Getting serious about IoT security: what can be done?

Shodan claims to be the first search engine for the Internet of Things (IoT) and it’s been dubbed by some as the scariest search engine in the world. Back in 2013, its creator, John Matherly, a bioinformatician from Austin (Texas, USA), warned that there were about 500 million connected devices with the password set to “1234” or “admin”.

Among them were, and oddly enough still are, security cameras, thermostats, garage doors and glucose meters (for diabetics), but also gas station pump controllers, automatic license plate readers, traffic light controllers, maritime satellites and electric vehicle chargers. And, indeed, it’s pretty scary.

Security and privacy are still the weak points of the story when talking about the Internet of Things. The more ubiquitous devices become within organizations, the higher the risk, as a single point of failure opens the door to multiple attacks. And this is a key issue IT professionals will have to keep on tackling in 2020. In fact, some predict the rise of alternative solutions, like the blockchain-based SigmaDots, to block most of the methods that hackers are using to attack IoT networks.

Concrete deliverables

All in all, getting serious about IoT security is now crucial for any business and the IOTSWC19 gave a good account of it. The sector faces the same security challenges as any other IT area, said Kevin Gillick, Executive Director of Global Platform, “but these challenges, and how people are addressing them, are becoming very fragmented.” “There are a lot of people popping up saying we’re going to solve it, but what we’re seeing is a lack of real concrete deliverables”, he added.

To tackle this issue, Global Platform publicly launched IoTopia during IOTSWC19. IoTopia is a new collaborative industry initiative that proposes a common framework for standardizing the design, certification, deployment, and management of IoT devices.

It sounds like a holistic solution, and that is what it purports to be. It develops fundamental elements such as Security by Design; Device Intent, to identify connected things and manage their behavior; Secure Onboarding; and Device Lifecycle Management.

These four pillars are not easy to implement but collaboration is a powerful engine. “We work in partnership with other industry bodies and organizations like the Industrial Internet Consortium, GSMA, ENISA and others to deliver the best solution, and engage the entire IoT ecosystem”, Gillick says.

It’s true that there are already a lot of best practices out there related to Security by Design, admits Global Platform’s Executive Director, but IoTopia wants to take those practices, identify the gaps that exist and also take government mandates into account.

Much to be done

As for Device Intent, IoTopia looks for a consistent way to know what a device really is, whom it belongs to and what it is intended to do. Also, onboarding is a big issue “as the time to onboard many devices in a company is a great challenge”. Last but not least, lifecycle management is vital to help manufacturers, device owners, vendors, and IT staff to implement product end-of-life.

“People have the right to be skeptical about this initiative”, admits Gillick, but for more and more devices in 2020, “it will not be enough to say that they are secure. They will have to prove it”, he concludes.

The ecosystem and the expertise are already there. AI-powered monitoring and analytics tools may also help, even if they are complex to adapt to all circumstances. However, there’s still a lot to be done, as cybercriminals are proactively finding new techniques to threaten security. And, unfortunately, ease of installation and use is still a selling point, while security is not. Now, the sector has the power to change this sentiment and advance security and privacy. Almost everyone will appreciate it.

Pedro Mier

Pedro Mier holds a degree in Telecommunications Engineering from the Polytechnic University of Catalonia, an MBA from ESADE and a PADE from IESE. He is currently President of AMETIC (Association of Electronics, Information Technology and Telecommunications Companies of Spain), Shareholder and Chairman of the Board of Directors of TRYO Aerospace & Electronics, Board Member of the Premo Group and Committee of CTTC, member of Space Angels Network and Member of the Scientific Advisory