Addressing the fragmented nature of IoT security requires understanding where the issues come from, writes Zachary Amos, Features Editor of ReHack Magazine
The Internet of Things (IoT) boom connected billions of devices, from factory sensors to smart doorbells, changing the way people live and work. Yet security efforts are scattered, making it challenging for device makers, developers and users to keep pace with threats. This article looks at why IoT security is fragmented and explores practical steps to help developers and manufacturers navigate the patchwork of rules and practices.
Why IoT security is fragmented
The patchwork stems from a handful of core issues that pull security efforts in different directions. Fragmentation means everyone is using different tools and rulebooks, leading to patchy coverage. Here are some of the reasons why.
Variances in manufacturer processes
An industry poll showed that while most UK IoT makers agree on security matters, just over 76% have no way for security researchers to alert them to security problems. Some also add safety features only once penalties loom, while others only act under customer pressure. The result is a plethora of devices: some are updated regularly, and others are not patched at all.
Differences in rule books
In the UK, the Product Security and Telecommunications (PSTI) Act sets the basic guidelines for Internet-connected devices. However, manufacturers also follow the UK Code of Practice for Consumer IoT Security and European Standards like ETSI EN 303 645. Each of these rules has its own deadlines and definitions, leading to gaps and uneven protection.
Differences in sector needs
Healthcare monitors, consumer gadgets, and industrial controllers have distinct rules and risks. A hospital infusion pump and a smart speaker can both connect to the internet but still follow separate guidance. The split means one firm’s best practices in a certain industry may not apply to another, scattering security efforts further.
Complexity and scale
As deployments expand — say, from a hundred smart meters to millions of IoT sensors — companies struggle to keep up. Staying on track with software versions, device models, and configurations across such large scales brings problems in updating, support, administration and more.
Steps for manufacturers and developers
Even in a mixed environment, teams can take straightforward actions to raise security. These steps include the following.
1. Setting up clear bug-reporting protocols
Provide an easy-to-use intake form or email address so that anyone can report faults. Commit to acknowledging reports within 36 to 72 hours, for example, and then aim to fix critical errors within 90 days or as applicable.
2. Designing with security as the priority
From the first sketches of the device, imagine how it could be attacked later on. Start with the basics, such as using unique passwords, restricting permissions and ensuring the device can check its own software before it begins running. Missing steps can be spotted early by matching product features against core standards.
3. Rolling out updates
Use over-the-air updates that can push patches without any user intervention. If the update fails, allow the design to revert to its previous working state. Rigorous testing under real-world conditions should be performed for every change and update made.
4. Limiting access and segmenting networks
Separate IoT traffic so breaches in one gadget do not spread to core systems. Use robust credentials and certificates for strong authentication and apply least-privilege rules, where the device or user only has access to the minimum rights necessary to function.
5. Engaging with standards groups and demanding transparency from suppliers
Get involved with the UK IoT Security Foundation or ETSI groups to know about rule changes as they happen. This is also a great way to collaborate with peers and develop best practices. Suppliers should provide a detailed bill of materials and confirm the reliability of their own security checks.
Customer feedback and reports are critical to resolving issues. Provide plain-English instructions for the initial setup process, update installations and password changes. Online tutorials and an automated help desk also enable users to fix issues without exposing device weaknesses.
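The behaviour described in steps 2 and 3 (the device checks its own software before running it, and a failed update reverts to the previous working state) can be sketched as a two-slot update scheme. This is an added illustration, not code from the article: the `Device` class, slot names and key are hypothetical, and HMAC-SHA256 stands in for the public-key signature a production bootloader would verify.

```python
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 is a stand-in for the asymmetric
# signature check (vendor public key) a production bootloader would use.
VENDOR_KEY = b"constructed-demo-key"

def sign(image: bytes) -> bytes:
    """Vendor side: produce the tag shipped alongside the image."""
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

class Device:
    """Hypothetical device with two firmware slots, A and B."""

    def __init__(self, image: bytes, tag: bytes):
        self.slots = {"A": (image, tag), "B": None}
        self.active = "A"       # last known-good slot
        self.pending = None     # slot awaiting one trial boot

    def _verified(self, slot: str) -> bool:
        entry = self.slots[slot]
        return entry is not None and hmac.compare_digest(sign(entry[0]), entry[1])

    def stage_update(self, image: bytes, tag: bytes) -> None:
        """OTA step: write to the inactive slot; the active slot is untouched."""
        spare = "B" if self.active == "A" else "A"
        self.slots[spare] = (image, tag)
        self.pending = spare

    def boot(self, self_test=lambda image: True) -> str:
        """Try the pending slot once; fall back to the active slot on failure."""
        trial, self.pending = self.pending, None
        if trial and self._verified(trial) and self_test(self.slots[trial][0]):
            self.active = trial  # commit only after verification and self-test
        elif not self._verified(self.active):
            raise RuntimeError("no bootable image")
        return self.active

def demo() -> list:
    v1, v2 = b"firmware v1", b"firmware v2"   # constructed sample images
    dev = Device(v1, sign(v1))
    results = []
    dev.stage_update(v2 + b"tampered", sign(v2))         # tag does not match
    results.append(dev.boot())                           # stays on A
    dev.stage_update(v2, sign(v2))
    results.append(dev.boot(self_test=lambda i: False))  # self-test fails: A
    dev.stage_update(v2, sign(v2))
    results.append(dev.boot())                           # verified, healthy: B
    return results
```

Because an update is only ever written to the inactive slot, a rejected or failing image never displaces the firmware the device last ran successfully.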
Bridging the IoT security divide
Shifting from disjointed efforts to a unified approach requires manufacturers, regulators and users working together. Fragmentation won’t vanish overnight, but a shared commitment to collaborate and improve continuously can turn today’s patchwork into tomorrow’s foundation. When everyone treats security as a shared responsibility, the IoT ecosystem can move away from vulnerability and turn into a unified and resilient network.

Zac Amos is a freelance tech writer who specialises in IoT, cybersecurity, and automation. He is also the Features Editor at ReHack Magazine.