
Cybersecurity Liability: Who’s to Blame if One Bad IoT Device Topples the Whole Network?

The state of IoT cybersecurity: UL says smart-home integrators and manufacturers share liability when IoT systems are hacked, warns home-tech industry to implement guidelines and best practices.

IoT bulb meets network: who is liable for a cybersecurity strike?

Jason Knott · December 12, 2017

Development around the Internet of Things (IoT) is moving at a fast and furious pace, which is great for innovation in the smart home, smart city, and smart thing business. But it can also deal a double blow to cyber security. Hasty development, coupled with ever-more ubiquitous connected things, is a bad combination. Carelessly "secured" systems will face more cyber threats than ever before.

“The cybersecurity risk is greater each day," says Neil Lakomiak, director of business development and innovation for UL, the 124-year-old testing and certification lab. "The more connected devices connected to the internet and connected to a broader network, the greater the attack vector in general for everything. Each time you connect a device to a network and the internet, you now have another way to compromise that overall system. It’s another entry point for a bad actor to do bad things. That is the real risk. That’s the real concern.”

Product manufacturers, software developers and smart-home integrators will have to take extra care in their IoT deployments, even while the rest of world moves carelessly ahead at cyber speeds.

Any one supplier can build every security provision into its own solutions, but you can never be sure that the interconnected systems around them meet your exacting standards. There's no logo to look for, no rigorous test to pass. And even if there were, any product that received a clean bill of health yesterday could be infected with a virus tomorrow.

Who is to blame if that virus spreads to every single IoT bulb, SmartTV, security system and mobile phone on the network and beyond?

Legally, we don't know for sure right now, but if you touched it, you could be liable for spreading it.

UL warns:

  • Cyber hacking is going to get much worse as the Internet of Things (IoT) expands.
  • Manufacturers, integrators and end users all share in liability when a hack occurs.
  • Litigation against manufacturers that do not secure their products from hacks is coming.
  • The FCC is poised to call for government regulation of the design of IoT equipment and networks unless the private sector acts.

Lakomiak says the issue of accountability for cyber-hacking incidents is unclear right now.

"Liability is a continuum," he says. "Who’s negligent? Who’s liable for certain incidents? We will certainly see more individuals held accountable for not addressing cybersecurity. Liability will certainly start at the manufacturer in the sense of what are they doing from a software development standpoint to make sure the products they’re selling to the marketplace are hardened, and they’ve taken into consideration design security as part of their product development.”

Neil Lakomiak, director of business development and innovation at UL, says the recent FCC call for manufacturers to include cybersecurity in the initial design of all products is a signal the private sector has a limited window of opportunity to act.

He continues, "There’s also accountability on the part of an integrator that is taking multiple connected products and then providing a solution to their customers. The end user, of course, has a responsibility to make sure they’re updating passwords, not accepting files or emails that might have suspicious-looking information in them, or making sure that they’re not plugging USB thumb drives into their system that they found in a desk drawer somewhere. All of those could lead to vulnerabilities. That’s why I say it’s a shared responsibility."

He thinks manufacturers could be the first to fall if they're sloppy on cybersecurity, but their liability wouldn't excuse an installer who fails to follow best practices. 

Integrators will face tough choices when balancing system-wide performance with cybersecurity concerns: Every device added to a home system brings a new vulnerability with it.

“It’s like medication, right? There are always side effects to medication," Lakomiak says. "Do those side effects pale in comparison to the benefits that you receive from the medication? I think you have a similar scenario here in you can’t eliminate the risk. There’s no system with zero cyber-security risk, but you can do lots of things to help mitigate it and handle it.”

FCC Warns of Regulations

Meanwhile, the FCC is advocating for cyber accountability, and if the manufacturing community does not establish its own safeguards, regulations are on the horizon.

“The FCC is calling for manufacturers of products or services that deploy software and have some kind of network connection to consider designing security into the product from the very beginning,” says Lakomiak. “It’s difficult after you have a product deployed and launched on the market to go back and address security issues.”

He warns, "This is a signal to the marketplace that people are starting to take this much more seriously. I think it’s also a signal that the private sector has an opportunity to act. If perhaps they fail to do so, then we could potentially see legislation. We could see different governmental organizations coming out with regulations around cyber security. Most people would like to avoid that and they would prefer more of public-private solutions to this. I think it’s a call to action without any specific mandate at the moment.”

Right now, UL does not have specific guidance for integrators or manufacturers around network security.


“We have been developing specific standards to evaluate the cyber posture of specific products. That was a starting point for us,” admits Lakomiak. “I expect in the future we will be looking at the broader topology of an overall network. We chose our starting point to be looking at individual products and systems.”

But in terms of network security, Lakomiak volunteers that firewall updates are vital.

“There are some misconceptions about firewalls that if I deploy one and I have everything behind that, then I’m safe. Well, even firewalls can be hacked. Firewall software should be updated from time to time, but you should also deploy intrusion detection tools that would allow you to understand if somebody’s trying to compromise your network. That would be another key element of protecting your overall network,” he says.
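The intrusion-detection element Lakomiak describes can be as simple as watching the authentication logs that a router, camera or NVR already produces. The following Python is an added example, not code from the article or from UL. It assumes a hypothetical syslog-style line format (constructed here) of the form `<ISO-8601 timestamp> <device> auth: <FAILED|OK> login for user=<name> from <ip>`, flags a source that fails `FAILED_THRESHOLD` logins against one device within a sliding window of `WINDOW_SECONDS`, and separately flags a later successful login from that same source, which is the event a defender actually needs to act on.

```python
"""Brute-force login detection over device auth logs (added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: (?P<result>FAILED|OK) login "
    r"for user=(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

FAILED_THRESHOLD = 5   # failures from one source against one device that raise an alert
WINDOW_SECONDS = 120   # sliding window length

# Constructed sample log: an outside host hammering a camera's admin login and then
# getting in, plus one harmless typo from the homeowner's laptop and a non-auth line.
SAMPLE_LOG = """
2017-12-12T09:00:00 camera-01 auth: FAILED login for user=admin from 203.0.113.7
2017-12-12T09:00:05 camera-01 auth: FAILED login for user=admin from 203.0.113.7
2017-12-12T09:00:07 router auth: FAILED login for user=owner from 192.168.1.20
2017-12-12T09:00:10 camera-01 auth: FAILED login for user=root from 203.0.113.7
2017-12-12T09:00:15 camera-01 auth: FAILED login for user=admin from 203.0.113.7
2017-12-12T09:00:20 camera-01 auth: FAILED login for user=admin from 203.0.113.7
2017-12-12T09:00:25 camera-01 auth: FAILED login for user=admin from 203.0.113.7
2017-12-12T09:00:30 camera-01 auth: OK login for user=admin from 203.0.113.7
2017-12-12T09:01:00 camera-01 cron: nightly snapshot upload finished
""".strip().splitlines()


def parse_line(line):
    """Return a dict for an auth line, or None for lines from other daemons."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=FAILED_THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return alert dicts in the order they would fire while reading the log."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (ip, device) -> timestamps of recent failures
    flagged = set()                # keys that have already raised a brute-force alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["device"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:  # expire failures outside the window
            recent.popleft()
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "ip": ev["ip"], "device": ev["device"],
                               "count": len(recent), "first": recent[0].isoformat(),
                               "last": ev["ts"].isoformat()})
        elif key in flagged:
            # A success right after a burst of failures is the event to act on.
            alerts.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                           "device": ev["device"], "user": ev["user"],
                           "at": ev["ts"].isoformat()})
            flagged.discard(key)
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log it raises one `bruteforce` alert at the fifth failure and one `success_after_bruteforce` alert when the same source logs in; the homeowner's single typo never reaches the threshold, and failures spread more than the window apart are forgotten rather than accumulated.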

UL does offer cybersecurity certifications for individual products, but not for systems or networks, so there's no guarantee how a certified device might fare in a hostile cyber-environment.

“There’s a spectrum of services that we’re currently offering around cybersecurity. It ranges from advisory services to training, testing and certification. If somebody is able to meet all the requirements in our UL 2900 series of standards, then they would be eligible for a certification,” says Lakomiak.

UL 2900

Risk Controls

  • Access Control, User Authentication, User Authorization
  • Remote Communication
  • Cryptography
  • Software/firmware updates

Vulnerabilities & Exploits

  • Known Vulnerability Testing
  • Malware Testing
  • Malformed Input Testing (Fuzz Testing)
  • Structured Penetration Testing (Hacking)

Software Weaknesses

  • Software Weakness Analysis
  • Static Source Code Analysis
  • Static Binary and Byte Code Analysis

“Today it isn’t a mark. Our thought process was the certification will have a limited shelf life because software needs to be re-evaluated. If you’ve got a physical mark on the product, it creates an issue for that type of environment,” he says.

Security Equipment Vulnerabilities

It might seem obvious that DIY products like surveillance cameras are more vulnerable than their professionally installed counterparts. But that's not necessarily the case.

“In general, cameras are susceptible … but any connected product is going to have the same susceptibility," Lakomiak explains. "It’s really a function of what are the manufacturers doing to make it harder for someone to compromise their product? If you have a device that has default passwords and it doesn’t force you to change it, you really need to change it."

Manufacturers can do their part by designing a user interface that forces end users or professional installers to change the default password before they can actually deploy the device. Integrators need to look out for their clients by helping them understand when and how to make their software upgrades and apply software patches.
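What "forces the user to change the default password before deployment" looks like in firmware logic is a gate between the credential store and the network services. The Python below is an added example, not vendor firmware and not anything UL publishes. The factory default credential, the known-default list, the minimum length and the PBKDF2 round count are all constructed for the example; the point is that the only path out of the `default_in_use` state is a password change that passes policy, and nothing network-facing starts until then.

```python
"""First-boot credential gate for a connected device (added example, not vendor code)."""
import hashlib
import hmac
import os

FACTORY_DEFAULT_USER = "admin"       # constructed; real devices vary
FACTORY_DEFAULT_PASSWORD = "admin"   # constructed
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default", "root", ""}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000              # constructed; tune to the device's CPU budget


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-password salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_errors(candidate):
    """Reasons a candidate password is rejected; an empty list means acceptable."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in KNOWN_DEFAULTS:
        errors.append("is a known default password")
    return errors


class DeviceCredentialGate:
    """Holds the admin credential and the 'still on factory default' flag."""

    def __init__(self):
        self.username = FACTORY_DEFAULT_USER
        self._salt, self._digest = hash_password(FACTORY_DEFAULT_PASSWORD)
        self.default_in_use = True   # state as shipped

    def verify(self, username, password):
        if username != self.username:
            return False
        _, digest = hash_password(password, self._salt)
        return hmac.compare_digest(digest, self._digest)

    def change_password(self, current, new_password):
        """Replace the credential; the only way out of the factory-default state."""
        if not self.verify(self.username, current):
            raise PermissionError("current password incorrect")
        errors = policy_errors(new_password)
        if self.verify(self.username, new_password):
            errors.append("same as the current password")
        if errors:
            raise ValueError("; ".join(errors))
        self._salt, self._digest = hash_password(new_password)
        self.default_in_use = False
        return True

    def services_allowed(self):
        """Web UI, streaming and cloud relay stay disabled until the default is gone."""
        return not self.default_in_use


def first_boot(gate, chosen_password):
    """Setup-wizard step: attempt the change, return the services that may now start."""
    try:
        gate.change_password(FACTORY_DEFAULT_PASSWORD, chosen_password)
    except ValueError as exc:
        print(f"rejected: {exc}")
    return ["web-ui", "rtsp", "cloud-relay"] if gate.services_allowed() else []


if __name__ == "__main__":
    gate = DeviceCredentialGate()
    print(first_boot(gate, "password"))               # rejected: nothing starts
    print(first_boot(gate, "correct-horse-battery"))  # accepted: services enabled
```

The same gate serves a professional installer and a DIY owner alike: the wizard cannot be skipped, a rejected password leaves every service off, and the credential is stored salted and hashed rather than in the clear.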

As advocates for their clients, integrators also should be asking vendors about cybersecurity measures implemented in their solutions.

Ironically, as we bombard the network with more devices meant to protect the digital ecosystem, we unintentionally introduce more vulnerabilities. There might be something to be said for old analog surveillance systems that didn't touch the network.

And even if you don't go that far, there's a lesson to be learned from even contemplating such a thing: Life-safety and security systems should be isolated from other connected ecosystems to mitigate damage in the event of a digital attack.
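Isolation is a policy an integrator can write down and check, not just a principle. The Python below is an added example, not from the article or from UL. The four segments, their address ranges, the allow list and the sample flows are all constructed; the model is default-deny (a flow is permitted only if its source segment, destination segment and destination port triple is listed), and `policy_isolates_security` verifies the rule this paragraph states: nothing but the owner's trusted segment may initiate into the life-safety/security segment.

```python
"""Segment-isolation check for a home network (added example, not from the article)."""
import ipaddress

# Constructed segment plan using RFC 1918 space.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),   # owner laptops and phones
    "iot": ipaddress.ip_network("192.168.20.0/24"),       # bulbs, TVs, speakers
    "security": ipaddress.ip_network("192.168.30.0/24"),  # cameras, NVR, alarm panel
    "guest": ipaddress.ip_network("192.168.40.0/24"),
}

# Default-deny allow list of (source segment, destination segment, destination port).
# Anything outside the defined segments is treated as the internet.
ALLOWED_FLOWS = {
    ("trusted", "iot", 443),
    ("trusted", "security", 443),
    ("trusted", "security", 554),    # RTSP viewing from the owner's devices
    ("trusted", "internet", 443),
    ("iot", "internet", 443),
    ("guest", "internet", 443),
    ("security", "internet", 443),   # vendor cloud relay, only if the client wants it
}


def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port):
    return (segment_of(src_ip), segment_of(dst_ip), dst_port) in ALLOWED_FLOWS


def policy_isolates_security(allowed=ALLOWED_FLOWS):
    """True if only the trusted segment may initiate into the security segment."""
    return all(src == "trusted" for src, dst, _ in allowed if dst == "security")


def audit_flows(flows):
    """Return the observed (src, dst, port) flows that the policy denies."""
    return [flow for flow in flows if not is_allowed(*flow)]


# Constructed observations, e.g. from a firewall's connection log.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.30.10", 554),   # owner laptop streams from the NVR
    ("192.168.20.17", "192.168.30.10", 80),   # smart TV reaching for the NVR
    ("192.168.20.17", "203.0.113.9", 443),    # bulb talking to its cloud service
    ("192.168.40.3", "192.168.30.2", 22),     # guest device probing the alarm panel
]

if __name__ == "__main__":
    print("policy isolates security segment:", policy_isolates_security())
    for flow in audit_flows(SAMPLE_FLOWS):
        print("violation:", flow)
```

Checking the policy itself, not only the observed traffic, is what catches the mistake this article warns about: one convenience rule letting a smart TV reach the NVR is enough to make `policy_isolates_security` return False before any device is installed.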

  About the Author

Jason Knott is Chief Content Officer for Emerald Expositions Connected Brands. Jason has covered low-voltage electronics as an editor since 1990, serving as editor and publisher of Security Sales & Integration. He joined CE Pro in 2000 and serves as Editor-in-Chief of that brand. He served as chairman of the Security Industry Association’s Education Committee from 2000-2004 and sat on the board of that association from 1998-2002. He is also a former board member of the Alarm Industry Research and Educational Foundation. He has been a member of the CEDIA Business Working Group since 2010. Jason graduated from the University of Southern California. Have a suggestion or a topic you want to read more about? Email Jason at jason.knott@emeraldexpo.com




  Article Topics


Security · Cameras · Surveillance Systems · Business · News · Cybersecurity · FCC · IoT · Regulation · UL

Comments

Posted by Bruno Napoli on December 12, 2017

The only way to prevent legal issues for a Home Technology Professional is to offer end users a “maintenance” contract where you will come 3 to 4 times a year to a job to:
- Check all firmware and upgrade it so you can prove that you did your due diligence
- Check if all connected devices are still supported by the manufacturer and propose a replacement
- Change all Wi-Fi passwords.
- At the end of each maintenance session, send an email with a recap of everything you did and all new proposals to try to reach the maximum level of security.

And if your client does NOT want any maintenance, you need to make them sign a discharge of responsibility if they do not want any kind of maintenance from the installer in the future.
This IoT thing is a REAL opportunity for all professionals to sell service & maintenance, because now they can see the real responsibilities they have on their shoulders.
