There isn’t a day that goes by now without another Internet of Things (IoT) security story. The details are lurid, the attacks look new and the tech is well, woeful. You would be forgiven for thinking that nobody is doing anything about security and that nothing can be done, it’s all broken.
What doesn’t usually reach the press is what has been happening in the background from a defensive security perspective. Some industries have been doing security increasingly well for a long time. The mobile industry has been under constant attack since the late 1990s. As mobile technology and its uses have advanced, so has the necessity of security invention and innovation. Some really useful techniques and methods have been developed which could and should be transferred into the IoT world to help defend against known and future attacks. My own company is running an Introduction to IoT Security training course for those of you who are interested. There is of course a lot of crossover between mobile and the rest of IoT. Much of the world’s IoT communications will transit mobile networks and many mobile applications and devices will interact with IoT networks, end-point devices and hubs. The devices themselves often have chips designed by the same companies and software which is often very similar.
The Internet of Things is developing at an incredible rate and there are many competing proprietary standards in different elements of systems and in different industries. It is extremely unlikely there is going to be one winner or one unified standard – and why should there be? It is perfectly possible for connected devices to communicate using the network and equipment that is right for that solution. It is true that as the market settles down some solutions will fall by the wayside and others will consolidate, but we’re really not at that stage yet and won’t be for some time. Quite honestly, many industries are still trying to work out what is actually meant by the Internet of Things and whether it is going to be beneficial to them or not.
What does good look like?
What we do know is what we don’t want. We have many lessons from near computing history that we ignore and neglect security at our peril. The combined efforts and experiences of technology companies that spend time defending their product security, as well as those of the security research community, so often painted as the bad guys; “the hackers” have also significantly informed what good looks like. It is down to implementers to actually listen to this advice and make sure they follow it.
We know that opening the door to reports about vulnerabilities in technology products leads to fixes which bring about overall industry improvements in security. Respect on both sides has been gained through the use of Coordinated Vulnerability Disclosure (CVD) schemes by companies and now even across whole industries.
We know that regular software updates, whilst a pain to establish and maintain are one of the best preventative and protective measures we can take against attackers, shutting the door on potential avenues for exploitation whilst closing down the window of exposure time to a point where it is worthless for an attacker to even begin the research process of creating an attack.
Industry-driven recommendations and standards on IoT security have begun to emerge in the past five years. Not only that, the various bodies are interacting with one another and acting pragmatically; where a standard exists there appears to be a willingness to endorse it and move onto areas that need fixing.
Spanning the verticals
There is a huge challenge which is particularly unique to IoT and that is the diversity of uses for the various technologies and the huge number of disparate industries they span. The car industry has its own standards bodies and has to carefully consider safety aspects, as does the healthcare industry. These industries and also the government regulatory bodies related to them all differ in their own ways. One unifying topic is security and it is now so critically important that we get it right across all industries. With every person in the world connected, the alternative of sitting back and hoping for the best is to risk the future of humanity.
Links to recommendations on IoT security
To pick some highlights – (full disclosure – I’m involved in the first two) the following bodies have created some excellent recommendations around IoT security and continue to do so:
• IoT Security Foundation Best Practice Guidelines
• GSMA IoT Security Guidelines
• Industrial Internet Consortium
The whole space is absolutely huge, but I should also mention the incredible work of the IETF (Internet Engineering Task Force) and 3GPP (the mobile standards body for 5G) to bring detailed bit-level standards to reality and ensure they are secure. Organisations like the NTIA (the US National Telecommunications and Information Administration), the DHS (US Department for Homeland Security) and AIOTI (The EU Alliance for Internet of Things Innovation) have all been doing a great job helping to drive leadership on different elements of th
I maintain a list of IoT security resources and recommendations on this post.
I’ve been running a cyber session on behalf of UKTI and BIS for the past few years. The event has been an increasing draw as a hub for security and privacy discussion at Mobile World Congress. We have an absolutely stellar line-up this year, across three days of lunchtime sessions and I’m really looking forward to MCing! If you’re around at MWC, come along to the UKTI stand in Hall 7 (7C40) at the times below.
Cyber Security in the Mobile World: MWC Lunchtime Seminar Series
In the fourth year of our MWC Cyber Security in the Mobile World event, the topic remains at the top of the headlines. 2014 saw a large number of attacks which were both news-grabbing and serious. Are things getting better or are they going to get worse?
Securing the Internet of Things
Mon 2nd March
12:00 to 12:40
Location: Hall 7, UKTI stand 7C40
The Internet of Things (IoT) has exploded in the last year. Many machine-to-machine (M2M) and IoT devices being purchased by consumers and being implemented within technology from cars to chemical plants, are we adequately prepared to handle the increased cyber risk?
• Richard Parris, Intercede: Introduction to the Cyber Growth Partnership
• Richard Parris, Intercede: The Role of SMEs in Securing IoT
• Marc Canel, Vice President of Security, ARM: Hardware security in IoT
• Svetlana Grant, GSMA: End to End IoT Security
Mobile Cyber Security for Businesses
Tues 3rd March
12:45 to 13:25
Location: Hall 7, UKTI stand 7C40
The Prime Minister recently said that 8 of 10 large businesses in Britain have had some sort of cyber attack against them. With a big increase in the number of mobile devices, how can businesses defend themselves, their data and their employees? What cyber standards are being developed and what enterprise security mechanisms are being put into the devices themselves?
4 person keynote panel, moderated by David Rogers:
• ETSI, Adrian Scrase, CTO
• Samsung, KNOX, Rick Segal, VP KNOX Group
• Good Technologies, Phil Barnett, Head of EMEA
• Adaptive Mobile, Ciaran Bradley
Innovation in Cyber Security: Secure by Default
Wed 4th March
11:40 to 12:20
Location: Hall 7, UKTI stand 7C40
Our speakers will get straight to the point by giving 3 minute lightning talks on a variety of innovations in cyber security.
1. Symantec, IoT Security, Brian Witten
2. W3C, Web Cryptography, Dominique Hazaël-Massieux
3. NCC Group, Innovative Security Assessment Techniques, Andy Davis
4. Plextek, Automotive Security, Paul Martin, CTO
5. SQR Systems, End-to-End Security for Mobile Networks, Nithin Thomas, CEO
6. CSIT, Queens University, Belfast, Philip Mills & David Crozier
7. Trustonic, Your Place or Mine? Trust in Mobile Devices, Jon Geater, CTO
8. NquiringMinds, Picosec: Secure Internet of Things, Nick Allott, CEO
9. Blackphone, Blackphone update, Phil Zimmermann
10. GSMA, The Future of Mobile Privacy, Pat Walshe