One year on…
On September 23, 2015 the IoT Security Foundation (IoTSF) was launched at the Digital Catapult in London. Sir Hossein Yassaie, former CEO of Imagination Technologies, announced to a packed room overlooking St Pancras International that IoTSF was open for business. These were the first steps to coordinating an eco-system wide response to the growing threats of insecurity. Security is one of the top three issues facing IoT; without addressing it, the many anticipated benefits of adopting IoT will face headwinds.
Just one year on, IoTSF has amassed over 70 international members, large and small. Those members are actively working on projects to address insecurity issues. Our overarching mission is to simultaneously improve quality and drive the pervasiveness of IoT security so it is safe to connect. Our priorities within that mission have been guided by a bigger picture, because the challenges are far more than just technical.
Beyond technical: the big picture of IoT security
Prior to the launch of IoTSF, we journeyed across the landscape to better understand the status and context of security. It was not difficult to find problems, but comprehensive answers that addressed the bigger picture were simply not present. It is still commonplace to find headlines such as ‘Our insecure Internet of Things is becoming terrifying’ and ‘Hacking traffic lights with a laptop is easy’. While the headlines are often sensationalised, they illustrate that not all companies are created equal when it comes to a connected world. Too many have shown little regard for their customers or the wider, connected eco-system, and where security is concerned, corners are being cut in quick pursuit of profit. In security parlance, the scale and scope of IoT represents a very large attack surface and, taking even the most conservative of market forecasts, it is clear it is expanding.
Today, a number of the readily identified vulnerabilities demonstrate a failure to provide even the most basic of security measures. While many issues are related to technology, the security challenge is even bigger.
As the industry transforms, there is a real need to consider what it takes to operate as an IoT vendor and this includes a cultural and organisational consideration. It is widely recognised that disciplines are converging with the emergence of IoT – most notably the realms of IT, OT and embedded products. Each has a traditional reporting structure, culture and primary objective quite distinct from each other. To illustrate this, ‘responsible disclosure’ is a term widely recognised amongst IT professionals yet it has little currency amongst OT and product engineering departments. For many traditional product companies (domestic appliances, cars, cameras, traffic controls etc.), after-sales maintenance has typically been the preserve of a department quite separate from the development team where product creation starts. For connected products or services, organisations are increasingly recognising a new context and the need to operate quite differently as the common understanding ‘that what is secure today will be insecure tomorrow’ rings true.
Hence there is a need to establish new mechanisms that can handle vulnerability reporting and take care of bug fixes in the field – oftentimes in rapid succession. Yet even patching is not as (relatively) straightforward as in the PC or mobile domains – for a stereotypical high-volume, resource-constrained device which runs on batteries, doing regular updates is not necessarily a viable option, as it can significantly reduce operating life and open up yet another attack vector. These few examples illustrate just how businesses will need to redesign their internal workings to service a connected service/product business.
Beyond organisational boundaries
It does not stop at the organisational borders either. If we assume that a company has got its technical design/mechanisms attended to, has reorganised and put business processes in place to manage the new operating lifecycle of products, what if the system that the product is part of has vulnerability exposure elsewhere via an unknown vendor or network provider? You’ve taken care of your own part yet others may have not upheld their duty and now pose a pivot attack threat to you and your customer base. This exposes another layer; not only do you have to bake in security to all that you do, you also need to depend on others to do the same to preserve integrity overall. In the era of IoT, we need to consider how we encourage a trustworthy supply chain that has a duty of care with the connected eco-system (especially direct customers).
And let’s not ignore the issue of cost either as it’s very much part of the overall challenge. Who will eventually pay? It’s clear that we need to lower the price points and the overheads necessary to achieve minimum levels of security as a priority. Security has to become consumable for the masses.
The democratisation of IoT is attracting many new players and forcing change on incumbents; many of them will be ignorant of such matters and blind to the consequences. The knowledge, understanding and best practices need to be better distributed.
IoTSF’s objective is to catalyse change: by working collaboratively we can deliver accessible, actionable and low cost (i.e. free) best practices to industry and provide catalytic leadership. We must start at the beginning – raise the bar from the lower echelons, where many of the contemporary issues are, and move forwards from there.
Within the big picture context, IoTSF set forth on its quest with the creation of five priority working groups:
- Self-Certification Framework – a structured approach to implementing security measures. This aims to be easy to adopt, have minimal cost/overhead and be applicable to any organisation in the IoT supply chain.
- Connected Consumer Products / Smart Home – the unregulated consumer space was prioritised for guidance due to the acuteness and volume of reported issues.
- Vulnerability Disclosure – a guide and template documentation to help organisations set up the mechanisms to be vulnerability ready.
- The IoT Security Landscape – reference architectures which map segment implementations and inform the vulnerability areas / points of attack.
- Patching Constrained Devices – a consideration of what is required to patch resource constrained IoT devices.
Each of these outputs supports our founding values of:
- Security First Approach
- Fit For Purpose
Before the end of the year IoTSF will publish a number of best practice guidelines. Our aim is to have them publicly available by the time of our second annual conference on 6 December. Our conference is being held at the IET in London and will build on the success of the Bletchley IoT Security Summit and our inaugural conference at the Royal Society last year. The theme for the conference is, naturally: Building an Internet of Trust.
We’ve been busy in our first year. It has been progressive and productive – as any startup knows, you have to get organised and mobilise. We have much more planned for 2017 now that we are firmly up and running, most notably addressing sectors beyond the connected consumer. For those of you who are members – thank you for helping to make the world a safer place and enabling IoT. For those with a professional interest in IoT security, we invite you to engage with us in some way – by attending our conference, volunteering as a best practice reviewer or encouraging your organisation to become a member. And to all, we hope that you’ll do your part – whether you’re a provider, buyer or consumer – by helping us to promote the concept of a ‘Supply Chain of Trust and passing on a Duty of Care’ to the connected world – make it safe to connect.