The Consumer Technology Association
The Growing Need for IoT Cybersecurity
By Mike Bergman, VP, Technology and Standards, CTA
There are a few emerging technology topics that are experiencing particularly high levels of interest of late, such as 5G, artificial intelligence, IoT cybersecurity, quantum computing, and virtual reality. Of these trends, Internet of Things (IoT) cybersecurity – the security of connected devices – is perhaps the least flashy. But cybersecurity is arguably having the greatest impact on everyone, from individual consumers to global enterprises to government agencies, thanks to the growing pervasiveness of connected devices.
Doing business in a competitive market has always been a challenge, but increased connectivity introduces a new category of change and uncertainty for companies. Connected devices are now present in every industry, sector, and business. Some devices have been connected for a long time, such as ink jet printers. Others are just now getting connected, such as appliances; a washing machine that keeps track of wash cycles and re-orders detergent for you is just one example.
And some products are emerging both as new types of devices and new examples of connectivity. For example, the medical industry is finding new sensor technologies and building them into connected consumer monitors. And yet, despite all the talk about IoT, it is still in its infancy. Consider that the brand-new 5G standard will allow for massive connectivity of “things” – but hasn’t been fully deployed yet.
With today’s 4G/LTE technology, you can connect a few thousand devices per square mile. The 5G network will be able to support millions of devices per square mile. This kind of massive, always-available connectivity comes with other technical improvements. For example, these new connections will come with easier “onboarding” of devices. Streamlining the onboarding process means cutting back on the hassle of connecting and configuring a new device. This is expected to improve consumer and corporate acceptance of new connected functions.
So, the tech industry is working hard on the cybersecurity of connected devices. In 2017, PwC surveyed 2,000 consumers to understand their perceptions of cybersecurity and privacy risks. Among the key findings, more than two-thirds of consumers believe companies are vulnerable to hacks and cyberattacks. Yet, nearly three-quarters of consumers believe businesses are best equipped to protect them.
What risks does a business take with the cybersecurity of connected devices? Adding a device to a business network may add any security weaknesses of that device to the network, and this is as true for a global enterprise as it is for a small doctor’s office. But firewalls, network segmentation, and software updates can help. The Consumer Technology Association (CTA) has produced a checklist-based system for installing and maintaining connected devices. Aimed originally at the smart home market, it is relevant for business installations, as well. The Connected Home Security System includes information about router and device installation and configuration in order to get the maximum security from existing devices.
Device manufacturers, retailers and purchasers, government and industry have been developing common agreement on a simple question: What security should a device have? Ignoring for the moment what the device actually does, how should it be secured? This is generally referred to as the baseline – a list of capabilities that is the basic minimum regardless of device type. A device should have this baseline of capabilities whether it is a smart home door lock, a wearable medical device, an enterprise security camera, or an industrial control unit.
This past February, CTA – as part of a group called the Council to Secure the Digital Economy – began convening industry stakeholders that have a voice on cybersecurity. We brought 20 groups together in a process that came to be called the C2 Consensus. C2 stands for Convene the Conveners because each stakeholder group is a convener of the technical experts with its own membership.
As a group, we came to a consensus that there needs to be one common baseline for IoT device security. The resulting C2 baseline has 13 important security capabilities, ten that can be identified on the device, and three that are exhibited by the manufacturer. For example, a connected device should protect data; it should secure access to critical functions; and it should be identifiable on a network. These are building blocks of the kind of device that hackers hate.
The C2 Consensus on IoT devices and baseline security was published in September with the support of the 20 associations, coalitions and forums. As a next step, CTA’s standards team has brought together experts from our member companies to develop a technical standard.
The technical standard will have the rigor and detail engineers need when building a product. CTA standards are voluntary; consensus industry standards and the process are accredited by the American National Standards Institute (ANSI). The benefit of having an ANSI-accredited organization such as CTA coordinate this effort is that the resulting standard is an American National Standard and, as such, it has greater weight with everyone – from developers to regulators. CTA’s new document is expected to be published early next year.
This document will help retailers who are looking for ways to have discussions with manufacturers and suppliers about cybersecurity. On the one hand, retailers do not maintain the significant number of cybersecurity experts that would be needed to, individually, verify each product they stock. Such a distributed approach of each retailer verifying each product is woefully inefficient. Also, the labor market can’t really provide enough cybersecurity experts to fill the needs of all the retailers.
And yet, retailers need to understand and manage their supply chain. So, we pool the expertise in a technical standard. Retailers and manufacturers can agree on supporting such a technical standard. The retailer doesn’t need a huge team of testers and the manufacturer doesn’t need to establish in-house criteria. Each can focus on the part they do best.
Better design, installation, configuration, and onboarding will all help the IoT security picture as we transition to a 5G world. We just need consensus on technical requirements and broad use of best practices. With these steps, we’re making real progress in transforming the Internet of Things.
AT A GLANCE
WHO: The Consumer Technology Association
WHAT: A trade organization representing consumer technology companies
WHERE: Arlington, VA