Internet of So Much Stuff: Don't wanna be a security id-IoT
IoT is not the same as IT... normal infosec does not apply
Apple Mac vs PC all over again?
Does this, therefore, really help the IoT cause? Do we really have to accept that to have a relatively secure IoT infrastructure we need to back a particular horse and stick with it? It all seems a bit Apple Mac versus the PC all over again. However, while standards for interoperability exist, it is the security element that is still holding it all back. So, do we need more standards?
According to O’Farrell, Dell is working with policy makers and industry groups like OpenFog, IIC and others to ensure security is "top of mind when setting new industry standards." He cites the EdgeX Foundry, an open-source project to create a vendor-neutral IoT edge ecosystem.
"Participating in projects like this helps foster IoT innovation and manage risk more effectively, which are two of our main objectives," he says.
Moor, however, is not so sure we need more security standards. "Standards for interoperability are a good thing for market adoption but when it comes to standards for security however, it is a different picture," he says.
"A lot of standards, very good standards, already exist and our view is that we need to make better use of what we have. Is creating more standards the answer? Well, I recall a conversation I had when we were contemplating what should be done to address security challenges ‘pre-IoTSF’. I was speaking to a senior security professional from one of the big telecoms providers and he said to me: 'John, the great thing about standards is that there’s so many to choose from.' Too many standards are almost as bad as none."
The problem that a lot of people have is that IoT is something completely different and therefore requires different thinking when it comes to security. The additional problem is that vendors are already pushing products out into the field and at some point they will need re-engineering to cope with new security threats, or better still, ripped out and replaced. Who pays for this? Customers of course, in more ways than one.
"There is a growing awareness that IoT security is not like traditional cybersecurity," says Moor, "that IoT is not the same as IT and 'we can’t carry on like this'." He points to the recent proposed Cybersecurity Improvement Act 2017 in the US and the publication of the automotive cyber security principles for connected and autonomous cars in the UK, as political reactions to the industry’s fragmentation and confusion over IoT security. Politicians are clearly getting twitchy.
As if to drive home the point, in October, EU security and law enforcement agencies Europol and ENISA came together for a conference to discuss the issues of IoT security. Apart from saying a few obvious things, such as 'something needs to be done about it', the conference did come up with a European cup for cybersecurity inventions. Organised by the Spanish National Cybersecurity Institute INCIBE and with the support of ENISA, the European Cyber Security Challenge (ECSC) was to run in late October and early November.
What this will achieve is as yet uncertain. A chance to showcase skills perhaps. It seems a little off the mark and just adds to the overall confusion. Vendors and industries are surely better placed to make a call on what will and won’t work? Perhaps industry-specific security measures are needed to cope with the wide variety and varying use cases of connected devices and sensors?
"It is fair to say that since the Miller and Valasek Jeep hack in 2015, the automotive industry is moving en masse to re-architect with security in mind," adds Moor, suggesting that it takes a good kicking to really get an industry thinking more productively about security.
IoT security challenges will be with us for the foreseeable future - hackers are agile and will move from exploit to exploit and from new opportunity to new opportunity as systems are connected and placed online.
It's not a lack of standards that's the root cause of the IoT problems of recent past, present and the future - it's lack of both individual and co-ordinated action.
The challenge comes in making sure vendors uphold their duty of care and deliver fit-for-purpose security in products and services, in having vendors take responsibility and in making them accountable when things go wrong. It also means going beyond grand $1bn statements that win headlines and prioritise yet more product, but remain vague on the subject of security.
After all, if a children’s nurse gets it, the industry has no excuse. ®