Securing IoT: Whose responsibility is it?

There's no shortage of opinions on where to place the blame for IoT security events. However, as IEEE member Kayne McGladrey explains, the onus is on both manufacturers and consumers.

Securing IoT has been a hot topic since day one -- and for good reason. Adding internet connectivity to anything inevitably increases the number of threats it can face, and the sheer number of IoT devices an enterprise uses widens its potential attack surface. Add in the IoT devices your employees use on a daily basis and it can be a recipe for disaster.

The best way for individuals and enterprises to ensure that future generations of IoT devices are safe is to demand and only purchase IoT devices that are secured by default and have security built in.

Key attributes of securing IoT devices include:

  • encryption of data in motion;
  • push software updates;
  • no default usernames or passwords enabled, or forcing end users to change default passwords on first use; and
  • central monitoring and compliance auditing of devices.

Enterprises and consumers alike are rewarding vendors that produce low-cost, insecure devices, such as $20 IP-based security cameras. It'd be easier for everyone if those consumers instead sent $20 to threat actors who will inevitably compromise those devices, as this would only be a $20 problem.

However, when threat actors conscript thousands of insecure IP-based security cameras into a botnet that can knock major brands off the internet -- such as what happened with the Mirai botnet attacks in the fall of 2016, it potentially becomes a multimillion-dollar problem that affects major markets and international relations.

In the enterprise space, the ability to push software updates to an inventory of devices is key to securing IoT. Organizations cannot secure what they cannot see, so having deployed devices report into a monitoring framework is essential. It's similarly essential to see which devices have received regular software updates, to isolate those that have not and to see which IoT devices are no longer reporting data due to theft, power loss or physical damage.

Have a question for one of our experts? Submit it now. All questions are anonymous.

Dig Deeper on Internet of things security