Whose Responsibility is it to Secure IoT?

  • Published: Wednesday, Dec. 4, 2019

IoT (Internet of Things) comes with security risks. But who is responsible for locking it down? The manufacturer? The Government? The organization? The end user?

IoT is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

Examples of IoT enabled devices are a security camera and a personal assistant like an Amazon Echo (Alexa). You might want to have Alexa control your camera. What are the security settings on each of the devices? That is important for the end user to know and configure. Remember that the security is only as strong as the weakest link.

So where does the responsibility for security lie? Certainly it is important the manufacturer takes care to manage the possible vulnerabilities and ensure the ‘rush to market’ and affordability factor does not conflict with security concerns. Manufacturers have been collaborating for several years to establish standards and certifications for IoT security.

Can government set requirements and restrictions to ensure that the use of IoT devices is secure? A set of standards that follow the Underwriters Laboratory Certification has been discussed but there is no real action realized. Last year California passed an IoT security law (SB 327) which will go into effect at the start of 2020. Part of law requires manufacturers to provide what is stated as ‘reasonable’ security features which basically just addresses the use of a unique password.

Organizations should certainly take care when deploying IoT devices on their network. Through the use of documentation, authentication, firmware updates, segmentation and continued vulnerability testing an organization can do a good job of strengthening their security posture.

Can the user be expected to know how these devices interact with each other and how to best enable controls to protect security risks? When discussing cyber security related issues it is assumed that the human element is the weakest link. Disabling default credentials and configurations, strong passwords and heightened alert of suspicious activities should be part of the practice.

So whose responsibility is it to secure IoT? It’s everyone’s.   


Internet Engineering Task Force MUD