IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cisco security chief backs government IoT regulation

Connected devices are giving CISOs a "headache", and authorities should step in to impose minimum standards

IoT

Governments should implement a set of legally-enforceable minimum standards for new internet of things (IoT) devices to allay businesses’ fears around the technology, Cisco’s security leader has claimed.

A swathe of IoT devices that are unsecure by default are on the market and are giving security teams and CISOs a “headache” about how to deal with them, according to the networking firm’s VP for global security sales, John Maynard.

Given the prospect of an exponentially rising attack surface, the authorities should produce a set of minimum standards that device makers must adhere to, he told delegates at this year's Cisco Live in Barcelona. The alternative scenario is security teams using systems to secure each individual IoT device as they are connected to their network. This is partially why the promise of IoT hasn’t been fulfilled.

“Frankly, the job of a CISO is extremely challenging right now because IoT, in its multiple form factors, is just expanding the attack surface for the security professional beyond levels that it's ever been,” Maynard said.

“You're connecting operational technology to the network. You're connecting numerous devices that could communicate with different parts of the organisation. We need to get a handle on it.”

He argued that the vast majority of connected devices that can be added to organisations’ networks are insecure by design, although that shouldn’t put a total block to all such devices from being connected. The result, however, is that security professionals now have the added task of having to secure reams of unsecure endpoints.

“You either solve it with at a device level, and you regulate and from a governmental perspective and standards perspective – secure by design – which is what it should be,” he continued. 

“Or you say, 'I need to be able to monitor what is connected to my infrastructure, I need to be able to segment my network so if a connected device is doing something abnormal, I can detect it and then I can quarantine it and just restrict the access'.”

“I do believe there needs to be minimum standards of what security should look like in IoT devices, but it’s extremely complicated because you’re looking at cars, you’re looking at refrigerators, toasters, anything.”

Authorities across the world have cottoned onto the fact that many IoT devices are not build with security in mind, with the UK government, for example, last year opening a consultation on introducing new IoT security laws.

This week, the Department for Digital, Culture, Media and Sport (DCMS) introduced plans that could see device makers have to comply with a set of security requirements when manufacturing IoT devices. 

These measures include shipping connected devices with unique passwords that cannot be reset to any universal factory settings, as well as a point of contact that can be used in order to report any vulnerabilities discovered.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023
Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023