The future of IoT requires a cybersecurity standard

Explosion of IoT

Gartner estimated that we will have 21 billion IoT devices by 2020. Some estimates suggest it could be more than double that at 50 billion IoT devices. Regardless of which estimate is more accurate — or if you just split the difference and assume the number is around 35 billion — it’s a staggering number of devices. That’s about five connected IoT devices for every single one of the 7 billion-plus people on planet Earth.

IoT devices will continue to skyrocket exponentially in terms of both volume and diversity — especially as 5G networks become mainstream. Wireless network speeds 50 to 100 times faster than 4G LTE networks will result in 5G networks becoming a primary network that competes with or replaces Wi-Fi networks for many businesses and consumers.

Every one of those devices expands the overall attack surface and provides an opportunity for hackers to exploit vulnerabilities, compromise network resources, or steal or expose sensitive information. Unfortunately, the vast majority of devices that are created will focus on performance and/or cost at the expense of security — or simply ignore the issue of cybersecurity altogether.

Challenges of IoT security

By definition, each IoT device is connected to a network in some way. It runs some sort of operating system — no matter how rudimentary — and most contain some sort of sensor and an ability to collect and transmit data. The fact that these devices are capable of executing code means they are also capable of being hacked and compromised.

It is crucial to encourage those designing and developing IoT devices to shift security left. Cybersecurity should be woven into the supply chain and development process rather than tacked on as a post-deployment afterthought.

The need for IoT cybersecurity standards

The proliferation of IoT devices — particularly low-cost IoT devices — lowers the bar for deploying IoT anywhere and everywhere, but organizations need to consider security implications as well. The overwhelming volume of devices make it virtually impossible for a company or consumer to be able to effectively assess the security controls on their own to make an informed purchasing decision.

Businesses and consumers need to be able to easily identify IoT devices that meet minimum acceptable security standards. A standard for certifying the cybersecurity of IoT devices accomplishes both goals — providing an incentive for developers and manufacturers to strive for and providing customers with a simple way to determine which devices are secure.

Establishing IoT cybersecurity standards

Thankfully, there are IoT cybersecurity standards being developed, such as the CTIA Cybersecurity Certification Program for Cellular Connected Internet of Things Devices. CTIA represents the U.S. wireless communications industry and its members include a cross-section of wireless providers, equipment manufacturers, app developers and content creators.

The CTIA IoT cybersecurity standard strives to raise the bar on the minimum acceptable security design for IoT devices. CTIA is implementing the standard using a tiered approach, with a set of minimum criteria defined to achieve each level. At a minimum, IoT devices must have password management, access controls, an ability to install software updates and a patch management process to achieve Level 1 certification. For Level 2 certification, devices must also include things like multifactor authentication, remote deactivation and the ability to uniquely identify itself. Level 3 — the highest level defined for the IoT cybersecurity standard — adds encryption of data at rest and evidence of tampering, among other things.

Giving the IoT cybersecurity standard some teeth

Creating an IoT cybersecurity standard is a great start, but standards only have value if they are adopted and enforced. With broad enough consensus, a standard becomes self-perpetuating. As businesses and consumers accept and expect devices to pass a given standard, companies must adhere to the standard or their products will not be purchased.

It takes time to achieve momentum like that, though. In the meantime, there must be some means of enforcing the standard on a smaller scale or placing some consequences on organizations that ignore the standard. The wireless industry is an excellent starting point because many IoT devices are designed to connect to wireless carrier networks. As 5G networks roll out and become mainstream, it will essentially be a requirement.

In order for a device to attach to a carrier network, it must pass PTCRB certification — a framework established in 1997 by leading wireless operators to ensure compliance with global industry standards for wireless cellular devices. The CTIA Cybersecurity Certification Program for Cellular Connected Internet of Things Devices is offered as an additional voluntary certification. A few carriers require CTIA certification for devices connecting to their networks, which will hopefully drive broader adoption and enforcement eventually throughout the industry.

The future of IoT cybersecurity

Developing and enforcing an IoT cybersecurity standard will not magically make everything secure overnight. There are millions of devices already on the market and already connected to networks around the world that did not have to meet any IoT cybersecurity standards and there are no plans to just disable them all or kick them all off of the internet.

Better security will come through continued efforts. Influencing developers and device manufacturers to move security left in the process and implement secure design and cybersecurity best practices by default is a step in the right direction. Ultimately, though, security is a moving target and ensuring better security for IoT devices will be an ongoing mission that will require focus and cooperation.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.