Despite its origin as a marketing buzzword, there’s no question that the uptake of network-connected devices that interface with the physical world as sensors and actuators, better known as the Internet of Things, has grown dramatically. As the uptake of IoT has increased, the number of calls for meaningful IoT regulations and laws has grown in parallel.
IoT devices have also enveloped the segment known as industrial control systems that has been a mainstay of manufacturing, power generation and delivery, water systems, and a wide variety of other industrial applications for decades. While the industries those devices supported may have been subject to a wide array of safety, environmental and sometimes cybersecurity regulations, the devices themselves were regulated indirectly, if at all. If the purchasers of those devices were in regulated industries, such as electric power delivery, healthcare or financial services, they were obligated to ensure that the devices they purchased, when combined with their own people, processes and technology, provided adequate security.
As the Internet of Things market has exploded beyond the traditional industrial control and medical device market, there has been increased interest in directly regulating the devices themselves now that technically unsavvy consumers are in the mix. For example, U.S. Sens. Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have proposed the Security and Privacy in Your Car (SPY Car) Act to address security and privacy protection in automobiles. While this and similar legislation have yet to gain much traction, it is likely that the media attention over recent cyberattacks involving IoT devices will eventually force legislative or regulatory action at the state or federal level, particularly if the cyberattack leads to death or serious injury. Consequently, it is important that the industry strives to both influence and respond to the likely changes in the legal landscape.
In a recent blog post, I discussed some the potential pitfalls that Internet of Things regulations can bring while noting that the life safety issues for many IoT devices mean that IoT regulations of some sort will likely be needed. However, the goal should be to regulate lightly where possible, and recognize that a heavy-handed approach can stifle innovation and limit options for the many small companies that simply don’t have the resources to respond to endless data calls or onerous documentation requirements. Instead, I proposed 10 common-sense steps regulators can take to protect consumers while maintaining a light touch (the full versions of which you can find in my blog post). In short, they include:
- Prioritize investigations based on victim number and impact severity
- Structuring investigations to leverage automation using industry-standard questions for cybersecurity controls
- Regulators regularly reporting on efforts made to reduce cost when responding to regulatory inquiries
- Expedited reviews by federal courts made widely available for investigative targets
- Regulators providing testing scripts and sample investigative questions on their websites to encourage more automation
- Regulators offering clear and concise safe-harbor options that impose a higher burden on regulators
- Guidance based on IoT use cases for sector-specific industries, including the necessary controls
- Regulators providing examples of breach investigations where companies were found to have behaved reasonably and no enforcement action was taken
- Regulators incorporating the supply chain into their investigations for accountability
- Regulators harmonizing their cybersecurity guidance and determinations of reasonableness across all agencies regulating similar practices
But even in the unlikely event that all these recommendations are adopted, IoT manufacturers, integrators and end-users may need to alter their practices and tighten cybersecurity and privacy controls for their products. Below are some examples of steps these groups can take to minimize scrutiny from regulators and avoid legal judgment should a cybersecurity attack occur.
Know what data you are collecting and why
For many IoT devices, their primary job is to collect data about the physical world using a variety of sensor technology. Much of this data is fairly innocuous information derived from the weather, traffic, speed, air pressure and other phenomena. However, once this data is connected to a person, the privacy advocates and associated regulatory agencies get involved.
Ultimately, data points like heart rate and electricity usage are aren’t as useful for treatment or billing purposes unless connected to a person, but that doesn’t mean that the identity of the relevant person needs to be stored on the device. Using concepts like tokenization, the device can simply report its sensor data and its serial number to a centralized data source that can be better secured. Moreover, for many device manufacturers, the fact that the device doesn’t even have the requisite fields for storing that personal data means that the responsibility for any privacy violations would reside elsewhere.
Know where your device will be used and how it can be abused
Product liability law has long held manufacturers responsible for harms arising from both legitimate uses of a product as well as the product’s foreseeable misuses. For example, a chair is meant for sitting, but a common misuse is as a makeshift stepladder. Manufacturers are expected to build that into their safety considerations.
Similarly, setup instructions for an IoT device may remind owners to change the default password on their devices but not force that change, even though it is well known that most consumers don’t change those default passwords. As Bruce Schneier notes, much of the damage arising from the recent Mirai botnet attack could have been avoided if either the manufacturer or the consumer had taken efforts to secure their devices, which in many cases meant either changing the default password or requiring such a change before activating the network interface.
Know the potential impacts of cybersecurity attacks individually and in aggregate
One of the blessings and curses of IoT is that a device becomes more useful when it is networked with many others. For example, a single sensor embedded in the road doesn’t offer much help for people wanting traffic status, but when thousands are linked together, drivers, traffic engineers and government officials can derive a wealth of knowledge.
However, the networking of thousands of homogeneous devices means that a cyberattack infiltrating one can quickly spread to others, creating harms not envisioned individually, such as the denial-of-service attacks caused by the Mirai botnet. And it’s a sure bet that regulators are going to target the biggest networks first, particularly where the damage is likely to be significant.
Build in mechanisms to automate the documentation of cybersecurity controls
Increasingly, the biggest challenges manufacturers and end-customers have with cybersecurity compliance is not in implementing the appropriate controls but in proving to auditors and regulators that those controls exist. By automating that documentation in conjunction with appropriate cybersecurity standards and IoT regulations, organizations can save a lot of money and potentially generate more sales to customers with their own compliance obligations.
Watch the supply chain
In our global economy of just-in-time manufacturing, parts can come from a different part of the world depending upon the day of the week. If we’re not careful, our end-products can wind up filled with counterfeit or manipulated components. Moreover, most software is comprised of a significant amount of third-party code coming from open-source repositories (for example, the Linux operating system or an Apache web server) or commercial libraries.
The good news is that there are lots of eyeballs to notice those vulnerabilities and hopefully get them patched quickly. The bad news is that once incorporated into an IoT’s software stack, many manufacturers don’t keep track of vulnerability alerts and patches tied to those third-party libraries. It also makes those products an easy target for regulators as often a simple scan can find those vulnerabilities. While locating malicious code in a custom-built microprocessor isn’t easy, confirming that you have the latest version of Debian Linux shouldn’t be that difficult.
Taking the above actions is no guarantee that regulators will stay off your back, but it will hopefully make the regulatory process less onerous and may reduce the likelihood of a major breach of customer information or physical harm, which is what will get a regulator’s attention.
[IoT Security Summit, co-located with Blockchain360 and Cloud Security Summit, explores how industry-wide security, privacy and trust can be established to unlock the full potential of IoT. Get your ticket now.]