There May Be a Chance for More Secure IoT, After All

With the internet of things market predicted to grow to trillions of dollars and tens of billions of devices in less than five years, security can no longer be ignored. The damage smart things have caused to businesses, vulnerability disclosures and the large scale attack that happened last year show that security is increasingly taking the spotlight.

Both the private and public sectors have heard the message and have started to take action for a baseline security standard in IoT. These efforts have escalated lately, particularly in the wake of the Mirai attacks in October 2016, due to the active threat of malicious connected things to the social and economic environments.

In the United States, the National Telecommunications and Information Administration (NTIA), is working to finalize a document with recommendations that manufacturers can communicate to the consumer “about IoT devices’ capability to receive security updates.” Being a multi-stakeholder, public-private initiative, the working group collaborates with other parties to release perfectly unambiguous content. The possibility of updating the firmware of a connected thing to a more secure version is often neglected by vendors and consumers, who often recognize its benefits only after disaster strikes.

The National Institute of Standards and Technology (NIST) in the US launched its cybersecurity program for IoT; the purpose is to create and apply standards and guidelines to improve cybersecurity in the world of connected devices. NIST’s contribution includes research and documentation on technologies and practices for stronger IoT defenses (cloud security, blockchain, supply chain risk management, encryption.

In Europe, the ENISA (European Union Agency for Network and Information Security) collaborates with governing bodies, industry stakeholders and academia to define standards and certificates of trust attesting to certain security implementations in connected devices. The private sector also calls attention to the need to implement a new law to regulate security and privacy by design in the IoT, along with liability.

Governmental commitment to raising the bar for safer connected objects is notable, but a quicker way to achieve it is foreshadowing. Private companies have started to pay more for security bugs in IoT. A report from bug bounty service Bugcrowd shows that the average price for valid submissions has increased from $451 last year, to $742.

HackerOne, another bug bounty service, revealed in a similar report last month that the number of IoT and smart home programs has increased, possibly suggesting that more companies are interested in addressing the security problem in connected things. Supporting this supposition is a recent analysis from job meta-search platform Joblift indicating a monthly 21% demand increase in IoT positions with a security focus; the data was pulled from the UK job market since June 2016.

Vulnerabilities in smart devices will continue to be discovered and reported, but government initiatives combined with industry players determined to deliver safer products will create a less hazardous connected world.

Image credit: geralt