We all know that IoT devices are being adopted on an impressive scale, with some estimates as high as 34 billion connected devices by 2020. These new devices will be utilised in our homes, at our offices, by the industrial sector and by our governments – all for different uses, depending upon the design, need and technological savvy of their users.
However, IoT devices pose two great challenges for developers seeking to cross ‘the chasm’ of adoption of advanced technology by mainstream consumers. First, the security threats of attack are greater than for traditional computing devices (e.g. laptops, smartphones, etc) as those attacks target data while the IoT introduces the threat of cyberphysical attacks on an industrial level and consumer level.
Second, these security threats compound already valid and growing privacy concerns around IoT devices. Such increased concerns will place greater pressure upon fractured regulators to act to protect users of such devices.
IoT security threats
Some of the IoT security challenges are already here, such as the recent spate of DDoS botnet attacks relying upon IoT devices or attacks upon industrial equipment controlled by IoT devices.
How long until attackers begin to direct similar attacks upon the home appliances plugged into smart plugs or controlled by smart thermostats? And, of course, the potential for taking and directing control of IoT devices remains omnipresent.
Further, in an age of ransomware, where one’s electronic world can be held hostage by a remote attacker demanding payment, how long until one’s connected, physical world is held hostage in a similar manner? This could be done by taking direct control of individual devices, by use of a DDoS attack against a user’s devices, or by other means.
While the specific steps to take to protect against such attacks will vary with the device, the use, and the end user’s sophistication, these are concerns that utilities should be mindful of as the IoT becomes omnipresent in our own facilities and our customers’ homes.
Over the last several years, the Federal Trade Commission (FTC) has led the way in regulating the privacy and security of consumer devices in the United States. A 2015 settlement between the FTC and Wyndham Worldwide over three data breaches that resulted in 600,000 customer records being released, ended the last legitimate challenge to the FTC’s jurisdictional authority over such matters. More recently, in a vote of 2 – 1, the FTC filed suit against D-Link, a hardware manufacturer that allegedly failed to properly secure its wireless routers and IoT cameras.
Like much else in Washington, however, things are changing. The FTC is currently undergoing a leadership change from chair Edith Ramirez – who has been a leading advocate of expanding the FTC’s jurisdiction in this area, and was in the majority on the D-Link decision – to Maureen Ohlhausen, the lone dissenting vote and now acting chair. Acting chair Ohlhausen sees the FTC’s authority as limited to those instances where concrete harm was experienced by the end-user.
It is hard to say what exactly this will mean for FTC policy beyond the broad stroke that there is likely to be a significant pull-back in the FTC’s activity in this space. This uncertain future, however, does not mean that the FTC will not return to this field in the future.
Nor will the FTC’s absence mean a lack of regulation. On the contrary, it will likely lead to more regulation of privacy in the US as individual states enter the space more aggressively. Filling their role as ‘the labs of democracy,’ the states will be willing to try many new things – some good, some bad. However, all will require diligence on the part of IoT developers, manufacturers and retailers, in order to stay on the right side of the law.
Internationally, the splintering of the European Union may also result in a similar patchwork across Europe. EU privacy regulators are still charging forward and the General Data Protection Regulation (GDPR) is set to become law in 2018. However, as international agreements such as Privacy Shield are threatened by actions in the US and abroad, there is only a greater need for diligence in monitoring these regulators as well.
What can a utility do?
First, utilities may wish to conduct a thorough analysis of what features are being offered and how they are being delivered by their partners, with an eye on the security and regulatory implications. This means having your attorneys or regulatory staff work closely with your engineers and all relevant partners. Independent analysis would also be helpful, as it can provide an objective, critical point of view from those not involved in the process.
Second, consider keeping less data. Too often, a vendor’s preferred approach is to keep as much data as possible, in the hope that it will lead to future potential value or features. However, doing so creates continued risk for your business and your customers. Data is risk in this world and by not having unnecessary data from the start you can avoid unnecessary headaches in the future.
Third, stay abreast of the regulatory landscape in the markets where you are active (and those where you hope to be active). When building a product or deploying new technology, it is not only the immediate regulations that are of concern but with the regulatory landscape moving as quickly as the technology, the product’s shelf life may be limited by not watching for regulatory activity on the horizon. MI
About the Author
David works for a large utility company in the United States and has over 15 years of experience in the technology policy arena. He is a sought-after speaker, and a member of the Advisory Board for the Georgetown Cybersecurity Law Institute, a planning commissioner for the City of Pasadena, California, Chair Emeritus of the State Bar of California’s Committee on Group Insurance Programs, and an active alumni leader of Long Beach City College, the University of Southern California, and the Georgetown University Law Center. The ideas expressed above are David's own.
Image credit: www.ubuntuinsights.com