The Internet of Things (IoT) – the interconnection of devices via the internet to send and receive data – represents a dramatic shift in service-delivery across the private and public sectors.
The ability for everyday devices to be internet enabled and remotely accessed offers a means of transforming an everyday object into a sophisticated piece of technology. IoT devices are anticipated to realise new problem-solving solutions, enhanced business efficiencies and increased end-user satisfaction. This is somewhat unsurprising given predictions that by 2025, between 25 billion and 50 billion devices will be internet enabled.
The breadth of application of IoT is vast to say the least – with new offerings in ways we’ve yet to conceive. IoT examples mentioned by the National Institute of Standards and Technology (NIST) include:
- Connected vehicles to prevent crashes from occurring
- Connected healthcare devices – from personal and wearable technology to hospital devices and systems
- Smart manufacturing devices to better predict maintenance needs or material demands
But as with anything internet related these days, these opportunities are also attended by cyber security risks.
The increasing need for IoT Security standards
In previous articles and blog posts, we have discussed the application of cyber-security standards to public and private organisations, in order to prevent and remediate losses following a data breach. Now, organisations currently deploying (or looking to deploy) IoT devices in their service offerings should anticipate the need to consider the application of cyber security standards to IoT devices themselves.
In our view, these IoT cyber-security developments are a necessary and welcome development. Recently, the IoT world has been rocked by reports of breaches that include:
- Hackers stealing 10 GB of data from a casino by hacking into an Internet-connected fish tank
- Baby monitors using home Wi-Fi being hacked
- IoT devices being used to attack the security blog Krebs on Security and the internet infrastructure company Dyn.
Australian response to IoT security fears: a voluntary or mandatory regime?
At this preliminary stage, it is yet to be determined whether IoT devices will be subject to a voluntary code, or whether a mandatory regime will be introduced in Australia.
In recognition of increased IoT device vulnerabilities, an IoT working group comprising Commonwealth officials, the Australian National University’s (ANU) National Security College and tech-sector giants such as Amazon, Google and Microsoft has been working on the introduction of voluntary minimum IoT standards and a consumer rating. There is some suggestion that industry standards might take the form of a cyber star rating – such as a cyber kangaroo. According to a recent ANU cyber security report, the cyber kangaroo would represent a seal of quality assurance for IoT devices that consumers can recognise as a stamp of approval for any particular device.
However, if a voluntary code (or a cyber kangaroo) cannot be agreed, there is the possibility of the Commonwealth intervening to introduce IoT cyber security standards. Dan Tehan, the Minister Assisting the Prime Minister on Cyber Security, told Fairfax Media recently that the government is prepared to pass new laws cracking down on IoT vulnerabilities if industry fails to do so.
IoT security developments further afield
Minister Tehan has made express reference to developments in the United States with respect to mandatory IoT regimes. In the United States, certain Senators have introduced the Internet of Things Cybersecurity Improvement Bill 2017, which would block any IoT devices with known security issues from government use and require that devices have the ability to receive security and password updates.
Minister Tehan has also discussed the introduction of harmonisation with the United States and Britain with respect to IoT devices, to set an example to the rest of the world, and to cover imported devices.
Maddocks also notes that NIST, a key authority on cyber security, recently held an IoT Cybersecurity Colloquium and published a pre-read essay, with a view to providing guidance for United States federal agencies on common high-level IoT security and privacy risks. Given NIST’s recognition in the cyber security field, Maddocks will (and readers should) pay close attention to any best-practice recommendations that follow the Colloquium. It’s fair to say that NIST’s IoT approach will have some sway on other industry groups and US lawmakers. Equally, NIST’s approach is likely to influence Australia’s IoT cyber security approach.
Where to from here?
Irrespective of whether a voluntary or mandatory regime is introduced, there are steps organisations should consider taking in the interim. As with an organisation’s broader cyber security strategy, considering the security of IoT devices can be rationalised on the basis of preventing considerable business loss – such as financial loss, risks of being sued, adverse share price impacts, regulatory enforcement, damage to reputation, loss of customers or supply risks.
As such, it is prudent that organisations consider the following:
- if your organisation supplies services through IoT devices, what steps have you put in place to ensure your customers, or members of the public, are sufficiently protected?
- if your organisation supplies IoT devices, are those devices suitably secure? Are you placing your users, and yourself, at legal risk?
- if your organisation is supplied services through IoT devices, or has IoT devices on its business premises, has a proper security and privacy risk assessment been conducted? What contractual rights can you rely on to prevent, or mitigate loss from, a data breach?