IoT Security Ratings Needed

Companies are now focused on security, but so far there is no simple way to sell it.

popularity

Concerns about security have been growing alongside adoption of the IoT, and it seems to be making some headway. This is good news, if it continues, because one of the biggest concerns about buying connected devices is that they can provide inroads into personal data.

Data security has been a persistent annoyance for several years. Almost anyone who travels or shops at major department stores using a store credit card has received a letter in the past couple of years saying their personal information may have been compromised. That’s the legal way of saying your information was stolen but you won’t be compensated in any way. After all, most of those systems were secured with accepted industry standards for software, hardware and network security, despite the fact that security experts have been warning for years that those measures were insufficient. They were right.

IoT is being dragged into this, as well, even though the market for connected things is really just beginning. A good sign of this segment’s growth is that the debate about what to call it—IoT, IoE, Iox—has simmered down. Translation: People are finally getting to work on real products. Sales are up in many IoT segments, although the initial rush to develop connected watches and home appliances seems to have fizzled. Just adding an I/O subsystem into a washing machine is no guarantee that consumers will pay more for it, particularly if there is no accompanying literature about how secure it will be.

Two years ago, there was almost no security being added into these devices. Much has changed since then.

There are several measures of this. First, startups in this area—which generally pass under the radar of financial analysts—are selling their technology to systems companies these days. Companies like ChaoLogix, Intrinsic-ID, Quantum Trace, to name a few, all report significant growth in sales of their technology over the past year.

Second, established companies that sell IP are also beginning to sell secure versions of that IP. ARM has been particularly active in this space, building out its TrustZone concept into all of its IP to establish a chain of trust. And Rambus has purchased entire companies to deliver this kind of security. But others now are adding secure versions of their IP, as well, such as Kilopass with OTP memory that can resist side-channel attacks, and Mentor Graphics, with its secure RTOS.

And third, anyone who has been attending security conferences lately can see that attendance is booming. RSA began life as a small conference in a few hotel conference rooms. It now commands two halls of San Francisco’s Moscone Center, and exhibitors now range from those focused on the IT space to IoT and even government security. Last year the conference reported 40,000 attendees.

These are all good signs, but what’s missing is a standardized way of measuring all of this. If consumers could look at a device and figure out how secure it is, similar to the way Energy Star rates how much electricity an appliance will consume over a year, security would begin to determine buying decisions. Reporting a list of secure acronyms means nothing to most people. Numbering security from 1 to 10 would boost sales across the scale, and provide the impetus to close up any remaining security holes.

This would require an independent security agency to test devices, of course, but the impact on connected electronics would be enormous. Technology companies already recognize the need for security, and there is plenty of work underway to make devices more secure. But rating these devices would accelerate this process significantly. How much more would you pay for a connected device that is rated 10 on a security scale versus 6?

eglabel
Energy Star label. Source: energy.gov

Related Stories
Making Secure Chips For IoT Devices
Technology is improving, but so is awareness about the need for security.
IoT Security Risks Grow (Part 2)
Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.
Chaos, Progress In Mobile Payment Security
Rapid transitions have stalled some development efforts, limited others, but improved security is on the way.