IoT Interoperability Requires Security

As Internet of Things (IoT) initiatives spin up around the globe, the race is on. And building from a foundation that isn’t going to require short-term retooling is critical for continued success of your effort.

Privacy and security have emerged as key requirements for IoT. The cost of not protecting data—both inside a closed environment and end-to-end through the Internet—is too high. Sensor networks such as those envisioned for IoT raise the specter of early-generation SCADA system build-outs, which taught us many lessons. Nobody wants a repeat build-out of early-generation, unprotected infrastructure controls.

The US government is paying close attention. For example, “Security Tenets for Life Critical Embedded Systems” is a draft document from the US Department of Homeland Security currently open for comments. The opening paragraphs include:

“Designing security into life critical embedded systems is increasingly important as more and more devices are becoming Internet connected smart things in the Internet of Things (IoT). . . . These devices have the potential to better mankind, but also the potential to be co-opted by malicious parties and do grave harm.”

Interoperability of IoT devices depends on widely accepted standards. Who’s putting out standards with security in the core?

The Internet Engineering Task Force (IETF) is soliciting final comments for “TLS/DTLS Profiles for the Internet of Things” and should be making a decision on approval in a few weeks. The content of the document “defines a Transport Layer Security (TLS) and Datagram TLS (DTLS) 1.2 profile that offers communications security for this data exchange thereby preventing eavesdropping, tampering, and message forgery. The lack of communication security is a common vulnerability in Internet of Things products that can easily be solved by using these well-researched and widely deployed Internet security protocols.”

As we have seen again and again, existing well-designed standards can be applied in emerging areas. This allows quick development that leverages widely accepted solutions already supported in the market. Those building blocks are visible in this solid IETF effort in the security area.

IEEE has a blockbuster IoT initiative that brings together academia and industry for a full-spectrum approach and understanding. There are now hundreds of IEEE standards applicable to the IoT already developed and supported in the marketplace. IEEE also has a specific IoT framework in development with IEEE P2413, “Draft Standard for an Architectural Framework for the Internet of Things,” which has seen steadily increasing buy-in and participation. Finally, IEEE routinely cooperates with its Open Stand partners, and P2413 adds collaborations with other industry organizations, such as SAE and the Industrial Internet Consortium. More collaborations are in development.  It’s a powerful effort that explicitly includes protection, security, privacy, and safety as goals.

The International Telecommunications Union (ITU), a UN agency, is now forming an IoT study group (ITU-T SG20). The nascent group may work at coordinating IoT build-outs in developing countries that use best-of-breed solutions based on standards developed with wide participation following Open Stand principles, or it may put its effort into frameworks and standards it would develop primarily at the ITU. It remains to be seen what the group views as its goal.

In any case, with the need for privacy and security critical to IoT success, it is encouraging to see strong solutions coming out from established standards organizations. When security is built in from the start, many problems can be avoided.

Let’s get this right the first time! Is your organization willing to bet it’ll get a second chance in a market headed to warp speed? Be sure to share your comments and feedback.