Getting serious about IoT security
One of the great challenges for the Internet of Things in 2020 will be improving the security and privacy of connected devices. To achieve this, collaboration among all the agents of the IoT ecosystem is more necessary than ever, as evidenced at the recent edition of the IOT Solutions World Congress held at Fira de Barcelona.
By Anna Solana
Shodan claims to be the first search engine for the Internet of Things (IoT) and it’s been dubbed by some as the scariest search engine in the world. Back in 2013, its creator, John Matherly, a bioinformatician from Austin (Texas, USA), warned that there were about 500 million connected devices with the password set to ‘1234’ or ‘admin’.
Among them were (and, oddly enough, still are) security cameras, thermostats, garage doors and glucose meters (for diabetics), but also gas station pump controllers, automatic license plate readers, traffic light controllers, maritime satellites and electric vehicle chargers. And, indeed, it’s pretty scary.
Security and privacy are still the weak points of the story when talking about the Internet of Things. The more devices become ubiquitous within organisations, the higher the risk, as a single point of failure opens the door to multiple attacks. And this is a key issue IT professionals will have to keep on tackling in 2020. In fact, some predict the rise of alternative solutions, like Blockchain-based SigmaDots, to block most of the methods that hackers are using to attack IoT networks.
Concrete deliverables
All in all, getting serious about IoT security is now crucial for any business and the IOTSWC19 gave a good account of it. The sector faces the same security challenges as any other IT area, said Kevin Gillick, Executive Director of Global Platform, “but these challenges, and how people are addressing them, are becoming very fragmented. There are a lot of people popping up saying we’re going to solve it, but what we’re seeing is a lack of real concrete deliverables.”
To tackle this issue, Global Platform publicly launched IoTopia during IOTSWC19. IoTopia is a new collaborative industry initiative that proposes a common framework for standardising the design, certification, deployment, and management of IoT devices.
It sounds like a holistic solution, and that is what it purports to be. It develops four fundamental elements: Security by Design; Device Intent, to identify connected things and manage their behaviour; Secure Onboarding; and Device Lifecycle Management.
These four pillars are not easy to implement but collaboration is a powerful engine. “We work in partnership with other industry bodies and organisations like the Industrial Internet Consortium, GSMA, ENISA and others to deliver the best solution, and engage the entire IoT ecosystem,” Gillick added.
It’s true that there are already a lot of best practices out there related to Security by Design, admits Global Platform’s Executive Director, but IoTopia wants to take those practices, identify the gaps that exist and also take government mandates into account.
Much to be done
As for Device Intent, IoTopia looks for a consistent way to know what a device really is, whom it belongs to and what it is intended to do. Also, onboarding is a big issue “as the time to onboard many devices in a company is a great challenge”. Last but not least, lifecycle management is vital to help manufacturers, device owners, vendors and IT staff implement product end-of-life.
“People have the right to be skeptical about this initiative,” said Gillick, but for more and more devices in 2020, “it will not be enough to say that they are secure. They will have to prove it,” he concluded.
The ecosystem and the expertise are already there. AI-powered monitoring and analytics tools may also help, even if they are complex to adapt to all circumstances. However, there’s still a lot to be done, as cybercriminals keep proactively finding new attack techniques. And, unfortunately, ease of installation and use is still a selling point, while security is not.
Now, the sector has the power to change this sentiment and advance security and privacy. Almost everyone will appreciate it.