Durham chief constable Mike Barton has called for cyber security ratings to be displayed on all internet-connected devices so that people can purchase devices that will ensure their security and privacy.
Cyber security ratings in connected devices should be the most significant component of what people are buying, Barton said.
In a welcome move, Durham chief constable Mike Barton has called for all internet-connected devices to display cyber security ratings, just as they display energy-efficiency ratings as a mandatory requirement.
He said that the industry should shoulder the responsibility to devise a suitable rating system for internet-connected devices.
“You’ve got a situation where we don’t know what the security is like in the devices we are buying in the internet of things. It’s just not reported. And yet that is the most significant component of what it is you are buying,” he said.
If customers are given at-a-glance information on IoT devices' security credentials, they will be able to make informed choices and buy products that will ensure their security and privacy for as long as they use them.
In the recent past, a number of security research firms have uncovered hundreds of vulnerabilities in modern internet-connected devices which can easily be exploited by hackers. If people end up buying connected products with poor security credentials, hackers can invade their privacy by hacking into their Wi-Fi routers, security systems, cameras, and other devices.
Manufacturers of internet-connected devices are responsible for updating their firmware with the latest security patches to protect such devices from hackers. At the same time, they must inform customers of how secure such devices are and whether their privacy could be at risk. Given that there is no security rating system in place, customers are not aware of such things.
“It’s not just how many yoghurts you are eating that is at risk, it’s that your internet of things are all plugged into the same network. That is a back door into your network,” said Barton.
Barton added that there could be no better time to introduce such a rating system. While the concept of internet-connected devices is slowly gaining traction, it will be difficult to introduce a rating system in ten years' time when billions of such devices will be in use. “I don’t want to look back and be accused of not actually waving a flag to say we should be doing more,” he said.
Chris Hodson, CISO EMEA at Zscaler, says that unlike software vulnerabilities, which can be easily patched, hardware products have no easy means of patching the firmware. So, as is the case with mobile devices, hardware products should go through authentication, authorisation and logging practices to ensure that policy can be enforced and measured.
“Having the visibility over connected device traffic is also key to mitigate the threat of assets being infiltrated by hackers. A lack of visibility can result in a new form of shadow IT creating user dangers,” he concluded.