By: Erik van der Horst - CEO - SIL Products
Published: 20-11-2017
In the last few weeks I visited several meetings about Internet of Things (IoT) security. Meetings on the use of standards and a call for standards.
The new term “IoT” implies that it is something new. In fact there is not much new. Most technologies are existing. We just see many products coming from new players with limited experience in the field. This seems to generate a feeling that we are moving in a new world, without regulations. The press seems to be picking this up and enhances this novelty feeling.
Let us cool this feeling down a bit. IoT is:
- Hardware with
- Embedded software to control the device and/or
- Server-based software to control or program the device and/or
- An external application for programming/controlling the software.
Safety and security of these products are all covered in existing standards. To sum up just some examples: the ISO2700x series for security, the EN60730 series for automatic controls, EN60950 for IT based connections and its update EN62368. The working group looking at the possible new IoT standard also realizes this and is now first analyzing possible gaps, instead of diving into a new standard.
Operating System updates that cause the requirement for driver updates are not new either. Some updates may change the function or performance of the hardware. Therefore a firmware update should always be followed by an analysis of whether the hardware should also be retested against its standards. Again, old news (although some companies may forget to do this).
But the botnets and other “hacks”?!
If you look into the various attacks on IoT devices, all are related to devices where the user did not change the factory login/password settings. Is that really a hack? Fact is that this is common sense and not a reason for more legislation. Happened once, won’t happen again. Factories just have to make sure consumers must change the password and login name, preferably together with a minimum password length and character set.
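A minimal first-boot gate that enforces the forced change of factory login name and password described above, as an added example that is not code from the author or from any product. The factory defaults, the 12-character minimum, the four required character classes and all function names are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed values for this sketch, not taken from any real product. */
#define FACTORY_USER "admin"
#define FACTORY_PASS "admin"
#define MIN_PASS_LEN 12   /* assumed policy value */
typedef enum { CRED_OK, CRED_BAD_USER, CRED_DEFAULT_PASS,
               CRED_TOO_SHORT, CRED_WEAK_CHARSET } cred_result;
typedef struct { bool provisioned; } device_state;

/* Check a proposed login name and password against the setup policy. */
cred_result check_credentials(const char *user, const char *pass)
{
    bool lower = false, upper = false, digit = false, other = false;
    size_t plen = strlen(pass);
    if (!*user || strcmp(user, FACTORY_USER) == 0) return CRED_BAD_USER;
    if (strcmp(pass, FACTORY_PASS) == 0) return CRED_DEFAULT_PASS;
    if (plen < MIN_PASS_LEN) return CRED_TOO_SHORT;
    for (size_t i = 0; i < plen; i++) {
        unsigned char c = (unsigned char)pass[i];
        if (islower(c)) lower = true;
        else if (isupper(c)) upper = true;
        else if (isdigit(c)) digit = true;
        else other = true;               /* punctuation, space, etc. */
    }
    if (!(lower && upper && digit && other)) return CRED_WEAK_CHARSET;
    return CRED_OK;
}

/* The device leaves setup mode only after an accepted credential change. */
cred_result provision(device_state *dev, const char *user, const char *pass)
{
    cred_result r = check_credentials(user, pass);
    if (r == CRED_OK) dev->provisioned = true;  /* hashing/storage omitted */
    return r;
}

/* Remote control stays off while factory credentials are still in place. */
bool remote_access_allowed(const device_state *dev) { return dev->provisioned; }

int main(void)
{
    device_state dev = { false };
    cred_result r1 = provision(&dev, "admin", "admin");
    cred_result r2 = provision(&dev, "home_user", "Blue-Socket-2017");
    printf("factory=%d changed=%d remote=%d\n", r1, r2, remote_access_allowed(&dev));
    return 0;
}
```

The point of the gate is that remote access is tied to the provisioning state rather than to a reminder in the manual, so a device left on factory settings is never reachable from outside.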
The larger part of the industry is experienced and professional. “IoT” devices have been operating at minimal risk for end users for many years already. Discussions with Internet security experts usually boil down to making sure the front door is locked well, both the physical door and the virtual one (modems and routers). Of course, some products can be improved and made more user-friendly in this aspect, but this can be done without expensive consultants.
Another topic that is hot, but (European) regulation is so strong that this has been completely covered.
IoT has been around us for years and making up a new name does not change the product. Security and safety have been regulated in standards and the industry is up-to-date. Regarding securing their own personal networks, we may have relied a little bit too much on the responsibility of the end users. Some improvements here are necessary, but all in all it seems we do a good job.
About the author
17 years’ experience in standardization and risk consulting, product testing, product development and purchasing consumer electronics. Working for retailers with extreme requirements, like Lidl and Aldi. Our products are found in 29 countries. In 2015 we sold 42.000 WiFi sockets with App, with now 25.000 users. Currently we are developing a full smart home (domotica) system, where security is also a major topic.