Recognizing the persistent need for security to protect connected devices, industry leaders are collaborating through two separate efforts on Internet of Things (IoT) standards and guidelines to help combat the emerging IoT threat landscape.
On the mobile front, a number of global operators including AT&T, China Mobile, China Telecom, China Unicom, Deutsche Telekom and Orange committed Wednesday to a common approach to IoT security through an effort coordinated by the mobile standards body GSMA.
Specifically, the operators said they would adopt and implement the GSMA IoT Security Guidelines, a set of best practices and recommendations for IoT security backed by a comprehensive security assessment scheme.
“Our guidelines encourage the industry to adopt a robust set of best practices that will help create a more secure IoT market with trusted, reliable services that can scale as the market grows,” Alex Sinclair, CTO of the GSMA said in a statement. “The mobile industry has a long history of providing secure services in licensed spectrum and by implementing these guidelines, we can help ensure the long-term sustainability and growth of the market.”
Meanwhile, a group of high-profile companies in building automation and IoT technology led by Cisco Systems, Siemens, Silicon Labs and others also are working together to create safe IoT systems, this time in the commercial-building automation vertical.
Calling themselves the Fairhair Alliance, the consortium this week released a white paper outlining a security architecture for implementing IoT security in commercial buildings. Implementing IoT solutions to replace legacy and isolated building automation systems is an emerging market, and companies want to ensure security is built in from the ground up.
“While no system is impervious to attack, the Fairhair security architecture is intended to clarify how building-automation systems can be secured to mitigate any attacks that occur,” Ruud van Bokhorst, secretary general of the Fairhair Alliance said in a blog post on the group’s web site. “This is achieved by limiting the scope of what an attacker can do, enabling attack detection, and providing mechanisms to defend against the attacks (detection, response, and remediation).”
Big holes remain in IoT security
Indeed, the immediacy of figuring out common security practices for the IoT is certainly apparent across all industries. Despite knowing about threats to IoT security–and seeing a number of first-hand examples of how mobile devices and IoT systems can be exploited–most research finds that little is being done at the moment to keep track of IoT devices across enterprises and other types of business, let alone secure them.
Knowing this, key players in industries and verticals seem to be trying to get ahead of major IoT security mishaps and ensure that new devices and implementations have standard security baked in.
On the mobile side, the GSMA IoT Security Guidelines that operators are implementing include 85 detailed recommendations for the secure design, development and deployment of IoT services and cover networks as well as service and endpoint ecosystems. The guidelines address security challenges, attack models and risk assessments as well as provide concrete examples that have already been tested to provide secure IoT frameworks.
The GSMA IoT Security Assessment supports the guidelines, providing a checklist to support the secure launch of IoT solutions into the market and maintain their security to create a sustainable IoT ecosystem. Both the GSMA IoT Security Guidelines and IoT Security Assessment also cover the fast-growing Low Power Wide Area and mobile IoT technologies, LTE-M and NB-IoT.
A good start, but what next?
The Fairhair Alliance also outlined its plan for IoT security with a different target–the automation of commercial buildings. The security model the alliance presented in its white paper is aimed at taking a layered approach based on network segmentation, federated security zones and application-level authorization that can be applied to multiple networking technologies, including Ethernet, Wi-Fi and Thread (IEEE 802.15.4-based) networks, the group said in a press release.
Rather than create its own set of standards, however, Fairhair aims to provide a security architecture that is open and compliant with existing and new specifications of the Internet Engineering Task Force (IETF) as well as support system designers as they strive to meet existing and emerging regulations and security standards for the industry vertical, the alliance said.
These new IoT collaboration and standardization efforts aren’t the first and certainly won’t be the last to try to secure the IoT. NIST, for example, earlier this year unveiled its own guidelines for IoT cybersecurity standards. At the time, the standards body suggested that industries are being slow to adopt standards that already exist to secure the IoT, and urged harmonization of efforts.
Indeed, it remains to be seen if these new standards efforts are merely lip service or if they actually will have some impact on improving the current security situation for connected devices and IoT implementations.