EU Pushes IoT Security Regulations

The European Commission has said it is planning to push industry governance measures that would improve the security of Internet-connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.

Speaking at a conference in Brussels, a senior Commission official said the body wants to take the measures to ensure consumers continue to trust Internet-connected products.

Certification scheme?

Thibault Kleiner, deputy head of cabinet for Commission digital policy commissioner Günther Oettinger, said the body wants to see the creation of a certification process for “Internet of Things” devices that would ensure users are protected.

“That’s really a problem in the Internet of Things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,” Kleiner said, according to a report by news outlet EurActiv.

He said such a scheme could be comparable to the European energy-consumption labelling scheme, which was implemented by an EU directive in 1992 and covers products such as white goods, light bulbs and automobiles.

But he acknowledged some hardware manufacturers consider such a scheme unworkable and instead want to see the development of a standardised SIM card-like component that would be used in connected electronics to ensure security.

IoT botnets

Currently most connected devices include minimal security protections, allowing hackers to infiltrate them en masse and assemble them into powerful botnets directing malicious traffic to knock websites offline.

The users of such compromised devices would in most cases be unaware that the product was being misused, according to computer security researchers.

The Commission has begun to organise its efforts around IoT, including setting up a group called the Alliance for Internet of Things Innovation last year backed by large firms in industries including energy, automotive and health care.

But there are already around 6 billion connected devices in use around the world, a figure expected to rise to 20 billion by 2020, according to consultancy Gartner.

Insecure devices

The IoT security issue made headlines last month month when a botnet made up of compromised devices was used in an attempt to disable popular IT security website Krebs On Security.

The attack was carried out on a scale rarely seen before, even in incidents involving more conventional botnets made up of PCs, according to Akamai, the Internet management service that dealt with the attack.

Bruce Schneier, a well-known computer security researcher, said last week the attack shows regulation is necessary.

“What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem,” he said in an editorial on IT publication Motherboard. “The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care.”

Are you a security pro? Try our quiz!