Assessing the Security of ‘Simple’ IoT Devices
Kai-Fan Chang, General Manager Brightsight Greater China
Technology commoditization is allowing both traditional vendors and newcomers to innovate in the IoT space. Developers in this space are often unable to address security matters, whether through lack of expertise or lack of digital transformation maturity: “we make coffee machines, we are not an IT company”. While this has a negative impact on the mass market for consumer devices, it has larger implications in the B2B domain. Industrial solutions, smart cities, critical infrastructure and automotive are some of the domains where insufficient security functionality has a more significant impact.
A significant issue facing IoT vendors in general is the absence of effective, independent or broadly industry-accepted security standards and security assessment.
Worldwide, lawmakers have reacted by regulating the market. Legislation has been crafted for general purposes like data protection, for specific sectors such as the protection of critical infrastructure, and for specific markets like financial, automotive or energy, to mention just some examples. Over time, this is evolving into security product evaluations that meet specific compliance requirements.
Trusting trust
Developers of IoT products and services for the B2B domain will face an increasingly regulated security domain. At the core, what all regulations ask of vendors and solution providers is to take ownership of the security problem by implementing measures proportional to the risk. Addressing this complexity requires a collaborative approach from parties focused on their own fields of expertise. In the end, all the players in the value chain must play a role in bringing security features to IoT application developers. The developer is ultimately responsible not for developing those security measures, but for implementing them.
One good example is the requirement for “secure communications”. The ideal way to fulfil this requirement is for the product developer to call a library provided by the software stack, with that software in turn supported by the hardware components. That way, the developer can focus on their area of expertise, the product, while the security technology providers deliver the expected security capabilities. This set of capabilities is a toolbox from which developers can select those that best fit their use cases. For developers, the ability to understand and demonstrate the strength of those security measures allows them to meet evaluation requirements in a time- and cost-effective way.
Tackling the issue of security on IoT devices, and finding an effective way to assess it, requires cooperation between all the actors in the industry, from manufacturers to policymakers and the organizations with extensive experience and expertise in setting up industry initiatives. We all have a role to play, each with our own expertise, cooperating to address the challenges of our ever-more-connected digital world.
Mr. Chang and a range of other thought leaders will be presenting at GlobalPlatform’s "Security in our Connected World" Seminar on 19 September.