Global IoT security standard remains elusive
Despite the lack of a global internet of things security standard, existing security frameworks are on the same page in areas such as device upgradability and data stewardship
The plethora of security standards and technologies being used to secure the internet of things (IoT) today could make it difficult for a global IoT standard to emerge, according to the Internet Society.
Speaking to Computer Weekly on the sidelines of the ConnectechAsia conference in Singapore this week, Olaf Kolkman, chief internet officer at the Internet Society, attributed the lack of a global IoT security standard to differing security requirements across industries.
“There are so many different verticals using IoT, with each of them having different safety and security standards,” said Kolkman. “A connected device like a smoke detector, for example, has different security properties from that of a medical device.”
Complicating matters is the fact that technology suppliers have a vested interest in advocating the use of certain technologies to secure IoT devices.
Mastercard, for instance, has suggested using tokenisation services to enable specific uses and transactions in IoT applications, while others like Gemalto have touted the use of blockchain technology to make IoT devices smarter in responding to security threats independently without the need for a central authority.
Despite the cacophony of approaches towards IoT security, Kolkman noted that most are underpinned by common IT security principles. “If you look at the different IoT security frameworks, there seems to be consensus on things like upgradability and data stewardship – even if there’s no global standard that describes it all,” he said.
These principles are reflected in a set of enterprise IoT security recommendations released by the Internet Society this week. Among them is the need for companies to closely follow the lifecycle of IoT devices, which should be decommissioned once they are no longer updatable or secure.
Meanwhile, the Internet Society’s Internet Engineering Task Force is also working on IoT standards in areas including authentication and authorisation, cryptography for IoT use cases and device lifecycle management.
With cyber security at the top of most national security agendas today, Kolkman said the Internet Society has reached out to policy-makers to provide recommendations about what they can do, such as setting minimum standards of IoT security and accountability.
“We advise them to work with stakeholders, such as the Consumer Technology Association, to come up with solutions and certifications that have buy-in from government and industry,” he said, adding that liability laws will also ensure all players in the IoT market have skin in the game.
Kolkman said policy-makers could also lead by example by buying more secure devices. This will provide incentives for IoT suppliers to build better security into their products, especially low-cost devices that often do not justify heavy investments in security.
“Devices that are cheap and long-lived are contrary to good security posture, especially in a growing market like the IoT. The economics work against the security,” said Kolkman.
According to Ecosystm, a Singapore-based technology research and advisory firm, global IoT spending will grow at a compound annual growth rate of 6.9% from 2017 to 2022, reaching a value of US$367bn.
The Asia-Pacific region is expected to become the global centre for IoT solutions, accounting for almost half of worldwide IoT spending by 2022.