minimum standards of what security should look like in IoT devices, but it’s extremely complicated because you’re looking at cars, you’re looking at refrigerators, toasters, anything.”

Authorities across the world have cottoned onto the fact that many IoT devices are not build with security in mind, with the UK government, for example, last year opening a consultation on introducing new IoT security laws.

This week, the Department for Digital, Culture, Media and Sport (DCMS) introduced plans that could see device makers have to comply with a set of security requirements when manufacturing IoT devices.

These measures include shipping connected devices with unique passwords that cannot be reset to any universal factory settings, as well as a point of contact that can be used in order to report any vulnerabilities discovered.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.