We are seeing global momentum for new regulations for smart, connected products that will protect families from cyberhackers. Legislation is imminent in the United Kingdom, and it is based on European standards that are increasingly serving as a model for the world.
Attention is currently focused on consumer goods, from coffee makers and fitness trackers to thermostats and alarms. Regulators are identifying gaps and holes that put people at risk. But many of the same problems apply to the world of industry. Even if makers of devices for business use are regulated differently, they will soon be facing legislation as well.
We need to get ahead of this. With sensors increasingly connected to the internet, it is no longer sufficient to make a product, lock it down tightly, and then not touch it for 10 years. If you are designing connected products now and not considering compliance with security regulations, you face obsolescence or possible financial penalties.
Last month, Bsquare joined more than 100 companies large and small to sign a global statement on cybersecurity for consumer products. Organized by the World Economic Forum, the statement calls on manufacturers to adopt five capabilities as a baseline for what consumers can expect from a device: (1) No universal default passwords; (2) Implementing a vulnerability disclosure policy; (3) Keeping software updated; (4) Securely communicating; and (5) Ensuring that personal data is secure.
I was eager for us to endorse these capabilities, even though most of our customers are currently in the B2B space, because I believe they are entirely reasonable and the minimum any IoT company should be willing to sign up for.
The statement champions five of the 13 standards for consumer IoT put forth in 2020 by the European Telecommunications Standards Institute (ETSI) as EN 303 645. The ETSI list is excellent in my view. Unlike what we typically see with industry standards, its provisions are focused on outcomes and results, are written in clear, jargon-free language, and are available free of charge.
The United Kingdom is among the first to introduce national legislation requiring three of the ETSI provisions – no default passwords, implementing a vulnerability disclosure policy, and keeping software updated. Several other countries are also working on recommendations and regulations.
As obvious as these requirements seem to be, companies don’t seem to have a good handle on what is coming. I recently attended a seminar by David Rogers, CEO of specialist security company Copper Horse, and polling of the attendees revealed that nearly two-thirds thought that industry is “not at all” addressing security issues in consumer IoT. In terms of preparing their own companies, 11% had done nothing and 68% had done “a bit but we know we need to do a lot more.”
In some areas, software suppliers to B2B device makers may already be a step ahead. According to the IoT Security Foundation, more than 70% of IoT firms supporting connected devices for business have a vulnerability disclosure policy in place, compared to 21% of consumer product manufacturers. If someone finds a security problem in a product, a procedure posted on the company’s website gives them a businesslike way to report it so it can be fixed before it is shared publicly, in a coordinated way.
Some things may be a little more challenging in the realm of purpose-built devices for business, such as the ban on default passwords – an initial username/password combination like “admin/admin” that is inserted identically into every product and never has to be changed. Unattended devices like digital signs often log in automatically as a default user with a fixed password. That is easier to manufacture and administer, but very unfortunate if someone cracks the password: they now know the password for every device. More complications arise when McDonald’s buys a network of self-service kiosks, for example, than when a family buys a baby monitor. But we need to take this on.
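Of the five capabilities, the ban on universal default passwords is the one that most changes what happens on the production line, so here is an added illustration of the alternative: each unit leaves the factory with its own randomly generated credential, only a salted hash is stored, and a fleet audit flags any unit that still carries a shared or well-known default. This is example code written for this post, not Bsquare’s, ETSI’s or the WEF statement’s own material; the function names (`provision_device`, `verify_login`, `audit_fleet`), the small deny-list of default passwords, and the PBKDF2 iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed deny-list of "universal default" passwords that provisioning must
# never issue; the post's own example is admin/admin. A real list would be longer.
KNOWN_DEFAULT_PASSWORDS = frozenset({"admin", "password", "1234", "12345678", "default"})

PBKDF2_ITERATIONS = 100_000  # hypothetical tuning value; raise it for production hardware


@dataclass(frozen=True)
class DeviceCredential:
    """What the device (or its fleet manager) stores: never the password itself."""
    serial: str
    username: str
    salt: bytes
    pw_hash: bytes


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def generate_device_password(length: int = 16) -> str:
    """Random per-device password from a CSPRNG, avoiding look-alike characters
    (0/O, 1/l/I) so it can be printed on a label without transcription errors."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if candidate.lower() not in KNOWN_DEFAULT_PASSWORDS:
            return candidate


def provision_device(serial: str, username: str = "operator") -> tuple[DeviceCredential, str]:
    """Issue a unique credential for one unit at manufacturing time.

    Returns the stored record plus the clear-text password exactly once, so it can be
    printed on the unit's label or handed to the installer; it is not stored anywhere.
    """
    password = generate_device_password()
    salt = os.urandom(16)  # per-device salt: even identical passwords would hash differently
    record = DeviceCredential(serial, username, salt, _hash_password(password, salt))
    return record, password


def verify_login(record: DeviceCredential, username: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored hash."""
    if username != record.username:
        return False
    return hmac.compare_digest(_hash_password(password, record.salt), record.pw_hash)


def audit_fleet(records: list[DeviceCredential]) -> dict[str, str]:
    """Return {serial: reason} for every unit that still carries a universal default.

    Two checks: the stored hash verifies against a known default password, or two
    units share the identical salt+hash (the same credential copied fleet-wide).
    """
    findings: dict[str, str] = {}
    seen: dict[tuple[bytes, bytes], str] = {}
    for rec in records:
        key = (rec.salt, rec.pw_hash)
        if key in seen:
            findings[rec.serial] = f"credential identical to {seen[key]}"
            findings.setdefault(seen[key], f"credential identical to {rec.serial}")
        else:
            seen[key] = rec.serial
        for default in KNOWN_DEFAULT_PASSWORDS:
            if verify_login(rec, rec.username, default):
                findings[rec.serial] = f"password is the known default {default!r}"
                break
    return findings


if __name__ == "__main__":
    record, label_password = provision_device("SN-0001")
    print("label for SN-0001:", record.username, label_password)
    print("audit findings:", audit_fleet([record]))
```

The design choice worth noting is that the clear-text password exists only at the moment of provisioning: the device and the fleet manager keep the salt and hash, so cracking one unit tells an attacker nothing about the next one, which is exactly the property the admin/admin approach lacks.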
This isn’t just a box-ticking exercise. Companies that start now and factor in this inevitable demand for security from the design stage will have a competitive edge. And of course, it’s the right thing to do for our customers.