IT security in the Internet of Things (IoT)
IoT security requires new solutions, both from a commercial and from a technical perspective. The first exciting approaches have been developed to make longer-term solutions commercially viable. On the legal side, on the other hand, the requirements are already at hand: it is necessary to consider both general rules and industry-specific needs, solutions and procedures.
Today, no company can do without IT; everyone has to deal with IT security accordingly. Anyone who manufactures IT products faces additional tasks. What are the concrete challenges?
IT security, especially in the environment of the Internet of Things, is essential for today's businesses.
IT security is gaining importance as a result of increasing connectivity and interconnection. Hardly any devices are really separated by "air gaps" (i.e. a complete lack of networking). Every networked device is potentially vulnerable. IoT devices (products from the field of the Internet of Things) are particularly susceptible: due to their restricted resources, they are often more difficult to secure, and because they are distributed decentrally, maintenance is more difficult. The dilemma of implementing security is even more prominent in production environments and in the field of medicine; both applications require systems to be kept stable and predictable, and hence updates to be avoided as far as possible.
Attacks are constantly on the rise; at the same time the legal challenges are increasing, such as in the context of data protection or industry-specific requirements. That is:
No company can afford to ignore IT security anymore. Before starting concrete implementation, the concrete requirements need to be identified.
Economic perspective: Integrating IT security into the business model and financial planning is a challenge.
IT security costs money and thus poses a challenge to business models and financial planning. In most industries, IT security is more of a side task than a positive product feature of its own; it is therefore difficult to market. In this respect, the task is to reflect the costs of IT security in the calculation and to cover them in the business model. This is demanding, especially because IT security is not a static property but an ongoing process. Costs arise continuously, even after products have been placed on the market: products already sold and circulating in the market still require further maintenance, and customers generally expect manufacturers to provide solutions for security issues.
An exciting approach was presented by Microsoft about a year and a half ago: Microsoft Azure Sphere offers a license for an operating system for small devices on the Internet of Things. This software is used in combination with licensed chips. Microsoft guarantees maintenance for the components over a significant, pre-agreed period of time. The price is such that even industrial applications can be economically produced in higher quantities. However, there is a problem for use in sensitive areas such as digital health: the solution is not fail-safe in itself, i.e. it must not be used in an operationally critical manner. This project follows a predecessor at Microsoft, Project Sopris. Other similar offers are not known to me at the moment, but I'm always happy to hear about them.
In their own environment, business people have options for action in two areas:
- On the sales side, the topic can be reflected in the calculation. In addition to combined costing, a subscription model is particularly suitable: in addition to purchasing the product, the customer can be offered a contract with regular payments that entitle him to updates. This is essentially the same as the broadly used practice of software maintenance; hence, it can be considered a standard approach, even if the implementation in detail can be quite complex.
- On the cost side, it is possible to try to split at least part of the costs amongst different parties. This can be achieved by establishing a consortium with other companies. Thus, a cost reduction can be achieved with the same or higher quality; after all, a significant part of the development can be used in several products, for example the basic routine that checks the suitability and integrity of an update.
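As an added illustration of the "basic routine" just mentioned (this is example code written for this page, not code from the article or from any vendor named in it), the following checks an update on the device side for authenticity, suitability for the hardware, version monotonicity and image integrity. The manifest format, the key name `VERIFY_KEY` and the model name are assumptions. An HMAC-SHA256 tag stands in for a public-key signature purely so the example runs on the Python standard library; a fielded product would use an asymmetric signature so that the device holds no secret capable of authorising updates.

```python
"""Added example (not from the article): a minimal update-acceptance routine
for a constrained device, of the kind the text calls a shared 'basic
routine' checking suitability and integrity of an update.

Assumptions: the update ships as an image plus a small JSON manifest, and the
manifest carries an HMAC-SHA256 tag computed with a key known to the device.
HMAC is a stand-in for a public-key signature (see the lead-in).
"""
import hashlib
import hmac
import json

# Hypothetical per-product verification key, provisioned at manufacture.
VERIFY_KEY = b"example-key-provisioned-at-manufacture"


def _manifest_tag(manifest_without_tag: dict) -> bytes:
    # Canonical serialisation so signer and device agree byte for byte.
    canonical = json.dumps(
        manifest_without_tag, sort_keys=True, separators=(",", ":")
    ).encode()
    return hmac.new(VERIFY_KEY, canonical, hashlib.sha256).digest()


def sign_manifest(manifest: dict) -> dict:
    """Producer side: attach the authentication tag (hex) to a manifest."""
    signed = dict(manifest)
    signed["tag"] = _manifest_tag(manifest).hex()
    return signed


def check_update(signed_manifest: dict, image: bytes,
                 device_model: str, installed_version: int):
    """Device side: return (accepted, reason). Any failed check refuses the update."""
    manifest = dict(signed_manifest)
    tag_hex = manifest.pop("tag", None)
    if tag_hex is None:
        return False, "manifest carries no authentication tag"
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return False, "manifest tag is not valid hex"
    # 1. Authenticity of the manifest itself (constant-time comparison).
    if not hmac.compare_digest(tag, _manifest_tag(manifest)):
        return False, "manifest tag does not verify"
    # 2. Suitability: is this update meant for this hardware?
    if manifest.get("model") != device_model:
        return False, "update targets model %r, device is %r" % (
            manifest.get("model"), device_model)
    # 3. Anti-rollback: never install an older or equal version.
    if manifest.get("version", -1) <= installed_version:
        return False, "version %s is not newer than installed %s" % (
            manifest.get("version"), installed_version)
    # 4. Integrity: the image must match the hash named by the authenticated manifest.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image hash mismatch"
    return True, "update accepted"


# Constructed sample update for demonstration; not real firmware.
SAMPLE_IMAGE = b"\x00firmware-image-bytes-constructed-for-the-example\xff"
SAMPLE_MANIFEST = sign_manifest({
    "model": "sensor-node-a",
    "version": 7,
    "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
})

if __name__ == "__main__":
    print(check_update(SAMPLE_MANIFEST, SAMPLE_IMAGE, "sensor-node-a", 6))
    print(check_update(SAMPLE_MANIFEST, SAMPLE_IMAGE + b"\x00", "sensor-node-a", 6))
    print(check_update(SAMPLE_MANIFEST, SAMPLE_IMAGE, "sensor-node-a", 7))
```

The order of the checks is deliberate: the manifest is authenticated first, so that the model, version and hash fields are trusted before they are acted upon, and the version comparison prevents an attacker from replaying an older, genuinely signed but vulnerable image. Everything the device relies on is reusable across products, which is the cost-sharing point the paragraph above makes.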
The legal issues of IT security in the environment of the Internet of Things are complex, yet manageable.
Legally, two questions arise: how long is the manufacturer of a product responsible for IT security, and in what form? For example, is it sufficient to build a product according to the state of the art applicable at the time of placing it on the market, or must it still be secure later, even if this includes requirements that were originally unforeseeable?
Organisational obligations (which are the responsibility of the management/board of directors) can give rise to requirements, e.g. from the fields of product safety, contractual obligations and public requirements such as data protection laws. What is concretely necessary varies depending on the area of application. In many industries and applications, manufacturers are not subject to fixed requirements. At the same time, they meet market expectations: customers ask them to act. This is not least because, depending on the area of application, users have to comply with specific requirements, such as the protection of personal data. As a provider, offering solutions is often in the best business interest: after all, it is important to protect your reputation and trade secrets.
Certain industries are generally subject to certain specifications; in Germany these are grouped under the term KRITIS (referring to "critical infrastructure"). As the compliance rules for the industry set the specific level of protection, using IoT solutions will not lead to differing rules; however, the requirements may be more challenging to fulfil.
In short: the requirements are the same as for classical IT products, but in practice they are more difficult to implement, both on the technical side and on the commercial side: the mostly lower product costs considerably reduce the financial room for manoeuvre. This is good and bad news at the same time. We hope that further innovative solutions will come onto the market.
I, Baltasar Cevc, offer strategic legal advice, in particular on the specifics of business models, cooperation with competitors, regulations for bringing to market, contracts as well as data protection and IT law. My colleague Hubert Andres complements me with industry experience from the life sciences and contractual and commercial law if required.
Further reading: An interesting scientific article describing the tension between IT security and business based on concrete examples taken from the ZigBee standard is: Exploring Security Economics in IoT Standardization Efforts by Philipp Morgner and Zinaida Benenson (note added on 24.10.2019).
Disclaimer: The article does not constitute legal advice. It gives a rough overview from a German law perspective. Situations in other jurisdictions may differ.
Photo credits: Louis Reed (electronics on a green mat) and Marília Castelli (educational robot vehicle), both retrieved from Unsplash.