The Case for “Shared Responsibility” in IoT Security
Sonu Shankar writes for the FCC in response to Commissioner Simington, advocating further for a new security model of Shared Responsibility.

Commissioner Simington has advocated requiring IoT device manufacturers (specifically, wireless device manufacturers) to explicitly commit to supporting their devices with firmware updates, an important step in the direction of securing IoT devices at scale.

With the proliferation of IP-connected devices in sectors such as Healthcare, Manufacturing, Energy, Retail, Hospitality, Financial Services, and several others, emphasizing fundamental security hygiene for devices should be a paramount consideration in any regulatory proposal aimed at securing IoT, including IoMT, ICS, OT, IIoT, and more. From a threat modeling standpoint, the three primary areas of significance in IoT are passwords, configuration, and firmware.

Undoubtedly, the use of default passwords stands out as the most trivially exploitable vector for threat actors targeting this fast-growing IoT attack surface. If an IoT device — patched and running current firmware — uses a default password, a threat actor can still effortlessly compromise the device without needing to develop a sophisticated exploit against firmware vulnerabilities; they would simply use the default password. Furthermore, the sheer diversity of devices in this space (manufacturers, deployment models, operating systems, communication protocols) means that there is no body of prescriptive configuration recommendations that maps to IoT at scale. Device misconfigurations and a general lack of adherence to best practices continue to leave large critical infrastructure environments at risk.

Lastly, echoing the concerns raised by Commissioner Simington, it is worth noting that IoT firmware patching remains a challenging issue, and the practice is often not deemed essential in many critical environments across the United States today.

Much like the Shared Responsibility Model in cloud security, which defines the responsibilities of both the cloud service provider and the customer for securing and managing cloud environments, the ubiquity of IoT now demands immediate attention and underscores the urgency of a similar model of “shared responsibility” for IoT security.

Read the rest of Sonu Shankar's piece here at Phosphorus.io or at FCC.gov.
