REGISTER | LOGIN
Breaking News
Blog

IoT Security: What We Need Next

NO RATINGS
Page 1 / 2 Next >
View Comments: Newest First | Oldest First | Threaded View
realjjj
User Rank
CEO
....
realjjj   5/23/2017 2:04:56 AM
NO RATINGS
https://www.enisa.europa.eu/news/enisa-news/enisa-works-together-with-european-semiconductor-industry-on-key-cybersecurity-areas

rick merritt
User Rank
Author
Re: IoT security framework
rick merritt   5/4/2017 10:45:44 AM
NO RATINGS
Thanks for the additional info.

I'd love some specifics. Please contact me at rick.merritt@aspencore.com

laffez
User Rank
Rookie
Does government have a role to play?
laffez   5/1/2017 2:57:05 PM
NO RATINGS
Thanks for an excellent call for solutions!

To try to constrain the question on possible solutions, is the industry sufficiently incentivized to solve this without government regulation? If not, I guess the answer is partly or fully that government has to play a role. This has been expressed by prominent security researches such as Bruce Schneier in the post-Mirai congress hearing:

https://energycommerce.house.gov/hearings-and-votes/hearings/understanding-role-connected-devices-recent-cyber-attacks

Likewise, both Germany and England have set requirements for smart metering in each respective country.

On the other hand, there are examples where the industry has managed to handle the requirements on their own, such as EMVCO in the banking industry.

What do you think?

IoTsecurityFoundation
User Rank
Rookie
Re: IoT security framework
IoTsecurityFoundation   4/27/2017 4:45:10 AM
NO RATINGS
Well, IoTSF was established as a dedicated initiative focused on security issues across IoT. At the time we completed the consultation process (just under a year's worth of prep which included an IoT Security Summit at the Bletchley Park in May 2015), it was clear there were significant issues with insecurity. However many of the associations that were around, or being created at that time were looking at the opportunity end of IoT (markets), less was being applied at the threat end.

That's not to say nothing was being done - rather it was further down the list and fragmented - security is not something that can be done in part. We recognised efforts within a number of those groups on security - indeed, we continue the communication today as part of our remit... certainly all the efforts you identify are known and we're liaising - and the list is significantly longer and includes efforts around the globe - we're also talking to professionals in South America, Australia, EMEA etc. as well as the US.

So, recognising that this is a critical and global issue, more collaboration/coordination is needed for our collective defenses. IoTSF is a non-profit and technology neutral initiative - our stance is not to compete but partner (the adversaries would prefer we fight amongst ourselves by the way). Hence we see ourselves as a unifying entity and we (a) have a natural accord with all organisations who have effort to improve security and (b) a mission to drive the wider agenda, fill the gaps - raise the quality and ubiquity of solutions. Security will increasingly be recognised as a fundamental enabler of IoT - insecurity will delay roll outs.

To that end, our own gudiance material references external sources widely and is intended to be easy to consume and actionable. That's crucial as many companies see the need to move at market speed and security is seldom on the priority list. Cost is also a major challenge - hence anything that can be done to share/lower the (total) costs is attractive.

So please do take a look - we've been carefully constructed, we're beyond the forming stage and now in the performing stage. As I said at our last conference paraphrasing Churchill, we're at the end of the beginning, growing and the effects of our early efforts are beginnng to have the desired effect.

The crucial point is this: there are a wide range of adversaries across the globe and IoT potentially provides rich (and easy) pickings. As a technology provider community, we need as many of the good guys working together to mount defenses that are (a) native to the product (b) fit for purpose and, this one is vital, resilient over the life-cycle. Those are (paraphrased), our 3 founding values... and we'd like to work with as many members and partners as we possibly can.

Thanks for asking.

rick merritt
User Rank
Author
Re: IoT security framework
rick merritt   4/26/2017 2:22:13 PM
NO RATINGS
@IoTsecurityFoundation: Thanks for chiming in! I'll check out your site.

I'd love to hear how you feel you fit in with the other efforts mentioned in the story.

Meanwhile, if there are still other groups out there, I want to hear from you.

IoTsecurityFoundation
User Rank
Rookie
IoT security framework
IoTsecurityFoundation   4/26/2017 12:15:23 PM
NO RATINGS
Rick

You'll be glad to learn that the IoT Security Foundation (IoTSF) has been leading on this challenge since it was established back in 2015 (https://iotsecurityfoundation.org).

IoT security is a wicked challenge - there is no universal solution and it is a much wider problem than purely technical requirements.

We published our first set of best practice guides last December and significantly, the IoT Security Compliance Framework (release 1). More is coming down the pipe...

Work is also underway looking at how that Framework and the guidance documentation can be certified against by NRTL's (e.g UL / CSA / Intertek / TUV etc.).

Please take a look - there's more effort been applied than you may be aware.

JWM

Most Recent Comments
Like Us on Facebook
EE Times on Twitter
EE Times Twitter Feed