I believe the issue, is not that we understand what should happen in the case of IoT. It comes down to the bare facts that it is far cheaper for a manufacturer on mass apply firmware attributes in the production line i.e. web interface with default settings, digital certificates - self signed, or with default settings; default passwords, defaults protocols including many protocols which specific to IoT devices and still being defined and many have never been through the engineering specifications or any standards scrutiny at all.
As stated previously look how cheap an ARM chip is these days per unit - and then look at their specifications i.e. two 1 Gigabit interfaces on board ready to go - sufficient to cause a DoS within a device or organisation etc.
Although the issue has been known back in 2012, with NIST producing bare bones standards this was plainly ignored and only now in 2018/2019 is the implications being felt with standards being endorsed for Medical devices via the USA and UK, but this has previously never been enforced - it was simply allowed to run away.
There are many instances as @rslade has indicated including the famous London Council who introduced Wi-Fi enabled dustbins, which had the capability to track and locate any one with a mobile phone, until it was found out that the council were making money via advertising by selling the collected information - a breach of privacy etc. We are producing Smart Buildings, which uses IoT devices - which have operational cost savings in terms of monitoring and when to call out the Service Engineer (JIT) etc.
What we are concerned with the rate that technology is being introduced, without the full implications being realised as to whether we should be applying controls at manufacturing time etc. We are running into situations, whereby it seemed to be a good idea, until someone realises the implications normally far too late or it is too costly to apply etc.
With the convergence of Privacy by Design and Security by Design being thrown at us, with GDPR and other Privacy issues - we simply carry on doing the same old thing again and again, without understanding the implications and the associated risks balanced against the benefits.
Who gains? We must apply good security design by default to each and every situation - which probably marks us as the the bad guys in terms of an organisation, as they want to make clients happy, meet their every customized needs, and keep them on board. However, we cannot stop or slow down progress, we have to be part of it and be the voice of sanity, ready to deal with some very interesting challenges, clearing up the mess when the full implications are realised and by then it may be too far gone.
Increased legislation and the implications of privacy breaches along with a whole host of API's in 2019, will come be top of mind to us. However, most organisations will be monitoring the wider economic down turn carefully, and looking for increased innovative means of using overcoming these issues, whilst keeping the share holders happy. As the old adage goes, if it costs 500K in what ever currency to put in resilience and safe controls vs 30 million cleaning up, I know which one I would prefer.
But once again the human condition, we must feel the pain, before something is done about - often too late.
Regards
Caute_cautim
