Taking Stock Of IoT Standards

It may be years before consistent standards emerge for the IoT, but there are plenty of choices in the meantime.


Trying to make sense of Internet of Things standards today is like opening a can of worms. Definitions are still shaking out, consortia are popping up quickly, and everyone is in a mad scramble to capture their piece of the much lauded potential of an intimately connected world of devices.

With so many points to consider, security is a good place to start.

It is obvious from the proliferation of news articles about the latest in hacking successes, it’s not enough just to secure the perimeter of a network and think the devices inside of that are going to be secure.

“To anyone who’s been in the industry and really paying attention it’s clear that having perimeter security, while a critical piece of the security solution, isn’t sufficient,” said Alan Grau, president of Icon Labs. “There have been all kinds of reports in the news where people are able to breach security perimeters. The IoT at some level is no different. You can’t just say a perimeter is going to solve the problem. In another way, it’s an even bigger concern because many IoT devices are going to live out in the world and not necessarily behind a protective perimeter, so they’re going to be easier to attack. There will be people who get physically close to devices to attack them.”

The big change is that many of the attacks that occurred in the past involved breaching secure server rooms from remote locations.

“In an IoT network, they’re probably low-cost devices that you can have physical proximity to, maybe even have physical access to them, so there will be a wider range of attacks you need to protect them from,” Grau said. “They’re also low cost, so you might be able to go out and steal one if they’re out in the world someplace, or buy one, then start seeing what vulnerabilities you can find. As you look at security inside the perimeter, you really need security throughout the network.”

Lessons learned
Given the fact that the IT world has been getting hacked for a long time, that sector has been thinking about security for just as long. What are they doing to build secure systems, and what lessons can be learned?

“The idea is that as we move forward into the IoT, all of these worlds are converging. There are no longer separate networks with operational technology devices running on an IT network that are separate. These are starting to converge and connect with each other and talk more. The embedded or IoT devices are going to need to meet the same security standards as in the enterprise, so things like secure boot and authentication, and secure communication — all of these are critical capabilities,” Grau noted.

To address this, companies are building security in a scalable fashion, from the bottom up. For example, something that will run on an 8-bit MCU that’s controlling a smart appliance in a home needs to have some security on it. At the other end of the spectrum, the security approach needs to align with the enterprise world.

If it is true that 70% of new IoT devices have no security, there’s much work to be done.

IoT mishmash standards stew
At present, there is a healthy list of competing IoT standards. Cees Links, CEO of GreenPeak Technologies, compares the current standards to the Wild West—similar to what WiFi went through over the past couple of decades.

“People think that WiFi from invention to today’s worldwide acceptance was one straight line,” Links said. “Having lived through the early days of inventing WiFi and making it a standard, I can tell you it was a lot of work and a lot of confusion, and a lot of guidance and misguidance, a lot of positioning, and on-purpose confusion creation. People today have completely forgotten that at one stage Bluetooth stole the world: ‘You don’t need WiFI because Bluetooth can do everything.’ That was 1998, and I was selling WiFi and I had to answer all these questions and explain why Bluetooth was different than WiFi. Bluetooth was supported by Intel and Nokia and a few other companies that had a name and reputation that had forgotten to jump on the WiFi bandwagon, so their only interest was to delay WiFi and WiFi acceptance. I can tell you it was not a straight line; it was a line with a lot of curves and today, the world is very, very clear: people know where to use Bluetooth, people know where to use WiFi, people know where to use cellular networks, and so forth. But that wasn’t the situation 10 or 15 years ago.”

To be sure, with all of the current confusion between ZigBee, WiFi and Bluetooth, there’s also the confusion around network operating standards between Google, Apple, Intel and Qualcomm, he pointed out. “The good news is that what we have learned from WiFi is in the world of communications, open worldwide standards are the ones that sooner or later will break through in the market, and that’s what we are betting on with ZigBee based IEEE 802.15.4. We think sooner or later there will be some sort of convergence where these open standards and open transport layers will be used.”

But there is another impact of the confusion: It limits the market size because with the confusion and anxiety of adopting technology that isn’t standardized, purchasing decisions are postponed.

Finding common ground
Standards vary by market, too. Grau said in the area of industrial automation, there are sub-standards. “If you really dig into them, what you find is that underneath they require all these same capabilities. They require that you can authenticate the device, that you’ve got secure communication, event reporting and command audit logging and policy management They might be described differently and there will be different details wrapped around them. But it’s really the same core fundamental building blocks because at some level, building a secure device is really not all that different if you’re building an industrial automation control system that controls the temperature of liquids as they flow through a chemical processing system or you’re building a ZigBee controller that’s going to sit in the home and control your heating and air conditioning and other things. The cyber attacks look similar for the most part, so they need the same sorts of security capabilities.”

Market players need to figure out how to leverage these capabilities across vertical segments so the wheel isn’t be reinvented at every turn.

Current IoT Standards Options:

Interestingly most of these are concerned with communication rather than security. Security for many of these is an afterthought.

One way to tackle this is to fuse together security across markets, such as home and automotive.

“Maybe the automotive guys are onto something that the home people should be leveraging instead of going and creating all their own stuff,” said Drew Wingard, CTO of Sonics. “The whole idea of a driverless car that someone could highjack remotely is scary.”

The implication is that reliability is really important, but security is going to be incredibly important before this next level of full connectivity, he said. “All of our cars have had a socket for a long time where they could plug in a piece of diagnostic equipment and learn all kinds of stuff about the history of our car, and the current status. We were kind of connected, but we weren’t continuously connected, and we weren’t bridged. What was connected wasn’t connected to anything else. It was an isolated system. As we take this and make it more connected, the security concerns are very realistic.”

Wingard noted that the most capable piece of electronic equipment in the car is likely the infotainment system “There are really good and valuable reasons why that needs to be a hub through which a lot of the other sensors play. Certainly my back-up camera had better show up on the screen where I might be doing other stuff. That’s the most logical place to put it. I can imagine all kinds of other sensors that might want to report their data through that thing. Now suddenly, someone has access to the whole sensor part of the system. But the infotainment system also has to be able to be field upgradable because, as people have said, these days the electronic system in a two-year-old car looks obsolete. As much as Detroit loves having people want to trade in their car because it feels obsolete, two years is a little bit too quick for them.”

One of the key criteria in next-generation infotainment systems is downloadable access to new features or upgrades, which raises questions about the impact on sensors and actuators inside a vehicle.

“There is no alternative,” Wingard said. “You have to have multi-layer security on the chip. Some of that is about encryption and keys. There are plenty of people who do really good work around that. But at some level that’s going to have to be physical security of the data streams, and that’s where the on-chip network provider has a role because we are the gathering point for the information. There are resources that will be shared between the more secure/less secure/super secure parts of the design.”

He believes a multi-layer hardware protection architecture will be a requirement for future systems, and the degrees of openness of different parts of the system cause him to believe that a single-bit solution such as an ARM TrustZone won’t be sufficient.

Zach Shelby, vice president of technical marketing for the IoT business unit of ARM, couldn’t agree more. He acknowledged that the IoT needs a software ecosystem in addition to TrustZone, given the changing embedded developer demographics. ARM’s mbed OS is the company’s answer to this. It acknowledges the importance of the ecosystem, the device server and the OS.

The bottom line: Sorting out standards will take time. In the meantime, products for every part of our connected world will continue to flood the market. How those interplay going forward is still up for grabs at this point.