Part I: Baking in Security for the Internet of Things

February 17, 2015
Cybersecurity Predictions and Trends: Post by Brian McKenney
Brian McKenney

In my previous post, I discussed some of the security challenges and concerns regarding the Internet of Things (IoT), including the potential consequences of the lack of built-in security (e.g., unauthorized access to services and data). This post is the first of two that I'll be devoting to six key initiatives designed to achieve "baked-in" security and interoperability for the IoT. Some of these initiatives focus on interoperability and security standards for a broad view of “things”—and some focus on standards for particular "things," such as thermostats and medical devices. I'll look at the first group in the first post.

NIST Cybersecurity Framework for the IoT

In August 2014, the National Institute of Standards and Technology (NIST) initiated an effort to develop a new cybersecurity framework dedicated to the IoT. The IoT, also referred to as cyber-physical systems (CPS), includes three defined entities: (1) physical objects with tags or identifiers (e.g., radio frequency identification), (2) physical objects with one or more sensors that use one or more types of network connections (e.g., wireless, wired), and (3) sensors and other technologies embedded in physical objects, such as refrigerators and medical devices.

The NIST CPS Public Working Group (PWG) is developing uniform definitions and a reference architecture to promote common and integrated CPS standards and guidance across industry sectors. The CPS PWG consists of five subgroups: cybersecurity and privacy; vocabulary and reference architecture; use cases; timing and synchronization (i.e., how and when a device sends data); and data interoperability. The development of common taxonomies, architectures, and representative security controls will enable devices (things) to provide security and communicate securely with other devices and services. In 2015, NIST will produce a draft reference architecture, based on individual working group reports, and a draft roadmap to help promote broad consensus and shared understanding of CPS across a variety of domains and applications (e.g., personalized healthcare, intelligent buildings, and smart cars).

Industrial Internet Consortium

The Industrial Internet Consortium (IIC) was founded in March 2014 to bring together academic, consulting, and industry leaders (e.g., Carnegie Mellon, Cisco, Intel, Microsoft, and AT&T) to promote open interoperability standards and common architectures. The architectures will connect smart devices, machines, people, and processes across various industrial environments, such as energy, manufacturing, and transportation. In 2015, the IIC plans to complete a broad reference architecture (including security) for CPS and establish test beds for industry members to use in identifying gaps and needed standards (e.g., secure communications). The reference architecture will establish interoperability requirements and identify applicable industrial Internet standards.

Open Interconnect Consortium, Inc.

The Open Interconnect Consortium, Inc. (OIC) was formed by technology companies in July 2014 to address IoT challenges regarding secure and reliable discovery, connectivity, and communications across multiple devices. The OIC's objectives are similar to NIST's and the IIC's: to identify and promote secure and interoperable IoT solutions from among the multiple vendor approaches and available forums. The OIC's goal is to define a standard for connecting devices using an open source platform to ensure interoperability of the more than 30 billion devices projected to come online by 2020. The OIC sponsors an open source project called IoTivity to enable developers and manufacturers to connect devices across a wide range of platforms (e.g., Linux, Arduino, and Tizen). It also targets devices based on iOS, Android, Windows, and real-time operating systems. The OIC continues to gain participation from vendors whose products and services range from back-end platforms to a variety of consumer products (e.g., automotive, consumer electronics, enterprise, healthcare, home automation, industrial, and wearables).

AllSeen Alliance

The AllSeen Alliance, formed in December 2013, is a nonprofit consortium dedicated to driving the widespread adoption of IoT products, systems, and services across a variety of sectors with an open development framework. Like the OIC, the AllSeen Alliance is working to accelerate the development of a connectivity and communications framework for the IoT. Its members include leading consumer electronics manufacturers, home appliance makers, automotive companies, IoT cloud providers, and chip manufacturers. Also like the OIC, the AllSeen Alliance supports an open source project based on open standards to enable IoT objects and other embedded devices to work together.

The AllSeen Alliance is similar to NIST's CPS Working Group in establishing subgroups to address different consumer and technical areas. These subgroups include Analytics and Telemetry, Base Services, Compliance and Certification, Connected Lighting, Core (which includes Security v2.0), Data-Driven API, Gateway Agent, and Smart Home. The Security v2.0 effort addresses a concern that I raised in a previous post: access to IoT devices by unauthorized users and services. Security v2.0 defines features that allow an application to validate access to secure interfaces and objects based on policies installed by the device's owner.

In my next post, I'll provide a snapshot of the two initiatives aimed at developing standards for specific things. I'll also talk about what we can expect from these combined efforts in the future.