Tech firms tackle IoT security with management protocol

A group of tech firms have joined forces to develop a management protocol for IoT devices that could pave the way to an open, interoperable standard to address security and privacy risks

Tech firms have joined forces to create an open and interoperable management protocol for internet of things (IoT) devices to help address security concerns.

The group includes UK-based chip maker ARM, security firm Symantec, digital identity specialist Intercede, and telecom and mobile security specialist Solacia.

They have been working with Sprint, Beanpod, Sequitur Labs, Thundersoft, Trustkernel and Verimatrix to assess the security challenges of connecting billions of devices across multiple sectors, including healthcare, manufacturing and transport.

The cross-industry initiative is in response to growing concerns that billions of connected devices are at risk unless security and privacy sensitive data can be managed to an acceptable level.

Tech industry attention to security has been increasing, amid growing concerns by security and privacy professionals and a prediction that failure to get security right could stall the whole IoT market, according to the IoT Security Foundation.

The tech firms have concluded that any IoT system can be compromised unless a system-level root of trust is established through a combination of code signing, encryption and authentication.

The resulting Open Trust Protocol (OTrP) combines a secure architecture with trusted code management, using technologies proven in large-scale banking and sensitive data applications on mass-market devices such as smartphones and tablets.

The protocol sets out standard practices for installing, updating and deleting applications, and for managing security configuration in a trusted execution environment (TEE).

“In an internet-connected world, it is imperative to establish trust between all devices and service providers,” said ARM security systems vice-president Marc Canel.

“Operators need to trust devices their systems interact with and OTrP achieves this in a simple way. It brings e-commerce trust architectures together with a high-level protocol that can be easily integrated with any existing platform,” he added.

Symantec estimates that one million internet attacks were carried out every day during 2015. IoT expands the attack surface and, according to analyst firm Gartner, security is now the top priority when building any connected product.

The research firm has said organisations are likely to continue to underinvest in IoT security, despite the company’s predictions that more than a quarter of cyber attacks will involve IoT systems by 2020, when Gartner expects the number of connected IoT devices to have risen to around 26 billion worldwide.

OTrP is a high-level management protocol that works with security solutions such as ARM’s TrustZone-based trusted execution environments that are designed to protect mobile computing devices from malicious attack.

The protocol could pave the way for an open and interoperable standard to enable the management of trusted software without the need for a centralised database by reusing the established security architecture of e-commerce.

The lack of any robust and industry-supported standard is commonly cited as one of the biggest challenges to finding a practical way of addressing the security and privacy risks of IoT systems.

The management protocol is used with public key infrastructure (PKI) and certificate authority-based trust architectures, enabling service providers, app developers and OEMs to use their own keys to authenticate and manage trusted software and assets.

According to the group of tech firms behind its development, OTrP is a high-level and simple protocol that can be easily added to existing trusted execution environments or to microcontroller-based platforms capable of RSA cryptography.
