TranslateProject/sources/talk/20200211 Who should lead the push for IoT security.md
DarkSun 1939486112 选题: 20200211 Who should lead the push for IoT security?
sources/talk/20200211 Who should lead the push for IoT security.md
2020-02-12 01:12:47 +08:00

6.3 KiB
Raw Blame History

Who should lead the push for IoT security?

Industry groups and governmental agencies have been taking a stab at rules to improve the security of the internet of things, but so far theres nothing comprehensive. Thinkstock

The ease with which internet of things devices can be compromised, coupled with the potentially extreme consequences of breaches, have prompted action from legislatures and regulators, but what group is best to decide?

Both the makers of IoT devices and governments are aware of the security issues, but so far they havent come up with standardized ways to address them.

[Get regularly scheduled insights by signing up for Network World newsletters.]

“The challenge of this market is that its moving so fast that no regulation is going to be able to keep pace with the devices that are being connected,” said Forrester vice president and research director Merritt Maxim. “Regulations that are definitive are easy to enforce and helpful, but theyll quickly become outdated.”

The latest such effort by a governmental body is a proposed regulation in the U.K. that would impose three major mandates on IoT device manufacturers that would address key security concerns:

  • device passwords would have to be unique, and resetting them to factory defaults would be prohibited
  • device makers would have to offer a public point of contact for the disclosure of vulnerabilities
  • device makers would have to “explicitly state the minimum length of time for which the device will receive security updates”

This proposal is patterned after a California law that took effect last month. Both sets of rules would likely have a global impact on the manufacture of IoT devices, even though theyre being imposed on limited jurisdictions. Thats because its expensive for device makers to create separate versions of their products.

IoT-specific regulations arent the only ones that can have an impact on the marketplace. Depending on the type of information a given device handles, it could be subject to the growing list of data-privacy laws being implemented around the world, most notably Europes General Data Protection Regulation, as well as industry-specific regulations in the U.S. and elsewhere.

The U.S. Food and Drug Administration, noted Maxim, has been particularly active in trying to address device-security flaws. For example, last year it issued security warnings about 11 vulnerabilities that could compromise medical IoT devices that had been discovered by IoT security vendor Armis. In other cases it issued fines against healthcare providers.

[ Prepare to become a Certified Information Security Systems Professional with this comprehensive online course from PluralSight. Now offering a 10-day free trial! ]

But theres a broader issue with devising definitive regulation for IoT devices in general, as opposed to prescriptive ones that simply urge manufacturers to adopt best practices, he said.

Particular companies might have integrated security frameworks covering their vertically integrated products such as an industrial IoT company providing security across factory floor sensors but that kind of security is incomplete in the multi-vendor world of IoT.

Perhaps the closest thing to a general IoT-security standard is currently being worked on by Underwriters Laboratories (UL), the security-testing non-profit best known for its century-old certification program for electrical equipment. ULs IoT Security Rating Program offers a five-tier system for ranking the security of connected devices bronze, silver, gold, platinum and diamond.

Bronze certification means that the device has addressed the most glaring security flaws, similar to those outlined in the recent U.K. and California legislations. The higher ratings include capabilities like ongoing security maintenance, improved access control and known threat testing.

While government regulation and voluntary industry improvements can help keep future IoT systems safe, neither addresses two key issues in the IoT security puzzle the millions of insecure devices that have already been deployed, and user apathy around making their systems as safe as possible, according to Maxim.

“Requiring a non-default passwords is good, but that doesnt stop users from setting insecure passwords,” he warned. “The challenge is, do customers care? Are they willing to pay extra for products with that certification?”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.


via: https://www.networkworld.com/article/3526490/who-should-lead-the-push-for-iot-security.html

作者:Jon Gold 选题:lujun9972 译者:译者ID 校对:校对者ID

本文由 LCTT 原创编译,Linux中国 荣誉推出