PPB February 2018

identified in a hacking contest staged at the August 2016 Def Con Conference in Las Vegas. Def Con is the longest-running computer security conference in the world, attracting more than 20,000 hackers and IT professionals annually. A month later, Def Con announced that 47 new vulnerabilities affecting 23 devices from 21 manufacturers were identified at the conference, allowing hackers to open locks, reprogram thermostats, freeze water pipes and take control of a wheelchair, among others. Fred Bret-Mounet, a researcher who found some of the issues, stated, “I can shut down the equivalent of a small to mid-sized power generation facility, or I can use that device as a trojan within a target’s network to spy on them.”

The vulnerabilities identified at Def Con have been attributed to a variety of predictable causes: poor design decisions, coding flaws, hard-coded passwords, back doors, inadequate testing, rush to market, lack of standards and regulations and the lack of cybersecurity expertise.

These vulnerabilities are already showing up in the marketplace. In January 2016, the Department of Consumer Affairs issued a warning about baby monitors that provide easy access for predators to watch or even speak to unsuspecting children, and the department announced that it had filed subpoenas against several major manufacturers of video monitors, all of whom market their devices as secure.

The risk of these types of vulnerabilities appearing in IoPT devices could be significant since our industry has little experience with cybersecurity and many of the factories that develop promotional products are small, with limited resources and with fast-track development cycles that sometimes skimp on performance testing. Low cost and speed to market are often their defining objectives.
At the Tokyo International Consumer Product Health and Safety Organization (ICPHSO) conference, one of the expert panels focused on solutions—ways that IoT devices could be made more secure—and whether existing cybersecurity standards from organizations like the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC) and Underwriters Laboratories (UL) are robust enough for IoT. Stephen Brown, director of innovation at the global test lab CSA Group, argued that existing cybersecurity standards are adequate if products are tested at qualified labs and subjected to comprehensive testing at each stage of their development. But the testing protocol Brown advocated was extensive and may only be affordable for mega corporations.

David Kosnoff, VP of quality assurance for Hasbro, approached the problem from the manufacturer’s perspective and spoke about the need for cybersecurity training of everyone involved in the design and development of IoT products. He also advocated enhancing Failure Modes Effects Analysis (FMEA) to include cybersecurity. FMEA is a standard quality assurance tool that manufacturers use to identify all the ways a product might fail as a critical step in eliminating defects in the product development stage.

IoT Product/Service Certification Options

Standard          | Scope                                                                         | International Certification
ISO 27000 Series  | Information Security Management System including SDLC and incident management | Y
IEC 62443 Series  | Cyber Security Management System including product security and SDLC          | Y
NIST 800-53       | Cyber Security Management System (*U.S. Only)                                 | N
UL 2900           | Product testing and evaluation                                                | N
Source: CSA Group

Many questions our industry will have to deal with as new IoPT products hit the market are yet to be answered. Without even considering privacy issues, the cybersecurity questions are extensive.
