The image of what constitutes a “security risk” has changed a lot in the digital age, from burly men in leather jackets to hoody-wearing computer hackers. Now, the face behind a data breach might not have a face at all — and it looks a lot like a Keurig.
At the “Help! My coffee maker is trying to hurt me!” panel during the Information Systems Security Association (ISSA) International conference in Atlanta, experts weighed in on what they consider the biggest IoT security challenges:
- long product lifecycles
- simplistic perspectives on IoT risk
Existing IoT security and compliance regulations are often focused on products that hold personally identifiable information and devices that have a replacement window of three to four years, panelists said. Panel moderator and ISSA Board President Candy Alexander noted that this perspective has led both individual and corporate consumers to ignore the safety risks of implementing an IoT device.
Panelist Loren Roberts, senior security advisor at HP Inc., agreed.
“It’s not always the first device you think of. The smart refrigerator in the break room might be the way into your business,” Roberts said.
Low-priority, high-security risk IoT devices
These types of IoT devices — think refrigerator, coffee machine or printer — highlight the issue of longevity in data security, panelists said. Devices that are low-security priority can quickly become high risk when they exceed the typical three- to five-year shelf life of an IT server, said Sandy Carielli, director of security at Entrust Datacard Corp.
“The manufacturer who is patching and maintaining IoT technologies has to look out for a 20- or 30-year shelf life,” Carielli continued.
Katherine Fithen, managing principal consultant at SecureWorks Inc., noted that vendors and manufacturers would rather ignore security risks than begin to tackle “20 years’ worth of back managing” their products IoT security challenges.
Another aspect of the struggle to secure these IoT devices is the inability to apply patches and conduct maintenance on devices that are in constant use. IT security professionals are dealing with an uncharted part of the market — they can’t shut down IoT devices like cars, medical machines and pacemakers to conduct maintenance.
One solution: Start using security as a value-add or business differentiator, which would incentivize manufacturers to articulate the ROI of security management alongside cost-effectiveness in the manufacturing process, Carielli said.
Fithen noted that the differentiation will only come when consumers let go of their innate trust in IoT security measures and begin choosing products with manufacturer safety measures in mind.
“Until consumers ask for IoT security as a differentiator, it won’t be,” Fithen said.
Who should herald the IoT security revolution?
The panel of experts called for a tiered response for improvement: Start with changing customers’ perception of IoT devices, then let go of the instinctive trust in existing security measures and demand a federal change.
Roberts said that customers need to take responsibility and consider the risks and IoT security challenges that come with the devices they use.
“I’m always looking for ways to automate … but I have some criteria. If I can’t manage it, if I can’t create a password, it’s not coming into my environment. If there is a compromise, if I can’t patch it, it’s not coming into my environment,” Roberts said.
Fithen said security advocates — both corporate and legislative — need to think from the consumer perspective. Consumers usually don’t think of the risks involved and just assume that they are protected, she noted.
“Government oversight agencies have a responsibility, but we first need to hear that [people] are concerned,” Fithen said.
If risk becomes even a semi-universal concern among consumers, panelists agreed that experts must then implement product development standards to reach a unified understanding of what a secure and safe device entails, and then push to enact federal data protection regulation to enforce these standards.
ISSA’s Alexander noted that despite the constant data breaches where the majority of users were affected, customers have demanded little change. Public support for data protection and security measures usually only follows a major event such as the loss of life in automated vehicle accidents, she observed.
“[A data breach] might hurt you a little bit, the company a little bit, but does this mean that with the adoption of IoT devices it will take someone getting hurt before there are changes?” Alexander asked.