IoT Security Plan Emphasizes Full Disclosure
Compliance with security standards and a growing list of state and national regulations aimed at protecting consumers is an imperative for Internet of Things equipment vendors.
With that in mind, a U.K.-based industry group has released what it says is the first crack at a global standard for consumer IoT cybersecurity aimed at device manufacturers and distributors using emerging IoT platforms. The spec includes an IoT “vulnerability disclosure platform” dubbed Vulnerable Things that sets forth protocols for reporting security gaps as IoT deployments expand.
Early rollouts have been plagued by consumer devices that often rely on default factory security settings easily breached by hackers.
The new security procedures are aimed at helping IoT device manufacturers report and coordinate the widest possible disclosure of vulnerabilities. The spec also establishes a framework making it easier for security researchers to report vulnerabilities to IoT manufacturers. The current ad hoc approach often relies on individual security vendors reporting on exploits.
“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement,” said John Moor, managing director of the IoT Security Foundation.
“Industry must do more to protect their customers and their own businesses,” Moor added. “We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform.”
The IoT security initiative is currently in its pilot phase, with seed funding provided by the U.K. government. Access to the Vulnerable Things platform is free through Jan. 31, 2021. After that, a small annual fee may be introduced.
The U.K. effort dovetails with similar IoT security initiatives launched in California and Oregon as well as Australia, Finland and Singapore. Some have published codes of best practices and product labeling formats while preparing legislation that would align IoT security efforts.
Most proposals include a mechanism for gathering vulnerability reports. Without a coordinated vulnerability disclosure scheme, the security of consumer IoT products diminishes over time and the risk of attack or abuse increases, the industry group warned.
“We want everyone to have confidence that the internet-connected products they are buying have stronger security and are working on legislation in this field to help make this a reality,” said Matt Warman, the U.K.’s digital infrastructure minister.