Failure to get security right could stall the whole internet of things (IoT) market, according to the IoT Security Foundation (IoTSF).
To aid the adoption of IoT, the international, non-profit, supplier-neutral foundation is seeking to engage with IoT industry stakeholders to promote IT security excellence.
The IoTSF aims to be the “home of IoT security best practice” that keeps pace with the security challenges that emerge as the industry expands and evolves.
The foundation grew out of a team focusing on design innovation at the National Microelectronics Institute (NMI) and is based on the conviction that the internet of things will happen, but growth of the industry will stall or be stunted if security is poor.
“That is why the foundation is focused on the threats of IoT and not only the opportunities, which are much easier to identify,” said foundation director John Moor.
“We recognised that there was not enough being done to co-ordinate a response to the threats and support the standards bodies in developing guidelines for the use of the industry,” he told Computer Weekly.
The approach is one of engagement, consultation and collaboration with industry stakeholders such as chip makers, intellectual property providers, systems integrators, regulators, governments and government departments.
“Where good things are happening, we get behind them. Where there are gaps, we seek to fill them,” said Moor.
“Everyone has a role to play. We set up the foundation to provide a focal point and bring together all the siloes of good practice and activity,” he said.
Moor said the foundation aims to be “collaborative by default” and is happy to work with any IoT stakeholders and bring together all the good work being done in IoT security worldwide.
A co-ordinated response to security
The foundation currently has around 50 members from around the world, just three months after the official launch. It is seeking to recruit many more members to mount a co-ordinated response to the size and scope of the security challenges to the nascent IoT industry, starting with technology providers.
“We need to marshal a cohesive response across the stakeholder groups, including technology providers, service providers, network providers and eventually organisations that are going to acquire IoT systems to improve efficiency and enable services,” said Moor.
These early adopters, he said, are likely to include manufacturing companies, financial companies and insurance companies. “However, we realised that our focus needs to be global, not just on the IoT industry in the UK,” said Moor.
Building a bigger picture
In 2016, the foundation aims to produce its first best practice guidelines aimed at addressing the emerging threats to IoT security.
Allied to that, the foundation is working to “build the big picture” by understanding what IoT security and privacy look like in each sector.
“Security is really context-dependent. Issues in the medical and health sector will be different to those in manufacturing, which will be different to those in critical national infrastructure,” said Moor.
The foundation is exploring key topics such as the challenges of software updates in “constrained” devices, responsible disclosure of security risks and best practice in consumer devices.
Another key initiative for the foundation is developing a system for enabling some sort of self-certification.
“Initially the barrier is likely to be fairly low, but the aim will be to ratchet up the quality of security as quickly as possible,” said Moor.
“We recognise that all of the answers do not exist just now, but we believe it is important to develop a process that will ensure we get to those answers. A big part of that will be engaging with the community to stimulate discussion and raise awareness of the issues,” he said.
Moor believes that raising awareness is a key part of tackling the problem by focusing attention on IoT security to ensure that the mistakes of the past are not repeated.
“Just doing the same as everybody else is not an adequate response, and hoping for the best is not a good plan,” he said.
IoT Security Foundation holds meeting
The IoT Security Foundation believes that it will be easier to address security risks up front than to try to fix things later. It aims to address the confusion around IoT security by informing businesses and helping them to make good choices.
“However, we are just at the start of what is likely to be a long journey and we would welcome new members who are looking to help the industry as a whole to move forward,” said Moor.
“Any organisation is welcome to join the debates on patching IoT devices, developing self-certification mechanisms and promoting responsible disclosure of security risks,” he said.
The IoT Security Foundation is to hold an open plenary meeting on 1 February 2016 in London, and non-members are invited to attend.