IoT: Security Guidelines Emerge

There are two sides to the coin: security and data privacy, both of which have the potential to undermine confidence in the entire IoT concept.

With regards to security, there is a whole host of situations where an IoT device or system could be compromised. Think of last year’s hacks of a Jeep on a motorway or a power station in Ukraine. Thankfully, no lives were lost in either, but it is no stretch to imagine the havoc that could be unleashed.

On the issue of data privacy, few connected devices will have a user interface through which an operator or vendor can inform the user about the terms and conditions of use, where their personal data may be stored and how it may be used, and thereby gain the user’s acceptance of those terms.

Combine the two: a connected dustbin could tell a hacker if the homeowner is away, potentially providing valuable information for thieves. Even if a device is not communicating, its silence could indicate that the resident is out or away. A developer may not have considered that a privacy issue, but the potential ramifications are obvious.

How is this minefield to be regulated? On the data privacy side, many countries and blocs are busy updating existing regulations. The security side, however, is less structured and more siloed. The GSMA published a new set of IoT Security Guidelines in February aimed at IoT service providers, device manufacturers and developers. Other industries, including the cloud, energy and automotive sectors, are also working on guidelines. The guidelines may be similar, but what is needed is deep cross-industry collaboration, and it is highly unlikely that globally enforceable legislation can be agreed upon.

The key challenge is bringing together the entire supply chain to produce a secure end-to-end implementation for every single device that can connect, or will be connected, to the internet.

The GSMA’s guidelines are based on the concept of multi-layer security. They advise that an initial security layer is implemented end-to-end at the application layer, from the endpoint (device) to the service platform, with that traffic encrypted. A second layer is then implemented in which the different systems are monitored and password controls are added, ensuring that the credentials for that layer have been securely provisioned.
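To make the two layers concrete, here is an added example (not code from the GSMA guidelines or from the blog) of a device-to-platform application-layer envelope. It assumes a provisioning service that derives distinct per-device keys from a master key, a device that encrypts-then-authenticates each message with a sequence number, and a platform that verifies the message, rejects replays and records failures for monitoring. The device identifier, payloads and key-derivation labels are constructed for the illustration; the HMAC-based keystream stands in for a standard AEAD such as AES-GCM so that the example runs with only the Python standard library.

```python
"""Constructed example: per-device provisioned credentials, an authenticated and
encrypted application-layer envelope from device to service platform, and
platform-side monitoring of failed or replayed messages. Standard library only."""
import hashlib
import hmac
import secrets
import struct

# Held only by the provisioning service and the platform (constructed for the demo).
MASTER_KEY = secrets.token_bytes(32)

NONCE_LEN = 16
TAG_LEN = 32   # HMAC-SHA256
SEQ_LEN = 8    # big-endian 64-bit sequence number


def provision_device(device_id: str, master_key: bytes = MASTER_KEY) -> dict:
    """Derive separate confidentiality and integrity keys for one device.
    Distinct keys per device mean one compromised device does not expose the rest."""
    dev = device_id.encode()
    enc_key = hmac.new(master_key, b"enc:" + dev, hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac:" + dev, hashlib.sha256).digest()
    return {"device_id": device_id, "enc_key": enc_key, "mac_key": mac_key}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Illustrative stand-in for an AEAD
    (AES-GCM, ChaCha20-Poly1305) so the example needs no third-party library."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(creds: dict, seq: int, payload: bytes) -> bytes:
    """Device side (layer 1): encrypt-then-MAC.
    Envelope = id_len | device_id | seq | nonce | ciphertext | tag."""
    dev = creds["device_id"].encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(creds["enc_key"], nonce, len(payload))
    ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
    header = bytes([len(dev)]) + dev + struct.pack(">Q", seq) + nonce
    tag = hmac.new(creds["mac_key"], header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Platform:
    """Service platform side (layer 2): re-derives the device's keys, verifies the
    envelope, enforces a monotonic sequence number and logs events for monitoring."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_seq = {}   # device_id -> last accepted sequence number
        self.events = []     # monitoring log, one dict per rejected message

    def receive(self, envelope: bytes):
        """Return the plaintext payload, or None if the message is rejected."""
        if len(envelope) < 1 + SEQ_LEN + NONCE_LEN + TAG_LEN:
            self.events.append({"device": None, "event": "malformed"})
            return None
        id_len = envelope[0]
        off = 1 + id_len
        if len(envelope) < off + SEQ_LEN + NONCE_LEN + TAG_LEN:
            self.events.append({"device": None, "event": "malformed"})
            return None
        device_id = envelope[1:off].decode("utf-8", errors="replace")
        seq = struct.unpack(">Q", envelope[off:off + SEQ_LEN])[0]
        nonce = envelope[off + SEQ_LEN:off + SEQ_LEN + NONCE_LEN]
        header = envelope[:off + SEQ_LEN + NONCE_LEN]
        ciphertext = envelope[len(header):-TAG_LEN]
        tag = envelope[-TAG_LEN:]

        creds = provision_device(device_id, self.master_key)
        expected = hmac.new(creds["mac_key"], header + ciphertext, hashlib.sha256).digest()
        # Constant-time compare; authenticate before touching the ciphertext.
        if not hmac.compare_digest(expected, tag):
            self.events.append({"device": device_id, "event": "auth_failure"})
            return None
        if seq <= self.last_seq.get(device_id, -1):
            self.events.append({"device": device_id, "event": "replay", "seq": seq})
            return None
        self.last_seq[device_id] = seq
        ks = _keystream(creds["enc_key"], nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo() -> dict:
    """Two good readings, one replay, one tampered envelope; returns the outcomes."""
    platform = Platform(MASTER_KEY)
    sensor = provision_device("sensor-0042")           # constructed device id
    env1 = seal(sensor, 1, b'{"temp_c": 21.5}')
    env2 = seal(sensor, 2, b'{"temp_c": 21.7}')
    first = platform.receive(env1)
    second = platform.receive(env2)
    replayed = platform.receive(env1)                  # old message sent again
    tampered = bytearray(env2)
    tampered[-(TAG_LEN + 4)] ^= 0x01                   # flip one ciphertext bit
    forged = platform.receive(bytes(tampered))
    return {"first": first, "second": second, "replayed": replayed,
            "forged": forged, "events": platform.events}


if __name__ == "__main__":
    print(demo())
```

The platform never stores per-device keys; it re-derives them from the master key on demand, which is one way to keep provisioning and verification consistent. The `events` list is the hook for the monitoring layer: a burst of `auth_failure` or `replay` entries for one device is the signal an operator would alert on.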

The technologies to achieve this exist, but there is a shortage of people with the skills to implement an end-to-end solution. There also seems to be a lack of industry-wide resolve: if IoT is truly going to become a secure reality, then security must be built into the business model and processes of every supplier and developer at every touchpoint along the chain.

We wish to thank Ian for his time and valuable insights into security in the IoT era. IoT is a key theme for Scrutinise Research and Analysis and we will be speaking with established and up-and-coming vendors in security and IoT, as well as regulators and industry and consumer associations as we put together our report “Securing the Internet of Things”. If you would like more information or would be interested in being a source, please get in touch.

This blog was written by Scrutinise Research and Analysis and originally published at scrutinise.xyz.