Industry-Led Security Approach Key to IoT’s Commercial Future

Ian Smith, IoT Security Director, GSMA
With broadening connectivity comes, unfortunately, greater potential for breaches of security. As the IoT expands, bringing an ever-increasing array of previously standalone objects online, there are correspondingly more points of entry for hackers to target. The GSMA and its members take nothing more seriously than security; it is the prerequisite to everything else we do. Consumer and customer confidence is essential to the IoT’s ability to scale to its full potential – unless those using services and products trust that they are safe while they do so, the demand simply will not be there to drive forward investment.
Thankfully, a great deal of work is going into achieving that trust, by some of the most effective security professionals on the planet. The mobile industry has an excellent record of providing secure, reliable services, earning operators the status they now enjoy as the established and trusted providers of secure IoT services.
Building on this work – and taking it forward to meet new challenges as the IoT scales – the GSMA has developed IoT Security Guidelines, a comprehensive set of best practice recommendations which provide a proven approach to end-to-end security.  Solutions can be checked for compliance with the Guidelines by way of the IoT Security Assessment, a straightforward and flexible framework which takes into account the immense diversity of the IoT market.
This was welcomed at our seminar yesterday on IoT Security – Creating a Connected and Secure Future, a special session bringing together some of the world’s leading authorities in cybersecurity. Delegates gathered to hear discussions among those at the forefront of securing the IoT, and consider the best approach to ensuring this in future.
“Transparency on security credibility is key – it’s all very well and good saying you’re secure, but you need to prove it,” warned Francisco Jose Ramirez Vicente, IoT Security Researcher at ElevenPaths. “Furthermore, IoT is very diverse. Any assessment-based process has to fit with the diversity of the IoT, and the business models that IoT devices have to be accommodated.” The GSMA agrees entirely with this, and it has informed the design of the Guidelines and the Assessment at all stages, so that IoT companies of all shapes and sizes can be sure they are properly shielding their solutions from cyberattack and safeguarding customer data.
To make this as effective as possible, cross-industry collaboration is essential. “IoT security has to follow a standardised approach – it should share some basic features across many different sectors,” explained Dr. Apostolos Malatras, Network and Information Security Expert at ENISA.  “We don’t work on our own, we work with different sectors and companies – ultimately, we’re here to help you help us to help you. Together we can boost the basic level of cyber hygiene from where it stands at present, and indeed we must.”
Top of the agenda were hopes of building a consensus on industry-led approaches to best practice. There was agreement throughout the room that – however well-intentioned – it is unlikely civic authorities will be able to develop such frameworks as effectively as those whose working lives are spent absorbed in IoT security. “When we say certification, what we really mean is conformance,” explained Katerina Megas, NIST’s Program Manager for IoT Cybersecurity. “Requirements should be built in the standards – and we take a broad view of what a standard is – but ultimately we believe this should be industry-led, through a consensus method.” For this to work optimally, and to avoid governments feeling they need to play a greater role, it is essential that events such as yesterday’s take place. “The first challenge is around business drivers – there’s not a single place where we can get all stakeholders together,” observed Ms Megas.
While there is much work to be done, the industry is well-placed to win the trust of consumers in the years ahead. Carlos Carazo, Global CTO for IoT at Telefónica, pointed out that many of the industry’s core assets, like LTE networks and SIM cards, are highly secure by design. There is, however, no room for complacency, as was unanimously recognised by attendees. The live hack performed in the session focussed minds very well – if the industry is to reassure consumers of the safety of sensitive use cases like driverless cars, it will need to work at the top of its game over the next year. We at the GSMA are confident it will do precisely that.