Sarb Sembhi discusses the results of the polls from our recent webinar regarding the challenges of secure IoT. You can watch the full webinar, here.
As part of IFSEC Global’s Digital Week in May, my good friends and colleagues from the IoT Security Foundation Smart Building Group participated in a webinar entitled ‘The Challenges of Secure IoT’.
In this webinar I spoke first on: ‘Security provisions for the connected and IP based business – How secure is IoT?’ Next up was James Willison, who spoke on: ‘Security Strategies and the tactical response to IoT risks in the business’. Finally, Nick Morgan closed of the presentation part of the webinar with his talk entitled: ‘Security considerations for smart buildings’. If you were unable to attend, or would like to listen to the whole webinar again, it is available here.
During the webinar we were permitted to have a few integrated polls within the presentations to ask attendees, each related to our topic talks. Here are the full results and some thoughts on them.
Since I was speaking about ‘Security Provisions for the Connected and IP-based Business – How secure is IoT’, my first question at the end of the talk was to get an understanding of how many listeners were aware of the upcoming legislation on the security of Consumer IoT products.
Question: Are you aware of the upcoming Consumer IoT Legislation?
| Response options: | Result |
| Yes, and we have made all the necessary arrangements to: “develop securely” or “buy securely” | 8.20% |
| Yes, we are in the process of: “exploring complying” or “buying securely” | 16.30% |
| Yes, but we are in the very early stages of implementing this for: “developing” or “buying securely” | 18.40% |
| No, we have not heard of this but will explore for: “developing securely” or “buying securely” | 44.90% |
| No, this is not relevant for our products, or our buying decisions | 12.20% |
Unfortunately, as this was nothing more than a poll rather than a survey where we may have been able to differentiate who was a manufacturer and who was a consumer, the response options had to be phrased such that we could only gauge the knowledge and response of all participants, rather than why they were acting according to their role as a consumer or manufacturer.
However, this means that there was a “Yes” response of 42.90% compared to a “No” response of 57.110%. To me this seemed a little higher than I was expecting, I thought that the total “Yes” response would come in at around 33.00% in total. I based this on the feedback I get from the people I speak to in the industry – so this was the first interesting point for me.
The breakdown of the “Yes” response wasn’t that surprising, one would have expected to see the percentage of those who had already made arrangements to “develop securely” or to “buy securely” to be the smallest number and then to increase along the three options.
My expectations were that we would see higher numbers in the “No” response, because I don’t believe that the education by either the EU or the UK has been sufficient enough to get to either manufacturers or consumers. Also, I thought that there would be a greater percentage who may have considered that this legislation wouldn’t apply to them.
Overall, I was impressed with the higher “Yes” response than I expected, regardless of whether the respondents were mainly manufacturers or customers, or whether the customers were enterprise or consumer buyers. The unfortunate aspect of many of these webinar polls is the limitation to ask further questions, in this instance I would have liked to understand more about where the “Yes” respondents were going to get their information from to make an educated decision. I have talked about the upcoming legislation in the past and will cover it again in the coming months.
My second poll question was asked towards the end of the webinar, but I have included it here because it relates to my talk and the first poll question. I was interested in the views of attendees about their belief as to how likely they thought manufacturers would be able to meet the upcoming requirements.
The reason I was particularly interested in this is that the requirements of the legislation are considered to be the easiest of the 13 requirements which form the Code of Practice. Since they are considered to be the very basic that consumers should be able to expect, if manufacturers find these hard, it is unlikely that they will be able to comply with the other 10, if and when they are made mandatory in the future.
How likely do you think manufacturers are to be able to meet the requirements for non-consumer devices when the Legislation comes into effect?
| Response options: | Result |
| Very likely | 6.70% |
| Likely | 40.00% |
| Possible | 33.30% |
| Unlikely | 13.30% |
| Very Unlikely | 6.70% |
The results were not surprising, with very low numbers at each extreme and high numbers in the middle options. My conversations with people in the field reflect the similar 20% who believe that manufacturers are unlikely or very unlikely to be able to meet the requirements. The reason why many believe this is not because these requirements are necessarily difficult, but more that they believe that the cheaper manufacturers will ignore the rules and continue to sell their sub-standard products on online marketplaces.
The reality of how large the number will be is anyone’s guess, but the interesting response I have heard from westerners working in China is that the security standards for IoT devices that the Chinese are working towards are actually much higher than those in the West. This is interesting because my view on the upcoming legislation has been that the UK and EU will both become less likely to be ‘dumping grounds’ for sub-standards products. This is still one of my hopes for the upcoming legislation.
The next speaker was James Willison, who has a long-standing background and experience in working in cyber/physical teams, and his poll question was related to monitoring cyber-physical attacks in real-time.
Does your organisation monitor cyber-physical/IoT attacks in real time?
| Response options: | Result |
| Yes – using advanced technologies in one department | 30.20% |
| Yes – using advanced technologies in different departments | 9.30% |
| No | 27.90% |
| Unsure | 32.60% |
The “Yes” response of 39.5% and the rest of 60.5% was not much of a surprise, but what is worth noting is perhaps the categoric “No” response of nearly 28% and the unsure of over 32%. Both illustrate a combination of physical teams not working with cyber teams and a lack of knowledge of what actually happens about the cyber monitoring side of physical security.
My difficulty with the first two “Yes” response numbers is that they can be both seen as positive and negative depending on how you wish to interpret them. The first “Yes” response could be interpreted either as the one department (information security team) who are monitoring without reference to the physical teal, or that it is a single converged security team doing the monitoring. The second “Yes” response may be interpreted as a good thing that monitoring takes place in more than one department, or simply as the left hand doesn’t know what the right hand is doing.
Last up was Nick Morgan, whose job involves understanding the cyber-physical threats to building systems, and his poll question attempted to understand the level of real-time cyber-physical monitoring in businesses. Both James Willison and I are working with Nick on this matter in the IoT Security Foundation Smart Building Group, and thought the responses to be very telling of the level of collaboration between the cyber physical teams.
How mature would you consider the level of collaboration is currently for managing cyber security risk between IT (networks & infrastructure) and ICS (BMS, CCTV & Access control) within your organisation?
| Response options: | Result |
| No collaboration at all (treated as completely separate entities) | 20.00% |
| Some level of collaboration between a building owner’s IT/Info sec teams, ICS suppliers and facilities management teams | 60.00% |
| Well converged (IT/Info Sec teams, ICS suppliers and facilities management teams regularly collaborate on cyber security risk management) | 20.00% |
These numbers are numbers that both James and I are familiar with, where there is always some level of convergence and collaboration, but very few organisations where either there is none or where they are fully converged. Part of the reason why many respondents may indicate some level of collaboration is because they are aware that their technologies run on the network, which is considered (regardless of the reality) as being owned by the cyber team. In most organisations the network ownership may sit with IT, but the security rules for the network will be with the cyber security team. Therefore, if we were to remove the network component, there would possibly be more respondents who may have selected the No collaboration option.
The case for converged teams is not just about savings (although there are great savings to be gained), but about having a single view of enterprise risk with an appropriate set of cyber-physical responses.
Again, all these multiple interpretations point to the difficulty of webinar polls, where the audience can be very diverse.
I found the webinar highly informative, fun and a great learning experience. The polls we had were very interesting to create, use and observe the responses to, but as in all polls they had several limitations. The questions are often interpreted by what has preceded the poll.
Going forward, James, Nick and I may consider a wider survey research project on these issues. If you have any thoughts about this topic, please do get in touch with us.
Watch the full webinar on The Challenges of Secure IoT
