Sharing information about IoT security is the only way it will be dealt with effectively.
One of the common refrains about the IoT is that it opens up a whole bunch of new security issues that no one has dealt with in the past. The problem is that aside from complaining about it, most companies aren’t actually sharing information because they consider it either a proprietary advantage or a tip-off to thieves.
The thieves, on the other hand, have no problems sharing information about security holes. In fact, breaches are discussed before and after the fact, identifying security holes and techniques that have resulted in the largest thefts of personal data in history—hundreds of millions of names, addresses, credit card numbers and even medical data. And to make matters worse, the same technology that was meant to improve user experiences by mining data is now being sold by thieves for more nefarious purposes such as illegal transactions, skimming and outright identity theft.
There are several problems going on here that need to be addressed across the entire semiconductor industry, and even up into the electronics devices:
1. Everyone needs to start talking. While security usually involves an element of keeping things quiet, which is why it took so long for breaches at big retailers, banks and credit companies to surface, sharing all of those details will go a long way toward quickly closing similar loopholes at other establishments. The network for instant communication is all around us, but so far only the thieves are using it. And a collection of highly sophisticated, Internet-savvy crooks with the same or better background in programming and hardware design as the best security experts makes openness about breaches a requirement.
2. Costs can only be contained with standards. Designing secure chips and systems costs money. The better the design, the more money it costs. That’s why the only effective approach for containing costs is the equivalent of an open-source security model, with modifications. You don’t want a rogue nation state adding things into design, but you also need to create an infrastructure where modifications can be made quickly and relatively easily by a multi-company standards group as changes are required. This will be essential in markets where there is little wiggle room on cost, such as consumer electronics and wearables.
3. Security needs to be considered in the context of use models. While it’s important to build security features into designs, security also needs to be contextual. You don’t need high-level security for an atomic clock, but if that same chip is being used in a smart thermostat where information is relayed to a remote device, it may. The communication between components vendors and OEMs or device makers needs to be much more open than in the past, which isn’t always so easy in a disaggregated supply chain.
Finally, standards need to be set, reviewed, consolidated, collapsed and new standards need to be added. This is a never-ending cycle, and it requires diligence, collaboration, and commitment by all electronics companies. For the IoT to be successful, it has to be secure and safe. And at this point, the electronics industry has barely scratched the surface on what promises to be a monumental undertaking.
Leave a Reply