The Evolution of IoT Device Security and Privacy
As the world starts to look beyond the COVID pandemic and a “return to business normal”, whatever that may entail, one thing that is certain is that businesses will continue to accelerate towards digital transformation. At the heart of many organisations' push towards large-scale digitisation will be a continued acceleration in the deployment of Internet of Things (IoT) devices. With ever-increasing connectivity and device volumes, we are fast approaching a world that, on some forecasts, will contain between 70 and 80 billion IoT devices by 2025.
Whilst this growth brings numerous benefits across several business sectors and wider society, it will also inevitably change the way people carry out everyday tasks and potentially transform the world. IoT will undoubtedly play an important part in individual lives as well as corporate initiatives going forward. Having the latest smartphone controlling a smart home is certainly fashionable, but smart lighting can also reduce overall energy consumption and lower consumer and industrial electricity bills and carbon footprints; it is therefore much more than a technological gimmick.
Technological advancements in the automotive sector will allow connected and increasingly smart vehicles to create a hyper-connected smart city where vehicles can connect to and “speak” to smart city infrastructures to create an entirely new operational ecosystem for the driver and town planner, as they plan how to move from point A to point B.
Indeed, at its fullest extent the ecosystem of connected smart cities will naturally evolve into connected healthcare. As Internet of Medical Things (IoMT) evolves to remove the constraints of hospital and medical capacity through the creation of elasticity in the medical system, connected healthcare devices will provide society a deeper and fuller point of view of their own health, or lack thereof, than ever before.
However, as is the case in many areas of societal progress, there are trade-offs. With all of these benefits comes risk: the increase in connected devices gives hackers and cyber criminals more entry points, and for the majority of society the risk to privacy is the greatest concern.
Over the past 2-3 years, there have been numerous reports of hacking groups attacking critical infrastructure, including a power grid in a region of western Ukraine, and hospitals in both Europe and the US, not to mention water plants in Israel amongst others. Unfortunately, these attacks are likely to only represent the beginning, as hackers seek to exploit the ever-increasing connectivity between connected business and connected consumers. As a result, the average consumer is becoming ever more concerned about their privacy, and whilst increasing regulation has sought to address this, placing a fundamental expectation of security and privacy by design into IoT device manufacturing and operations is critical.
So, what issues are businesses, society and consumers concerned about in relation to IoT device security and privacy as we move towards a truly connected world?
The first key issue to address is public perception and public confidence. Whilst technological advancement will inevitably continue unabated, this needs to be the first problem addressed. Regulatory statutes such as EU GDPR, SB 327, and SB 734 represent major steps forward; however, there remains a long way to go to address consumer concern. In 2015, Icontrol’s “State of the Smart Home Study” found that 44% of all Americans were "very concerned" about the possibility of their information being stolen from their smart home, and a further 27% were "somewhat concerned." With that level of worry, consumers would hesitate to purchase connected devices. Whilst progress has been made, it is unlikely that these figures have changed drastically today; if anything, the key trend is that security and privacy have become a fundamental buying consideration for many consumers and businesses, and one that remains unresolved.
The reason for this continued reticence is that so many IoT devices remain vulnerable to hacking: researchers have been able to compromise devices readily available on the market with relative ease, using simple tools and limited time and effort. This is often because these devices have been manufactured with simple consumer connectivity and usability at the forefront of development, rather than with the principle of security by design.
Security by design, an often used but not so often understood phrase, describes a methodology that ensures IoT security, and indeed privacy, is a crucial objective at all stages of product creation and deployment. It addresses the challenge that, in many historic hardware deployments and instances of IoT design, security considerations were included late in the design and prototyping phase. By prioritising speed to market or other design considerations, security requirements end up being bolted on afterwards. This approach has led to serious security breaches in the past, because IoT device security cannot easily be retrofitted.
The response can be summarised into 3 key steps required to establish a successful IoT device security and privacy strategy:
- Security by design approach at the beginning of IoT projects
- Trusted device IDs and credentials embedded during manufacturing
- Lock IDs and credentials in secure hardware containers
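The second and third steps above describe a concrete provisioning flow, so the following added example (my own illustration, not code from the author or from BSI) shows what they look like in practice: a manufacturer CA issues a per-device certificate at the factory whose subject is the device's serial number, the device private key lives in a container that only ever exposes the public key and a signing operation (a software stand-in for a secure element or TPM), and the backend verifies both the certificate chain and proof of possession of the key before trusting the device ID. The CA name, the device serial and the `SecureElement` type are all assumptions made for the example; a real deployment would generate the key inside the hardware part and hold the CA key in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SecureElement models the hardware container of step 3: the device key is generated
// inside it and never exported; callers get only the public half and signatures.
type SecureElement struct{ priv *ecdsa.PrivateKey }

func NewSecureElement() (*SecureElement, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{priv: k}, nil
}

func (s *SecureElement) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign answers an enrolment challenge with an ECDSA signature over SHA-256(nonce).
func (s *SecureElement) Sign(nonce []byte) ([]byte, error) {
	d := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, s.priv, d[:])
}

// NewManufacturerCA creates the factory's self-signed issuing root (name is hypothetical).
func NewManufacturerCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Provision is step 2, run once per unit on the production line: bind the device's
// unique ID (its serial) to the key in its secure element by issuing a certificate
// from the manufacturer CA. Returns the element and the DER-encoded certificate.
func Provision(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, deviceSerial string) (*SecureElement, []byte, error) {
	se, err := NewSecureElement()
	if err != nil {
		return nil, nil, err
	}
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random cert serial
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: deviceSerial},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, se.Public(), caKey)
	return se, der, err
}

// VerifyDevice is the backend's enrolment check: the certificate must chain to the
// manufacturer root, and the device must prove possession of the key by signing a
// fresh nonce. Returns the attested device ID, or an error if either check fails.
func VerifyDevice(root *x509.Certificate, certDER, nonce, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted device certificate: %w", err)
	}
	pub, _ := cert.PublicKey.(*ecdsa.PublicKey) // nil if the cert carries a non-ECDSA key
	d := sha256.Sum256(nonce)
	if pub == nil || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", fmt.Errorf("proof of possession failed for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caCert, caKey, _ := NewManufacturerCA("Example IoT Manufacturing Root")
	se, certDER, _ := Provision(caCert, caKey, "SN-000123") // hypothetical serial
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, _ := se.Sign(nonce)
	fmt.Println(VerifyDevice(caCert, certDER, nonce, sig))
}
```

The proof-of-possession step matters: a certificate alone is public and can be copied off one device onto another, so the backend must see a signature over a nonce it chose, produced by a key that the secure element never released. The same structure is what makes the ID "locked" in step 3; a device whose key is extractable can be cloned however strong the certificate chain is.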
However, this drive for consumer usability has inevitably left devices open to exploitation by hackers intent on breaching business ecosystems, which now extend to the devices installed in people’s homes. The question is, who is liable for any resultant security and privacy breaches: the manufacturer, or the consumer? My guidance to manufacturers is that “caveat emptor”, buyer beware, is unlikely to be an acceptable legal defence when such an event is tested in the courts through a somewhat inevitable future class action lawsuit over a global privacy breach, given that so few companies are themselves confident that they have sufficiently robust defences to secure all IoT devices against hackers.
The challenge for manufacturing organisations has been the large-scale proliferation of, and demand for, IoT devices, which is largely being driven by end-user organisations seeking new data analytics advantages. IoT devices enable organisations and consumers to collect and aggregate data, and the sheer amount of data that can be generated is staggering. For example, a relatively small town of 10,000 connected homes is likely to generate more than 150 million discrete data points every day; every one of those data flows creates another entry point for hackers and often leaves sensitive information exposed.
These data volumes are created as consumers seek to leverage the simplicity of IoT, and in the very early days of IoT deployment companies have sought to collect user data willingly offered by consumers to make business decisions. As an example, insurance companies might gather data about your driving habits through a connected car or personal fitness trackers, enticing consumers to offer these data insights through incentives, rewards or often discounts for the services. However, at the point of purchase, did the consumer consider why there was such a willingness to offer such incentives?
Thankfully, consumer awareness is changing, and as individuals become ever more aware of their personal and family security and privacy, the pressure on manufacturers and big business to provide sufficient protection of consumer privacy will grow. However, regulatory influence remains in relative infancy, and it is therefore likely that IoT device security and privacy will remain a concern of individual consumers, businesses, and society for several years to come.
Mark Brown, Global Managing Director, Cybersecurity and Information Resilience (CSIR), British Standards Institution (BSI)
Mark Brown joined BSI on 1 February 2021 in the role of Global Managing Director of the Consulting Services, Cybersecurity and Information Resilience business and has more than 25 years of expertise in cybersecurity, data privacy and business resilience. He has previously held global leadership roles across industry and professional services, including tenures as Global CISO at SABMiller plc, and Global CIO/CTO at Spectris plc, as well as leadership roles as a Senior Partner at Wipro Ltd., and was also a Partner at Ernst & Young (EY) LLP.
Mark brings a wealth of knowledge including extensive proficiency on the Internet of Things (IoT) and the expanding cybersecurity marketplace as organizations grapple with digital transformation and addressing new technology that brings new business opportunities and risks.
Mark is internationally recognized as a leading authority on information resilience with a focus on cybersecurity and data privacy, in particular on the way IT can enable business strategies. He currently chairs techUK’s Industry 4.0 Cyber Security committee, advising the UK Government on how businesses can be incentivized to adopt new technologies safely and at minimal risk. Mark is also an elected member of techUK’s Connected Home Group and of the Medical Device Innovation Consortium’s (MDIC) 5G Enabled Medical Devices working group.