Internet of Things Security by Contract?
This article suggests that the Internet of Things could be made more secure if large buyers of interconnected devices put into their procurement specs some fairly simple rules, e.g. *some* security to start with, e.g. an adjustable password, and patchability to respond to known or discovered threats.
Does this sound right to you? Do your clients insist, or even care?
No doubt large-scale one-off procurement contracts deal with security – well, I hope they do – but what about procurements on more of a mass scale?
I heard of a study over three years ago that found a huge proportion of IoT devices had either no security (the people who build them care a lot about cool connectivity but have no knowledge of or interest in security) or security flaws that had been known about, and even patched, for years, but the current version of the software was not used in the devices.
In any event, are large industrial or health-care users influential enough to help secure our home thermostats?
It seems to me that car manufacturers have said it will take them several years to incorporate rudimentary security into cars so the on-board computers can’t be hacked through the electronic tire-pressure sensors (which can be done now). So does anyone *really* care?
It does not sound right.
We should turn to existing protocols for guidelines on how to secure new technologies. These protocols arose through industry consensus and open or popular proprietary standards (HTTP, SSL, wifi security, PGP) rather than because buyers demanded them on their lawyers’ advice.
At the very least the buyer will be able to choose devices that are more secure by doing this. For the bigger picture, it strikes me as one of those things that can’t hurt, and might help. The key is to require information about security methods on the products and include that on the decision ranking – rather than dictating specific details.