UL: Collaborative effort needed to harden security devices against cyber-attacks

Dec. 12, 2017
With the feds stepping up regulatory efforts, the industry needs to come together to secure IoT products

For all of the potential benefits touted by industry pundits about the Internet of Things (IoT) and the capabilities it could bring end-users of security systems, there remain significant concerns about the ability to secure these devices and systems from malicious actors. After the distributed denial of service (DDoS) attacks launched last year by the Mirai botnet against DNS provider Dyn and the website of cybersecurity journalist Brian Krebs, it was revealed that many of the devices used in the attacks were unsecured surveillance cameras and DVRs, most of them taken over through factory-default Telnet credentials. That reinforced the role that security equipment manufacturers, installers and even end-users have to play in protecting these systems from hackers.

The fact remains, however, that there is still a lot of uncertainty amongst all of these parties about just how much responsibility they share in the equation. But while many continue to pass the buck and the blame, the federal government has decided to take it upon itself to hold the industry and manufacturers, in particular, accountable for implementing better cybersecurity measures in their products.

Last January, the Federal Trade Commission filed a lawsuit against D-Link and its U.S. subsidiary alleging that the company used inadequate safeguards on its wireless routers and IP cameras, leaving them vulnerable to hackers. A judge has since dismissed three of the agency's six counts against the company, but the case shows the government's willingness to take enforcement action against what it sees as lax attitudes towards cybersecurity.

On top of the FTC's enforcement actions, the Federal Communications Commission published a whitepaper earlier this year urging IoT equipment suppliers to incorporate "security by design" practices into their manufacturing process, so that cybersecurity is built into their products before they go to market. Although the government has only just begun to dip its toes into the relatively uncharted realm of IoT device security, the security industry cannot wait for regulators to issue a compliance checklist; it needs to be proactive in locking down these crucial life safety technologies, whether for commercial or residential applications.

One organization that is working to help manufacturers bolster their cybersecurity measures is Underwriters Laboratories (UL), whose seal has long been the gold standard in product safety testing. According to Neil Lakomiak, director of business development and innovation at UL, the attitudes of the life safety and security manufacturers UL works with toward cybersecurity run the gamut: some have invested heavily in protecting their devices against cyber intrusions, a few even purchasing small cybersecurity firms to embed the technology into their products, while others are doing very little.

“I think as we see more and more of these stories about breaches and more and more people being held accountable, as well as the FTC, FCC, other government organizations and even state attorneys general being outspoken about cybersecurity, you’re going to see people start to take more action, take it more seriously and begin to invest in it,” he says. “It’s quite an investment to make to be sure your products are hardened because it is not something that you do and everything is ok, but it is something you have to constantly invest in because the threats change on a daily basis.”

Lakomiak says that UL decided to get involved in cybersecurity issues several years ago at the request of its customers and because cyber risk is growing across all consumer and commercial product sectors. “We kind of are in the risk business; we help mitigate and understand safety, performance and reliability risk, and I think cyber is an emerging risk that is growing and we felt we had a responsibility as part of fulfilling our mission to begin to address that,” he explains. “We’ve begun to develop standards in earnest and offer services around them and we are in it for the long haul.”

For companies that are just beginning to make the necessary investment to harden their products, Lakomiak recommends that they put subject matter experts on staff to guide them on the steps that need to be taken, and that they look at the industry standards already available and incorporate them into their product development process. He says it is also a good idea to consider hiring ethical hackers to see what feedback they provide about which areas of their products need improvement.

“That can help you understand the security posture of your product and the different ways a bad actor might compromise it so that you can fix it,” he says. “Having multiple sets of eyes look at and evaluate the security of your product is a good thing. There is no silver bullet or cure-all to any of this and it’s just a function of making it harder for someone to compromise your product so they move on to someone else’s or just give up.”    

Despite some of the finger-pointing that has gone on within the industry with regards to who’s to blame for lax cybersecurity of surveillance cameras and other security products, Lakomiak says there really is a shared responsibility for everyone to address the problem.

“From a manufacturer’s perspective, you’ve got to ask the questions: are they doing the things you would expect them to do to harden their devices and make them difficult to compromise and hack? I think there is a lot of room for improvement on the manufacturing side, such as not allowing users to install their product if they don’t change the default password. That should become a very common coding practice,” Lakomiak explains. “On the user side, are they changing the default password? Do they know to do that and are they doing it, or are they taking shortcuts to get it installed for convenience? Are they updating their software? Integrators should also be looking out for their end-user customers by asking a lot of questions of the vendors about cybersecurity, from the standpoint of what they are doing to address cyber risks, and using that as a vetting tool to determine what products they are going to install. Everybody in the value chain needs to elevate their cyber posture.”
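The practice Lakomiak describes, refusing to let a device finish installation until the factory default password has been replaced, is small enough to show in code. The following is an added example written for this page, not UL's code or any vendor's firmware. The device class, the factory credential `admin`/`admin`, the minimum length and the short denylist of default passwords are all illustrative assumptions; the denylist is constructed here in the style of the credential lists Mirai-type scanners use, not copied from any real malware sample. Besides rejecting the default, the gate rejects passwords on the denylist, enforces a minimum length, and stores only a salted PBKDF2 hash so the new credential never sits on the device in plaintext.

```python
"""First-boot provisioning gate for a hypothetical IoT camera.

Added example: the device will not accept logins until setup has
completed, and setup will not complete while the credential is the
factory default, a known default-list password, or too short.
"""
import hashlib
import hmac
import os

# Assumed factory credential for the hypothetical device.
FACTORY_DEFAULT = ("admin", "admin")

# Constructed denylist of the kind of defaults botnet scanners try.
KNOWN_BAD_PASSWORDS = {
    "admin", "password", "root", "default", "12345", "123456",
    "1234", "888888", "user", "support", "pass", "guest",
}

MIN_LENGTH = 12  # assumed policy minimum
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def credential_problems(username, password):
    """Return the reasons a proposed credential is unacceptable (empty if OK)."""
    problems = []
    if (username, password) == FACTORY_DEFAULT:
        problems.append("factory default credential is still in use")
    if password.lower() in KNOWN_BAD_PASSWORDS:
        problems.append("password is on the known-default list")
    if len(password) < MIN_LENGTH:
        problems.append("password shorter than %d characters" % MIN_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 record; a fresh random salt per credential."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Constant-time comparison against the stored record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


class Device:
    """Hypothetical device: unprovisioned out of the box, no usable login."""

    def __init__(self):
        self.provisioned = False
        self.credential = None  # (username, hashed record) once set

    def complete_setup(self, username, password):
        """Finish installation only if the credential passes the gate."""
        problems = credential_problems(username, password)
        if problems:
            return False, problems
        self.credential = (username, hash_password(password))
        self.provisioned = True
        return True, []

    def handle_login(self, username, password):
        """'setup_required' until provisioned; then 'ok' or 'denied'."""
        if not self.provisioned:
            return "setup_required"
        stored_user, record = self.credential
        if username == stored_user and verify_password(password, record):
            return "ok"
        return "denied"


if __name__ == "__main__":
    cam = Device()
    print(cam.handle_login("admin", "admin"))  # setup_required
    print(cam.complete_setup("admin", "admin"))  # rejected: still the default
    print(cam.complete_setup("operator", "correct horse battery"))  # accepted
    print(cam.handle_login("admin", "admin"))  # denied
```

The point of returning `setup_required` rather than `denied` before provisioning is that the default credential is never a valid login at any moment in the device's life, which is what closes the window a scanner like Mirai relies on.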

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].