British Telecom (BT) recently announced it is assembling an in-house security force to protect its customers. We have also seen recent moves by government agencies around the world to enhance the security of IoT devices connected to public networks. The time is fast approaching for service providers to implement far greater security measures. [1]
With more than a billion IoT devices currently “online” around the world, this will undoubtedly be a collective effort, involving device manufacturers, standards bodies, other parties in the supply chain and end users themselves.
The large volume of IoT-based attacks can be attributed to several factors. For one, there is a general lack of security in the IoT ecosystem, particularly for consumers or micro-businesses who may not be aware of the risk those devices pose. Additionally, there is great diversity in OEMs and operating systems in the IoT ecosystem, which can often lead to a fragmented approach to security updates (if they are done at all).
This situation is compounded by the rise of peer-to-peer communications between IoT devices. This type of communication between end-user and server is designed to eliminate latency and give greater control to the end user, but it also adds yet another communications “path” to track and monitor.
It is clear that IoT security poses a great challenge for regulators, device manufacturers and end-users. It will be close to impossible to expect IoT device manufacturers to understand and implement the different security requirements and regulations in each country. Even if they did, how would government agencies enforce regulations given the huge number of IoT vendors, device types and models?
This growing level of concern has caught the attention of government bodies such as a division of the U.S. Department of Commerce known as NIST, or the “National Institute for Standards and Technology.” Recognizing that standard appliances and smaller devices such as lights and thermostats are increasingly likely to be Wi-Fi connected, NIST publishes a compendium of IoT guidance documents to define these IoT security and privacy considerations and provide general guidance on how to secure IoT devices.
The principal issue recognized by NIST and similar agencies around the world is that regulating IoT devices differs greatly from network level gateway security. For instance, IoT devices have low CPU and memory, which prohibits the addition of a security layer. Further, manufacturers of these relatively inexpensive devices do not wish to add to their “overhead” by hiring the requisite security expertise.
Time for the Service Provider Community to Take Action
As noted by Katherine Gronberg, the Head of Government Services at Night Dragon, an investment platform focused on cybersecurity, security, and privacy risk: “If left unaddressed, the problem of insecure IoT in homes will only get worse. We can easily anticipate a future in which compromised IoT devices will result in physical, destructive impacts. What if hackers could hold your home hostage by locking up your smart devices in exchange for ransom payment? Or, worse, what if they could threaten destruction of your home by compromising your networked fire sprinklers? Would you pay these criminals to avoid this catastrophe? Would your insurance company cover your payment?”
Service providers can participate in the security efforts emerging around the world by enacting procedures to identify and monitor IoT devices connected to routers of their residential and SMB customers – and this can be achieved in a totally “anonymous” and confidential manner.
Device intelligence across the network can be achieved with cloud-based and machine-learning techniques known as device fingerprinting and device behavior anomaly detection. Service providers can enable these services via non-intrusive software downloads and the cloud-based processing of all data collected ensures customer privacy.
The conclusion is that IoT security needs to be implemented at the network level (router-based) and government regulators should work closely with the ISPs to implement such measures and solutions. This would benefit end-users, who will be less exposed to personal data leaks and privacy violation through exploitation of vulnerabilities in IoT devices. It will also benefit the service provider, who will be able to ensure service continuity, enhance its brand reputation and reduce customer support costs.
A good example of the “ecosystem” taking action on this issue is seen in efforts such as the Council to Secure the Digital Economy (CSDE), which is a collaborative effort involving leading telecoms equipment manufacturers, service providers, device manufacturers and the major U.S. telecoms industry organizations, such as TIA, ATIS, CTIA and USTA. Such efforts would include an education component as well – to help customers take pro-active measures themselves.
A specific example of a service provider taking action can be found in one of the world’s leading telecoms companies, Bezeq, who in 2021 alone detected and prevented more than 690 million Phishing & DDoS attacks. Not only did they keep their subscriber base safe, but this move also significantly improved their market positioning and grew their ARPU.
ISPs will need to assume responsibility for secure connectivity, and it’s becoming clear that governments are also beginning to acknowledge the true importance of cyber security and prevention of digital attacks originating in gateways and IoTs.
- https://www.timesofisrael.com/seeing-hack-attacks-on-the-rise-israel-order-telecoms-to-erect-cyber-iron-dome/
- https://www.twobirds.com/en/insights/2022/uk/government-consults-on-stronger-legal-duties-for-providers-of-public-telecoms-services
- https://www.zdnet.com/article/singapore-begins-licensing-cybersecurity-vendors/
- https://www.zdnet.com/article/brazil-creates-cyberattack-response-network/
- https://www.gov.br/anatel/pt-br/assuntos/seguranca-cibernetica
- https://csrc.nist.gov/publications/detail/nistir/8228/final