For the past few years, concerns have been mounting over the lack of security in many consumer Internet of Things (IoT) devices. Stories are far too common about Internet-connected devices spying on users, or about consumer devices being “hijacked” and then being used as part of massive botnets by hackers. So it’s a positive sign that industry trade groups and IoT security firms are finally starting to create new IoT security ratings that can bring more safety, security and transparency to everyday consumer IoT devices.
For example, global safety certification firm UL recently introduced a new IoT Security Rating with five different levels of security: Diamond, Platinum, Gold, Silver and Bronze. The key selling point of this new IoT security rating is that it will be an independent, efficient and comprehensive evaluation of the security features of any device, based on industry best practices. UL says that it has used 20 different design principles to come up with a methodology to certify products and their security features. The new IoT Security Rating, which will appear on packaging for popular consumer-facing IoT products, is designed to offer a number of benefits to both consumers and manufacturers.
First and most importantly, the new IoT security rating system is designed to empower consumers to make smarter decisions about the products and IoT solutions they purchase. Currently, when consumers purchase IoT devices or other connected devices, they have little or no idea of the relative safety of these devices. Often, they are encouraged to buy the latest “cool” tech gadget, without once giving thought to safety and security measures. For example, consumers might purchase Ring video doorbells or Nest thermostats, without once considering how those devices might be hacked to track and monitor homeowners.
Secondly, the new UL IoT security rating will enable manufacturers to differentiate their products from those of rivals. With safety and security very much on the minds of consumers these days, those firms that can demonstrate their dedication to IoT security are likely to garner greater market share, and ultimately, greater profitability. Thus, consumers would be more likely to purchase a product with a “Diamond” IoT security rating than a product with a “Silver” or “Bronze” IoT security rating. In the tech sector, there is tremendous opportunity to use IoT security as part of overall marketing, branding and promotional efforts.
Thirdly, the new UL IoT security rating will bring much greater openness and transparency to the Internet of Things. Right now, there is no way to compare “apples with apples” and “oranges with oranges,” since manufacturers like to make claims about their products that have not been independently verified. The new IoT security rating will make it immediately possible to consider and weigh the security features of new products. And, since packaging will contain the IoT security rating very prominently, it will bring much more consumer awareness to IoT security.
The new UL IoT security rating is further proof that the push for IoT standards and regulations is finally gaining momentum. Right now, the UK and Australia are world leaders when it comes to IoT security, with both nations already enacting voluntary standards for consumer IoT devices. And, in January 2020, both California and Oregon in the United States are scheduled to enact new legislation that will require “reasonable security features” to be added to IoT devices.
Since UL is a global company with a 100-year history and offices in 46 countries, it is not unreasonable to expect that UL will begin to push its new “trust mark” in every country where it does business in order to help secure devices. Since so many IoT tech companies are based in California, it’s not unreasonable to think that IoT security ratings could start to take off across America if a number of big-name Silicon Valley firms begin to embrace them. And it might lead to new thinking about IoT security ratings for industrial control systems.
While new IoT security ratings are, generally speaking, a positive development, there are some problems and challenges to consider. For example, some IoT security experts have theorized that these IoT security ratings might lead to a false sense of security and a weaker, not stronger, security posture. Lazy consumers might think there is no need to update default passwords, for example, if a product comes with a “Diamond” rating.
Another issue is the rapid pace of change in the tech space: a rating or certification given in one year may no longer be valid as soon as new security vulnerabilities are discovered. Thus, a “Gold” product with continuous updates and patching might end up being much safer than a “Diamond” product.
And then there’s the matter of the rankings themselves. According to IoT security experts, most products today would probably get “zero stars” if judged fairly and accurately. So it might be misleading to hand out even two or three stars to most products today.
And, finally, there is the pesky matter of how IoT products interact with each other as part of an “ecosystem” of products. Each individual product, analyzed separately, might come with a stellar ranking or rating. But that same product, when connected to a host of other products in the home, might introduce a number of very obvious security flaws.
Beyond new IoT security ratings and new IoT legislation that mandates best security practices, what else can be done to improve the state of IoT security and secure the Internet? According to IoT experts, three different sets of stakeholders – consumers, businesses and government – all need to step up and play a role. For their part, consumers need to take responsibility for software updates and changing passwords on a regular basis. Businesses need to make security a design priority, and not just something added at the end of the design process as an afterthought. And governments need to take a proactive role in not only creating new standards, but also enforcing them.
At the end of the day, IoT security is not a static target or goal. New security vulnerabilities will be discovered over time, and hackers will continue to be more and more devious in how they target IoT devices. So it’s important for all players involved – consumers, businesses and governments – to stay ahead of potential security flaws, vulnerabilities and weaknesses. The good news is that, with new IoT security ratings in place, that process becomes much easier and more transparent.