How to Understand IoT Cybersecurity and EU Regulations? Part 2: Vulnerability Disclosure.
In the last article, you read about general IoT cybersecurity product requirements. We highlighted the importance of avoiding default passwords and of providing regular software updates.
Today we will delve into the vulnerability disclosure policy, another part of the IoT cybersecurity requirements.
The number of attacks continues to increase.
In 2022, there were almost 112 million IoT cyberattacks globally. This number has climbed substantially in the last few years: about 32 million cases were recorded in 2018. Measured year over year, malware occurrences increased by 87% in 2022 [1].
Another report [2] found that:
“89% of respondents’ organisations that operate and use IoT and connected products have been hit by cyber-attacks at an average cost of $250K. In the past three years, 69% of organisations have seen an increase in cyber-attacks on their IoT devices.”
How to minimize the number of successful cyberattacks?
Several things must happen to minimize successful cyberattacks. One is a transparent environment that encourages people to report vulnerabilities and invites external researchers to report weak points. Those researchers are a valuable resource for your company, and you must take care of them. Otherwise, they may feel they are not being taken seriously and may exploit what they have found: going public or demanding a ransom, to name just two risks.
Vulnerabilities are not discovered only by the development team. Independent researchers, ethical hackers, or ordinary users of your product can discover them too.
You should allow them to report what they have found and keep them informed about the status of the issue until it is resolved. You can achieve that by implementing a Vulnerability Disclosure Policy.
By not doing that, you put your customers at risk and gamble with their data. You also risk your company's reputation and money.
Establishing a vulnerability disclosure policy will be a part of implementing EU Cybersecurity regulations.
What is a Vulnerability Disclosure Policy?
Let’s expand on what we just introduced and define a Vulnerability Disclosure Policy.
It is the proactive process of identifying, reporting, and addressing security weaknesses. It consists of three parts.
Why Does It Matter for IoT Devices?
IoT, Smart Home, and Wearable devices will have vulnerabilities that can serve as gateways for cyber threats. Recognizing and disclosing these vulnerabilities is not just a best practice; it is a fundamental strategy for strengthening the cybersecurity armour of IoT devices, and it ensures your product stands resilient against potential attacks.
Of course, you don't disclose a vulnerability right away. Time for patching and verification is mandatory. You also want to take the business perspective into account; we will discuss it later in the IoT Cybersecurity series.
The Role of Transparency in IoT Cybersecurity.
You shouldn't think of it as a mere compliance or legal requirement. Think of it as an opportunity to catch and correct weaknesses in your product, and to do so before someone else does it for you, which won't make you happy.
Transparency is a foundation of the cybersecurity world. It will encourage reporters and increase trust among your customers.
Legal Landscape in the EU.
Although ETSI EN 303 645 [3] still needs to be harmonised with the RED (Radio Equipment Directive), it is an excellent starting point. According to ETSI, manufacturers should make their disclosure policies publicly available.
At a bare minimum, the policy should contain three components:
Another big inspiration for the IoT industry can be taken from large software companies.
They use ISO/IEC 29147 [4] for managing Coordinated Vulnerability Disclosure (CVD). The ISO standard has proven its worth in the IT world. CVD is a set of processes for handling reports of potential security vulnerabilities and supporting the remediation of those vulnerabilities.
Best Practices for Vulnerability Disclosure.
Creating an effective vulnerability disclosure program goes beyond having a policy. It entails fostering an environment that encourages ethical hacking and responsible reporting.
However, care must be taken, as outside individuals don't always understand business needs.
Another consideration relates to "Bug Bounty" programs. Before considering a rewards system, you need to carefully evaluate a few factors, just to name a few:
A higher workload for your team, as a reward encourages frequent reporting;
Bugs put into the code on purpose, only to be "discovered" later by their author;
A reporter who is not happy with the value of the reward.
But besides the potential negative impact, encouraging responsible reporting has undoubted pros. IoT companies fortify their security measures and demonstrate a commitment to collaboration and transparency. This approach not only safeguards the integrity of IoT devices but also contributes to the overall resilience of the cybersecurity ecosystem.
In summary.
A vulnerability disclosure policy will be required very soon for IoT companies.
You must prepare and test the policy before you publish it.
Develop and test your processes.
Beware of the risks associated with a "Bug Bounty" program.
Further reading.
[3] ETSI EN 303 645 V2.1.1 (2020-06) Cyber Security for Consumer Internet of Things: Baseline Requirements
[4] ISO/IEC 29147:2018, Information technology - Security techniques - Vulnerability disclosure
➡️ PS: Send me a friend request if you don’t want to miss the next article.