I was recently asked if increased legislation could help improve IoT security, and how it will affect the IT department. Here’s my response:
Legislation can absolutely help IoT security by ensuring that manufacturers follow common core principles, strategies and infrastructure. The Internet of Things Cybersecurity Improvement Act of 2017, a bill that would require IoT devices bought by the U.S. federal government to meet minimum security requirements, is an example of how legislation can compel manufacturers to address fundamental security vulnerabilities that might be inherent in IoT devices. The good thing about legislation and standards (such as ISO 27001, PCI DSS and the NIST frameworks) is that they encourage organizations to address the same issues in a fundamentally consistent way. These standards help individual groups, like the IT department, because they identify ahead of time the types of risk, vulnerabilities and skills the group needs to look for and cultivate.
An important concept to keep in mind is that this legislation doesn’t have to solve all the problems right away. Like the IoT industry itself, which is growing fast but is still in its infancy, these new guidelines and laws can change and become more mature as time goes on to reflect the evolution of our understanding of what is truly important in the IoT space.
Eventually there have to be agreed-upon standards under which any IoT device is tested by third-party services against a common set of security vulnerabilities, just as Underwriters Laboratories tests consumer products for safety.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.