Time for vendors to get off the fence with IoT security

At the end of January, the National Cyber Security Council (NCSC) announced it would establish a £70 million fund to 'design out' cyber threats, and conversely, 'design in' security for IT systems and hardware. It's thought the fund could subsidise research into improving security using AI or integrated security chips.

It's a bold move by the government, and provides a vital incentive for manufacturers to create new ways of ensuring their products are 'secure by design'. The truth is, however, that all over the world, vendors must step up and take more responsibility for the security of their products in the field. Crucially, they must help integrators and resellers ensure devices are properly installed, managed and regularly updated throughout their lifespans.

That said, while government interventions are welcome, the fact that they are deemed to be necessary is a sad reflection on the state of the technology industry in general. We have to get our act together - and fast.

Too many high-profile security breaches are related to zero-day flaws in Internet of Things (IoT) equipment and application software. Last year, hackers made headlines when they breached a database in a Las Vegas casino by gaining entry to the network via a thermostat.

Botnets made up of compromised IoT devices are growing in size, and becoming more dangerous. Some of this growth is down to new techniques for attacking devices, but much of this is also down to known vulnerabilities remaining unpatched. This is despite the wealth of information out there, and a multitude of well-publicised botnet incidents. Based on the evidence, things will get worse before they get better.

The next step is to re-define cybersecurity processes

The most important thing for technology vendors to do is to embrace the principles of security-by-design. It's not enough to bundle off-the-shelf components with off-the-shelf operating systems: full risk assessments for any new IoT product must be done at the very start of the design process. Developers must mitigate any threats, and a clear programme of support should be devised to ensure new firmware can be delivered to protect against emerging vulnerabilities.

Right now, there's still too much emphasis on how quickly a product can hit the market, and not enough on the long-term welfare and protection of customers and their assets. As vendors, we must also improve our communication with the rest of the channel, and the way that we provide education and awareness around weaknesses created during the installation process. We can design securely, but are we doing enough to ensure that equipment is properly configured? Have we empowered the channel with the right tools to test and verify that the addition of IoT devices connected to a network hasn't created an unexpected vulnerability somewhere else?

Mitigating human nature

We also have a role to play in end-user education, and helping organisations develop a culture of cyber security through staff training and awareness programmes. After all, no matter how secure we make our equipment, human nature will always be a weakness.

That means equipment doesn't just need protecting at the time of installation. What happens, for instance, when the network is expanded further down the line, or when new users are onboarded? Are we providing the right materials to ensure that future expansions are properly configured too, and that the correct levels of threat monitoring are in place?

A recent report by Swiss cybersecurity firm Gemalto suggests 58% of UK businesses would be unable to detect an IoT-related security breach. The onus is therefore on vendors to help slash that number. None of this is easy, and the government's efforts are a welcome recognition that vendors can't achieve full security-by-design by themselves. The IoT ecosphere is too big, and too important, not to make us all reliant on partners in one respect or another.

Steve Kenny is industry liaison for architecture and engineering at Axis Communications