Avoiding the worst IoT scenarios

The Internet of Things (IoT) is here. With it comes some pretty cool sci-fi sounding applications, along with the more humdrum talk of connected toasters and thermostats. But the rapid pace of change also packs some hefty security and privacy risks, which could lead to serious reputational and liability issues for manufacturers. Compromised IoT devices have even been used to attack the underlying infrastructure of the internet. Informed action from a range of different stakeholders and standards development organisations is needed if we want to prevent the worst scenarios from becoming a reality.

Wait, we’re an internet company now?

Light bulb manufacturers used to produce light bulbs. Today they’ve become Internet companies and most don’t even realise it yet. This shift has introduced a whole host of new requirements in terms of privacy, security and technical interoperability that need to be met quickly. Unfortunately, many companies haven’t yet woken up to the fact that these are even things they need to be thinking about.

This shift introduces massive new liability risks for manufacturers. Imagine an internet-enabled thermostat that relies on a connection with the manufacturer’s network to operate. If a network outage coincides with severe low temperatures – suddenly there could be a lot of people stuck in the cold. Many IoT manufacturers appear to be sleepwalking into a crisis here. And legislation is quickly catching up, with the European Commission currently drafting new cybersecurity requirements and the recent reform of EU data protection rules.

Internet companies have different business models than manufacturers. What does it mean to sell a product that will need security patches for its entire lifetime? Software as a service may work for many technology companies, but it remains to be seen whether a subscription model can be applied to home appliances. And if a company goes bankrupt or a product line is no longer supported – what happens to the millions of increasingly vulnerable devices that could remain online for decades? To the average user, a web-enabled CCTV camera that’s part of a giant botnet looks and mostly acts the same as one that is not.

The ISPs, content providers, large academic and enterprise networks at the core of the internet have a long-established tradition of cooperation on areas affecting the digital commons. This is driven by the demand for interoperability that is needed to make the Internet work. The requirement that networks peer to exchange packets has over time created a myriad of both formal and informal interpersonal networks that in many ways mirror the physical infrastructure. Network operators know one another personally and interact as part of a community to share ideas and experiences. This dynamic is lacking between IoT manufacturers who are typically in direct competition and working in isolation from one another.

Will standards keep pace?

Shared standards will no doubt prove to be an important part of any solution. However, there are a few issues here as well. The broad scope of the IoT industry results in a complex landscape of different standards development organisations (SDOs). Where a number of different areas intersect, such as smart cities or networked cars, cooperation between different SDOs can prove to be a challenge. SDOs are used to drawing on their expertise and authority for a specific field – suddenly they’re faced with externalities that require expertise in fields ranging from ICT security to privacy and Internet Protocol-based communications. Similar issues are faced on the regulation side. When an IoT smart meter is developed that communicates over the Internet – is it the electrical regulator or the telecommunications regulator that is responsible?

Meanwhile, driven by demand and a need to quickly enter these emerging markets, manufacturers and service providers can’t afford to wait for standardisation efforts to catch up. Instead, they are often choosing to develop their own proprietary solutions. In this context, building in security and privacy costs time and money. Solutions that are developed are often not well tested and can present significant risks to the IoT devices and their users.

What does an IoT solution look like?

There are no silver bullets here, and probably there will never be a point where we can say that all of the issues with IoT have been “solved”. There will always be issues that need to be addressed. If there is a solution, it will likely come in the form of a process and a mode of working that allows the IoT industry to quickly adapt and address the many different concerns of customers, regulators and other stakeholders in a timely fashion. Here it may be instructive to look at how the traditional Internet community has worked over the years.

Through necessity, the internet industry has developed novel approaches to setting standards and addressing stakeholder concerns. This has resulted in the so-called “multistakeholder model” that is built on openness, transparency, and participation from all stakeholders. There is also a kind of flexibility inherent in this model. While a perfect solution may be elusive, there is usually a compromise that can be found. “We believe in rough consensus and running code,” states one infamous Internet Engineering Task Force document, which underscores the fact that many Internet standards were developed “on the go” with consensus decisions based on the results of working prototypes.

When there is a security incident, there is an expectation that it will be followed by appropriate and transparent disclosure. This is key not only to maintaining trust but also to safeguard other network operators who may share the vulnerability. No doubt there are similar approaches to the responsible disclosure of security and safety incidents in the airline industry, for example, and these working examples could be applied to parts of the IoT landscape, where small design mistakes or manufacturing errors can have serious and far-reaching consequences. All of this is in stark contrast to today’s reality, where attempting to reveal a security vulnerability to IoT manufacturers will often generate legal threats.

Finally, inasmuch as the IoT is about things that are connected to the Internet – many of the associated issues may not be quite as novel as they first appear. There are established, open communities that have been working on network and ICT security, privacy, network abuse and related issues for decades, including RIPE, the IETF, IEEE and W3C. These communities have developed a base of standards, documentation and knowledge that will help developers who are working at the intersection of these issues. They also welcome the unique perspective of people working in the IoT field to inform their policy and standards development discussions.

Written by Marco Hogewoning, External Relations Officer – Technical Advisor, RIPE NCC