It’s quite incredible to think that it has been a full year since the IoT Security Foundation (IoTSF) was founded. At the launch event, Stan Boland (now CEO, FiveAI) outlined the journey to that point and Sir Hossein Yassaie (former CEO of Imagination Technologies), announced to a packed room at London’s Digital Catapult, that “IoTSF” was open for business. Security is a top 3 challenge for IoT and we immediately began taking the first steps to coordinate an eco-system wide response to the growing threat of insecurity.
Just one year on, IoTSF has amassed over 70 international members, large and small and they are actively working on projects to address security issues. With an overarching mission to improve the quality and drive the pervasiveness of security in IoT, our priority work has been guided by the bigger picture, because the challenges are far more than technical.
Beyond technical: the big picture of IoT security
When we launched it was not difficult to identify problems with IoT security, yet comprehensive answers that addressed the bigger picture were elusive. It is still commonplace to find headlines such as, ‘Our insecure internet of Things is becoming terrifying’ and ‘Hacking traffic lights with a laptop is easy’. While the headlines are often sensationalised, they illustrate that not all companies are created equal when it comes to a connected world. Too many have shown little regard for their customers, or for the wider, connected eco-system, and corners are being cut in quick pursuit of profit. In security parlance, the scale and scope of IoT represents a very large attack surface and, taking even the most conservative of market forecasts, it is clear the threat is expanding.
As the industry transforms, there is a real need to consider what it takes to operate in the IoT domain, and this includes a cultural and organisational dimension. It is widely recognised that disciplines are converging with the emergence of IoT – most notably the realms of IT, OT and embedded products. Each has a traditional reporting structure, culture and primary objective quite distinct from the others. To illustrate this, ‘responsible disclosure’ is a term widely recognised amongst IT professionals, yet it has little currency amongst OT and product engineering departments. For many traditional product companies (domestic appliances, cars, cameras, traffic controls etc.), after-sales maintenance has typically been the preserve of a department separated from the development team where product creation happens. For connected products or services, organisations are increasingly recognising a new context as the common understanding ‘that what is secure today will be insecure tomorrow’ rings true. There is a need to establish new mechanisms that can handle vulnerability reporting and take care of bug fixes in the field – oftentimes in rapid succession. Even patching is not as (relatively) straightforward as in the PC or mobile domains – for a stereotypical high-volume, resource-constrained device which runs on batteries, doing regular updates is not necessarily a viable option, as it can significantly reduce operating life and open up yet another attack vector. These few examples illustrate just how businesses will need to reimagine their internal workings to support a connected service/product business.
Beyond organisational boundaries
It does not stop at the organisational borders either. If we assume that a company has got its technical design/mechanisms attended to, has reorganised and put business processes in place to manage the new operating lifecycle of products, what if the system that the product is part of has vulnerability exposure elsewhere via an unknown vendor or network provider? You’ve taken care of your own part yet others may not have upheld their duty and now pose a pivot attack threat to you and your customer base. This exposes another layer; not only do you have to bake in security to all that you do, you also need to depend on others to do the same to preserve integrity overall. In the era of IoT, we need to consider how we encourage a trustworthy supply chain that has a duty of care towards the customer and the connected eco-system.
And let’s not ignore the issue of cost either as it’s very much part of the overall challenge. Who will eventually pay? It’s clear that we need to lower the price points and the overheads necessary to achieve minimum levels of security as a priority. Security has to become consumable for the masses.
The democratisation of IoT is attracting many new players and forcing change on incumbents; many of them will be ignorant of such matters and blind to the consequences. The knowledge, understanding and best practices need to be better distributed.
IoTSF’s objective is to catalyse change – by working collaboratively we can deliver accessible, actionable and low cost (i.e. free) best practices to industry and provide catalytic leadership. We must start at the beginning – raise the bar where many of the contemporary issues are, and move forwards from there.
Before the end of the year IoTSF will publish a number of best practice guidelines. Our aim is to have them publicly available by the time of our second annual conference on 6 December. Our conference is being held at the IET in London and will build on the success of the Bletchley IoT Security Summit and our inaugural conference at the Royal Society last year. The theme for the conference is, naturally: Building an Internet of Trust.
We’ve been busy creating the home of IoT security in our first year – it has been progressive and productive. As any startup knows, you have to get organised and mobilise. We have much more planned for 2017 now that we are firmly up and running, most notably addressing sectors beyond the connected consumer.
For those of you who are members – thank you for helping to make the world a safer place and enabling IoT. For those with a professional interest in IoT security, we invite you to engage with us in some way – by attending our conference, volunteering as a best practice reviewer or encouraging your organisation to become a member. And to all, we hope that you’ll do your part – whether you’re a provider, buyer or consumer – by helping us to promote the concept of a ‘Supply Chain of Trust’ and passing on a ‘Duty of Care’ to the connected world – make it safe to connect.
@JohnWMoor / @IoT_SF
IoT Security Foundation