Development around the Internet of Things (IoT) is moving at a fast and furious pace, which is great for innovation in the smart home, smart city, and smart thing business. But it can also deal a double blow to cyber security. Hasty development, coupled with ever-more ubiquitous connected things, is a bad combination. Carelessly “secured” systems will face more cyber threats than ever before.
“The cybersecurity risk is greater each day,” says Neil Lakomiak, director of business development and innovation for UL, the 124-year-old testing and certification lab. “The more connected devices connected to the internet and connected to a broader network, the greater the attack vector in general for everything. Each time you connect a device to a network and the internet, you now have another way to compromise that overall system. It’s another entry point for a bad actor to do bad things. That is the real risk. That’s the real concern.”
Product manufacturers, software developers and smart-home integrators will have to take extra care in their IoT deployments, even while the rest of the world moves carelessly ahead at cyber speeds.
Any one supplier can build every security provision into its own solutions, but you can never be sure that the interconnected systems around them meet your exacting standards. There's no logo to look for, no rigorous test to pass. And even if there were, any product that received a clean bill of health yesterday could be infected with a virus tomorrow.
Who is to blame if that virus spreads to every single IoT bulb, SmartTV, security system and mobile phone on the network and beyond?
Legally, we don't know for sure right now, but if you touched it, you could be liable for spreading it.
- Cyber hacking is going to get much worse as the Internet of Things (IoT) expands.
- Manufacturers, integrators and end users all share in liability when a hack occurs.
- Litigation against manufacturers that do not secure their products from hacks is coming.
- The FCC is poised to call for government regulation of IoT equipment and network design unless the private sector acts.
Lakomiak says the issue of accountability for cyber-hacking incidents is unclear right now.
“Liability is a continuum,” he says. “Who’s negligent? Who’s liable for certain incidents? We will certainly see more individuals held accountable for not addressing cybersecurity. Liability will certainly start at the manufacturer in the sense of what are they doing from a software development standpoint to make sure the products they’re selling to the marketplace are hardened, and they’ve taken into consideration design security as part of their product development.”
He continues, “There’s also accountability on the part of an integrator that is taking multiple connected products and then providing a solution to their customers. The end user, of course, has a responsibility to make sure they’re updating passwords, not accepting files or emails that might have suspicious-looking information in them, or making sure that they’re not plugging USB thumb drives into their system that they found in a desk drawer somewhere. All of those could lead to vulnerabilities. That’s why I say it’s a shared responsibility.”
He thinks manufacturers could be the first to fall if they're sloppy on cybersecurity, but their liability wouldn't excuse an installer who fails to follow best practices.
Integrators will face tough choices when balancing system-wide performance with cybersecurity concerns: Every device added to a home system brings a new vulnerability with it.
“It’s like medication, right? There are always side effects to medication,” Lakomiak says. “Do those side effects pale in comparison to the benefits that you receive from the medication? I think you have a similar scenario here in that you can’t eliminate the risk. There’s no system with zero cyber-security risk, but you can do lots of things to help mitigate it and handle it,” he says.
FCC Warns of Regulations
Meanwhile, the FCC is advocating for cyber accountability, and if the manufacturing community does not establish its own safeguards, regulations are on the horizon.
“The FCC is calling for manufacturers of products or services that deploy software and have some kind of network connection to consider designing security into the product from the very beginning,” says Lakomiak. “It’s difficult after you have a product deployed and launched on the market to go back and address security issues.”
He warns, “This is a signal to the marketplace that people are starting to take this much more seriously. I think it’s also a signal that the private sector has an opportunity to act. If perhaps they fail to do so, then we could potentially see legislation. We could see different governmental organizations coming out with regulations around cyber security. Most people would like to avoid that and they would prefer more of public-private solutions to this. I think it’s a call to action without any specific mandate at the moment.”
Right now, UL does not have specific guidance for integrators or manufacturers around network security.
“We have been developing specific standards to evaluate the cyber posture of specific products. That was a starting point for us,” admits Lakomiak. “I expect in the future we will be looking at the broader topology of an overall network. We chose our starting point to be looking at individual products and systems.”
But in terms of network security, Lakomiak volunteers that firewall updates are vital.
“There are some misconceptions about firewalls that if I deploy one and I have everything behind that, then I’m safe. Well, even firewalls can be hacked. Firewall software should be updated from time to time, but you should also deploy intrusion detection tools that would allow you to understand if somebody’s trying to compromise your network. That would be another key element of protecting your overall network,” he says.
UL does offer cybersecurity certifications for individual products, but not for systems or networks, so there's no guarantee how a certified device might fare in a hostile cyber-environment.
“There’s a spectrum of services that we’re currently offering around cybersecurity. It ranges from advisory services to training, testing and certification. If somebody is able to meet all the requirements in our UL 2900 series of standards, then they would be eligible for a certification,” says Lakomiak.
- Access Control, User Authentication, User Authorization
- Remote Communication
- Software/firmware updates
Vulnerabilities & Exploits
- Known Vulnerability Testing
- Malware Testing
- Malformed Input Testing (Fuzz Testing)
- Structured Penetration Testing (Hacking)
- Software Weakness Analysis
- Static Source Code Analysis
- Static Binary and Byte Code Analysis
“Today it isn’t a mark. Our thought process was the certification will have a limited shelf life because software needs to be re-evaluated. If you’ve got a physical mark on the product, it creates an issue for that type of environment,” he says.
Security Equipment Vulnerabilities
It might seem obvious that DIY products like surveillance cameras are more vulnerable than their professionally installed counterparts. But that's not necessarily the case.
“In general, cameras are susceptible … but any connected product is going to have the same susceptibility,” Lakomiak explains. “It’s really a function of what are the manufacturers doing to make it harder for someone to compromise their product? If you have a device that has default passwords and it doesn’t force you to change it, you really need to change it.”
Manufacturers can do their part by designing a user interface that forces end users or professional installers to change the default password before they can actually deploy the device. Integrators need to look out for their clients by helping them understand when and how to apply software upgrades and patches.
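The forced default-password change Lakomiak describes, as an added example that is not code from the article, UL or any vendor: a first-boot provisioning gate that keeps remote access disabled until the factory credential has been replaced with one that passes a basic policy. The default password, the denylist of common defaults and the serial number are all constructed sample values.

```python
"""Provisioning gate: remote services stay down while the factory default
credential is still in place. Added example; all values are constructed."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

FACTORY_DEFAULT_PASSWORD = "admin"          # constructed sample default
# Constructed short denylist of passwords commonly shipped as defaults.
COMMON_DEFAULTS = {"admin", "password", "12345678", "1234", "root", "user"}
MIN_LENGTH = 12


def password_problem(candidate: str, serial: str) -> Optional[str]:
    """Return why the candidate is unacceptable, or None if it passes."""
    if candidate == FACTORY_DEFAULT_PASSWORD:
        return "still the factory default"
    if candidate.lower() in COMMON_DEFAULTS:
        return "on the common-default denylist"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if serial.lower() in candidate.lower():
        return "contains the device serial number"
    return None


@dataclass
class Device:
    serial: str
    default_in_use: bool = True               # cleared only by a valid rotation
    remote_access: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: bytes = b""

    def set_password(self, candidate: str) -> bool:
        """Accept the new credential only if it passes the policy above."""
        if password_problem(candidate, self.serial) is not None:
            return False
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", candidate.encode(), self.salt, 200_000)
        self.default_in_use = False
        return True

    def enable_remote_access(self) -> bool:
        """The gate: refuse to expose the device while the default remains."""
        if self.default_in_use:
            return False
        self.remote_access = True
        return True
```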
As advocates for their clients, integrators also should be asking vendors about cybersecurity measures implemented in their solutions.
Ironically, as we bombard the network with more devices meant to protect the digital ecosystem, we unintentionally introduce more vulnerabilities. There might be something to be said for old analog surveillance systems that didn't touch the network.
And even if you don't go that far, there's a lesson to be learned from even contemplating such a thing: Life-safety and security systems should be isolated from other connected ecosystems to mitigate damage in the event of a digital attack.