Act now on IoT security, says Beecham Research

Industry must act now on security for the internet of things before its too late, says Beecham Research

Industry must act now on security for the internet of things (IoT) before it is too late, say the authors of a Beecham Research report.

“IoT security failures have the potential to impact every level of society needs, including food supplies and heating,” said Jon Howes, technology director at Beecham and co-author of the report.

“Devices must be securely managed over their entire lifecycle to be reset, if needed, and to enable remote remediation to rebuild and extend security capabilities over time,” he said.

There are currently insufficient security capabilities in the emerging IoT standards to manage the long life cycles expected in many IoT devices such as heating systems, the report said.

 “Standards are slow-moving, but this is something that has to be fixed faster than that,” said Haydn Povey, Beecham Research technical associate.

The authors of the report believe industry must unite from silicon semiconductor manufacturers to network operators and system integrators to ensure security is built in from start to finish.

“The aim of this report is to close the loop between the security requirements of government, industry organisations and system integrators, and some of the solutions that already exist,” said Povey.

The report highlights potential future attacks on IoT systems and how these may impact users from home owners losing control of white goods to door locks being disengaged.

“The attack surface of an IoT system may be substantially larger than traditional PCs,” said Howes.

“The complexity of ensuring multiple suppliers’ systems working together will lead to a greater probability of exploits being available,” he said.

Security in the IoT is significantly more complex than many system designers have previously experienced, said the report.

The authors believe significant evolution is required in the identification, authentication and authorisation of devices and people in IoT systems.

“System designers must presume that all devices will be compromised at some point, and ensure it is possible to regain control,” said Howes.

“Security is the major challenge for IoT, and industry needs to adopt a holistic approach to ensure it is built in from the start,” he said.

The report welcomes the work of industry organisations such as the AllSeen Alliance and the Open Interconnect Consortium looking at aspects of security within the IoT.

But the report notes that government organisations, including the UK’s Centre for the Protection of National Infrastructure (CPNI), have made it clear that IoT security must evolve more rapidly to counter threats from hacktivism, terrorism and cyber warfare.

“Techonologies such as advanced cryptography are being introduced into IoT devices,” said Povey.

“But governments agree that more work is needed to meet the threats outlined in the 20 Critical Security Controls developed for mainstream IT security by the Council for Cybersecurity,” he said.

The report’s authors said there is an urgent need to deliver cost-effective IoT systems that enable robust security, but also maintain the flexibility to deliver real benefits.

“This requires well-architected and interoperable frameworks across suppliers and technologies, integrated at an IP and silicon level to enable the evolution of security services the whole industry can use,” said Povey.

“But security is critical for the delivery of high-value services, so perhaps this is where the money lies and can be used to drive in security by design, because, although people will not pay for security, they will pay for services that security enables,” he said.

Beecham Research founder Robin Duke-Wooley said the initial steps in security for IoT are sufficient only for the near term.

“Pressure must be applied to drive greater system robustness, ensure that interoperability is applied across the industry, and deliver standards that can be measured and certified,” he said.

The Evolving Secure Requirements for the Internet of Things report is aimed at organisations across industry and government focused on the rapidly evolving IoT and machine-to-machine markets.

The interim report marks the end of the first phase of a longer study in collaboration with industry.

In the second phase, Beecham Research will go into further details with industry partners around the world on IoT security issues.

The final phase of analysis of all the market and stakeholder feedback in the first two phases will be published in a final report before the end of the year.

The final report will include cost analysis of product development and marketing, as well as risk assessment and mitigation strategies.

Read more on Privacy and data protection