Who’s Responsible When Rogue IoT Device Brings Down Network?

[ See IoTWiki FreshThinking ]

UL says integrators and manufacturers share liability when IoT systems are hacked. Here’s how to implement cybersecurity guidelines and best practices.

Lakomiak says the issue of accountability for cyber-hacking incidents is unclear right now.

“Liability is a continuum,” he says. “Who’s negligent? Who’s liable for certain incidents? We will certainly see more individuals held accountable for not addressing cybersecurity. Liability will certainly start at the manufacturer in the sense of what are they doing from a software development standpoint to make sure the products they’re selling to the marketplace are hardened, and they’ve taken into consideration design security as part of their product development.”

Neil Lakomiak, director of business development and innovation at UL, says the recent FCC call for manufacturers to include cybersecurity in the initial design of all products is a signal the private sector has a limited window of opportunity to act.

He continues, “There’s also accountability on the part of an integrator that is taking multiple connected products and then providing a solution to their customers.  The end user, of course, has a responsibility to make sure they’re updating passwords, not accepting files or emails that might have suspicious-looking information in them, or making sure that they’re not plugging USB thumb drives into their system that they found in a desk drawer somewhere. All of those could lead to vulnerabilities. That’s why I say it’s a shared responsibility.”

He thinks manufacturers could be the first to fall if they’re sloppy on cybersecurity, but their liability wouldn’t excuse an installer who fails to follow best practices.

Integrators will face tough choices when balancing system-wide performance with cybersecurity concerns: Every device added to a home system brings a new vulnerability with it.

“It’s like medication, right? There are always side effects to medication,” Lakomiak says. Do those side effects pale in comparison to the benefits that you receive from the medication? I think you have a similar scenario here in you can’t eliminate the risk. There’s no system with zero cyber-security risk, but you can do lots of things to help mitigate it and handle it,” he says.