what is “plan b” for iot security?

Schneier has a recent article on security concerns for IoT (internet of things) devices - IoT Cybersecurity: What’s Plan B?

We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference.

We need a Plan B, although I’m not sure what that is. Comment if you have any ideas.

There are loads of great comments on the post.

Here’s the start of some of my thoughts:

There are a host of avenues which need to be gone down and addressed regarding device security in general, and IoT security in particular.

Any certification program could be good .. right up until the vendor goes out of business. Or ends the product line. Or ends formal support. Unless we go to a lease model for everything, you’re going to have unsupported/unsupportable devices out there.

We can’t have patches ad infinitum because it’s not practical: every vendor EOLs products (from OSes to firearms to DB servers to cars, etc).

A few things which would be good:

• safe/secure by default from the vendor – you have to manually de-safe it to use it (like a rifle which only becomes usable/dangerous/operable when you load a cartridge and put the safety off)
• well-known, highly-publicized support lifecycles (caveating the vendor going out of business)
• related to the above, notifications from the device as it nears end of support
• notifications from the device as well as the vendor that updates/patches are available
• liability regulations – and an associated insurance structure – affecting businesses which choose to offer IoT devices across a few levels:
  1. here it is :: you deal with it || no support, no insurance, whatever risk is there is your problem
  2. patches / updates for 1 year || basic insurance / guarantee of operation through supported period, as long as you’re patched up to date
  3. patches / updates for 3 years ||
  4. patches / updates for 5 years || first-level business offering || insurance against hacks / flaws that have been disclosed for more than 90 days so long as you have patched
  5. patches / updates for 10 years || enterprise / long-term support || “big” insurance coverage (up to a year, so long as you’re yp-to-date) || proactive notifications from the vendor to customers regarding flaws, patches, etc

There are probably other things which need to be considered.

But there’s my start.