Certification Marks for IoT Devices – A Suggestion to the FTC and California

According to a recent prediction detailed in the Deloitte Global TMT Predictions 2017 report, incidents of DDoS are expected to rise to 10 million attacks during the year. The escalation of DDoS, according to them, is primarily due to the growing base of insecure IoT devices, readily available online instructions for unskilled attackers, and rising uplink data speeds.

One of the solutions Deloitte Global has recommended is certification marks for connected devices. They propose that device vendors should obtain security certification for their products, and for this to be labeled on the device packaging. In addition, they also recommend the introduction of software grading systems to help consumers understand the caliber of the security provided with the product they are considering purchasing.

Simultaneously, the Federal Trade Commission (FTC) has launched an IoT Home Inspector Challenge, with a prize of up to $25,000, that challenges the public to create a technical solution for consumers that can guard against software security vulnerabilities found on connected Internet of Things (IoT) devices in their homes. Contestants also have the option of adding features, such as those that would address hard-coded, factory default, or easy-to-guess passwords.

And in a similar way, California lawmakers are asking for IoT regulations through SB 327, which calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates

Certification Marks Suggestion for Home Appliances

Similar to the suggestions I made in my 2015 blog, the FTC and California lawmakers must ask vendors to self-declare at least following information:

1. This IoT device ONLY communicates to a specific Internet address or defined set of addresses (name the address or provide a very short list.)
2. This IoT device ONLY communicates outbound, and DOES NOT respond to inbound communications except under specified conditions.
3. This IoT device ONLY uses the following named protocols and ports (and list the protocols and ports).
4. This IoT device uses reasonable security for authentication, authorization, and encryption for communication with the device. (This is where a certification standard would be helpful.)

These communication declarations will force IoT manufacturers to revisit their quality assurance processes and fortify their Internet communications.

The reason why this is so important is that most home users are simply not technical enough as users, and therefore cannot create sophisticated firewall rules for themselves. As a result, the responsibility for security must lie primarily with the IoT vendors and their associated operating systems to self-enforce such behavior.

Posture of Security Appliances

Security appliances must enforce the above policies to ensure that IoT devices are secure, and that cybercriminals are not able to misuse their connectivity. This is true both for individual consumers and for organizations adopting IoT as part of the new digital business model.

For enterprises and other organizations, the Fortinet Security fabric architecture can also ensure that networks, devices, and data are protected from both inbound and outbound attacks, including malware and DDoS attacks. Within a Security Fabric framework, ATP security tools inspecting for advanced threats, the automatic segmentation of IoT traffic, anti-DDoS tools, and other security technologies can all work together to correlate intelligence, identify threats, and provide a coordinated and synchronized response anywhere along the potential attack surface, from IoT to the cloud.