Finding a path through the security maze

Steve Rogerson talks with Matt Wyckhouse from Finite State about security and the IoT.

Matt Wyckhouse from Finite State.

Security has always been an issue since the world became connected, but the growth of the IoT has changed the landscape somewhat, moving the onus from individuals using the technology to the companies making the modules and devices. We are all used to downloading security patches for our phones and computers, and, if we don’t, then we have only ourselves to blame. I don’t agree with that, by the way, but that is the way it is pitched to us.

For most IoT devices, the situation is different. If we want a smart speaker, we buy one based on its price and features. The same goes for a thermostat, or a smart door lock, or whatever. People generally don’t ask about the security of these devices, trusting the manufacturers to have got that right. Well, a lot of times they don’t get that right, and that is why we are increasingly seeing governments and lawmakers stepping up and pressurising companies to do it properly. As I said, the onus has moved.

Well-publicised incidents a few years ago, such as a casino being hacked via the thermometer in its aquarium, ransomware attacks on hospitals and the famous Jeep being driven off the road in a controlled breach, all served to increase awareness and prompt action from above.

I was reminded of these incidents this week in a chat with Matt Wyckhouse, CEO of Ohio-based security company Finite State (www.finitestate.io).

“The experiment over the past decade has been to see if the free market can handle this, and it hasn’t,” Matt told me, “so governments are stepping in to enforce security standards. This is happening in several countries at the same time.”

The USA started taking this seriously three or four years ago, but mostly on the medical side with strict requirements on software and hardware for a device to be approved by the FDA.

“The minimum is a pretty high bar,” said Matt. “But if they don’t meet it, the device gets rejected.”

This was really the start of shifting the responsibility for security to the manufacturers.

In Europe, the EU’s Cyber Resilience Act came into existence late last year and has set cyber-security standards across a range of IoT goods from burglar alarms and baby monitors to smart watches and just about any IoT device. The penalties for not complying are strict, including fines up to €15m or 2.5% of global annual turnover. There is a three-year transition period, with enforcement starting in late 2027.

“And if you don’t meet the requirements, you can’t get the CE Mark,” said Matt. “The EU likes regulations a lot more than the USA does. The EU is taking the lead and that is becoming less of an issue because companies sell globally, so if they do it for products going into the EU, they work the same for other markets.”

However, he said it looked like the US federal government would start enforcing cyber-security standards. The voluntary Cyber Trust Mark is a step in this direction.

The problem is that we are seeing different initiatives in different parts of the world to tackle the same problem. That can be a bit of a nightmare for the manufacturers of components, modules and final products, who are trying to cut through all this and sell their products without risking heavy fines or being rejected and sent back to the drawing board.

To help, the IoT M2M Council (IMC) and the Global Certification Forum (GCF) have formed a joint task force (www.iotm2mcouncil.org/imc-gcf-joint-task-force-on-iot-security), a move welcomed by Matt. His company Finite State recently joined the IMC (www.iotm2mcouncil.org/iot-library/news/iot-newsdesk/finite-state-joins-imc-to-push-holistic-security) and Matt is keen to see the task force get to grips with the problem.

“The goal of the task force is to provide practical guidance, showing companies the hands-on steps that are most relevant to them,” he said. “It wants to provide clear steps that IoT firms can follow.”

These are still early days, with the task force being unveiled to the industry at last month’s CES in Las Vegas, but Matt says the pace will pick up rapidly in the next couple of months.

“We don’t need more standards,” said Matt. “What this is trying to do is provide more guidance on which standards to look for. There are too many standards and there is a lot of room for interpretation on how to meet those standards. The goal here is practical guidance. If I am building a new IoT device, what are the steps I must follow? The task force wants to help them follow a process that sets them up for success from the beginning.”

All of which has to be a good thing. Companies don’t want the products they sell to be hacked, or to be fined for not complying with regulations, but they often struggle to know exactly how to achieve this. They want someone to take them by the hand and lead them through the maze. Hopefully, the task force will do just that.