Internet of Things security isn’t one-size-fits-all, and that’s a problem.
Security is a hot topic within the vast swath of the electronics industry that is working to bring the Internet of Things/Internet of Everything from concept to reality. A slew of standards and protocols are currently being developed to help secure the IoT from the edge nodes through the networks that carry the accumulated data. Chip vendors are implementing anti-tampering technologies within devices that previously had little need for them and industry alliances and consortia are developing protocols for device- and network-level security.
The level of activity is an indicator that the electronics industry understands that the promise of IoT cannot be realized without robust security. Headline-grabbing security breaches like the recent hacking of a Jeep Cherokee reinforce the point that predictions about the IoT’s massive economic opportunity are nothing but hot air unless safety and privacy are locked down.
While nearly everyone agrees that there must be consolidation of the many security standardization efforts now underway, one thing is clear: There won’t be a “one-size-fits-all” approach to IoT security. “It’s not a ‘silver bullet’ kind of problem,” said Bill Morelli, an industry analyst who serves as director of IoT, M2M and digital at IHS.
That seems to be the common consensus among industry experts, but there does have to be at least some limits on what can be done both for the sake of progress and cost.
“There will not be one single thing. But there won’t be a hundred things, either,” said Manas Saksena, senior director of technology and marketing of the IoT business unit at Marvell.
The IoT is a broad description for a conceptual framework that includes automotive, consumer, medical, industrial, and military/aerospace application segments, among others, each of which requires a different level of security. A smart refrigerator, for example, doesn’t require the same level of security as automation equipment in a chemical plant or a military jet—although even refrigerators need some security because it can serve as a gateway to other devices. But mission-critical applications demand especially robust levels of security, which is a problem because many IoT applications simply can’t justify the cost or the loss of network speed required to achieve this level of security.
“Are we talking about a nuclear plant or an agriculture farm? Different applications need different levels of security,” said Majid Bemanian, director of segment marketing for security at Imagination Technology.
Part of the issue is that IoT, by definition, connects many devices to the Internet that were previously not connected and thus not vulnerable to hacking. According to John Dixon, director of corporate marketing at Freescale, while there are maybe 20 million Java developers in the world, there are only about 600,000 embedded developers. Many have little experience with security for connected devices and have their hands full sorting through the alphabet soup of technologies promised by various chip vendors. Most of these technologies are proprietary and vary widely from vendor to vendor.
“There’s no such thing as a closed platform anymore,” Bemanian said. Many of these developers are used to designing, for example, a washing machine, and then moving on to the next project, not needing to give much thought to the security of the system, he added. “They were just putting a lock on the door and calling it secure. Now they have to go into the house and watch everything.”
Dixon said smaller customers are overwhelmed by the information on security features found on chip vendors’ websites. “Even among chip companies, we have different names for different security functions,” Dixon said.
“If there are 50 different companies out there doing security 50 different ways, it’s going to be very difficult for any of them to gain traction,” said Brian Davis, vice president of the IoT business unit at Renesas Electronics.
According to Gartner, by 2017, some 50% of IoT products will be marketed by startup companies less than three years old. Dixon—who believes Gartner’s estimate may be low—said a lot of these startups do not have any security expertise. He predicted that many would push ahead with getting products out the door and that some would fail simply because of lack of security.
Clearly, one thing that is needed is the development of standard definitions of security features and common descriptions of security levels. Davis believes it will take up to a decade for the electronics industry to evolve to the point where these descriptions are available and understood well enough to have an impact. At that point developers will have built up an understanding of the potential vulnerabilities of their products and be able to weigh those against the costs involved in order to decide what level of security to implement.
“People are going to learn to think about what the potential outcomes are, and then they will configure their security around these potential outcomes,” Davis said. He added that developers with knowledge of the different levels of security and where each is needed would then be able to apply them appropriately. “They don’t want to overburden a device with security.”
Nevertheless, for the IoT to fulfill its many promises it will require various levels of standardization so that security can be applied effectively and consistently. According to Davis, there is currently “a lot of attention and effort,” but not a lot of consolidation around creating common security terms to span the broad applications areas of IoT. (See related story.)
Davis noted that MCU vendors are now adding security to their platforms. “It is going to get more interesting, and we will be seeing industry alliances and consortiums coming together to create [security] guidelines,” he said.
At least there is some consensus on what must be done, even if there isn’t a clear path for getting it done. “Standardization has to happen, and it has to be driven by end customers if not a government body,” said Freescale’s Dixon. He added that, for customers to feel confident that IoT products are secure, they may well need a certification on the back of the box. “There is nobody pushing a security standard right now,” he said.
The good news is that there is wide agreement that overcoming the security challenges posed by the IoT is not a matter of if, but when. While some acknowledge that the turbulence expected over the next few years as security issues are ironed out may be a speed bump on the road to IoT realizing its potential, they also point out that the electronics has walked this path for many years, tackling security for devices that were already connected to the Internet, such as PCs.
“I would characterize it more as a growing pain,” said IHS’ Morelli. “We have learned a lot from having to secure smartphones and PCs. It’s not like you are starting at ground zero for all of these industries and markets.”