Who is Responsible for Securing the IoT?
We all love progress, especially when it comes to our gadgets. Everything from thermostats to grilling equipment is now potentially connected, opening a broad range of functions and opportunities for convenience and pleasure. A big reason for the increased functionality we enjoy today is the broad ecosystem that has evolved to connect everything to everyone all the time. For example, if we want to listen to our favorite band, we can choose Spotify, Pandora, or Apple Music on a range of inexpensive wireless speakers via Bluetooth, WiFi, or LTE, and we can do it all at home, at work, in the car, or on vacation. Indeed, it would be hard to imagine a single company with the skills, reach, and resources to deliver a music listening experience that is as broad and ubiquitous as the IoT-enabled experience we now enjoy. The complexity of that IoT ecosystem, however, raises serious questions about who in the ecosystem owns the issue of IoT security.
In the old days, when we usually had to go home to listen to our favorite tunes, big brands like RCA were often tied to both our stereo equipment and the music we listened to. Those big brands of our past worked hard to earn our trust and earn a space in our homes, and their ownership of all issues tied to the customer experience was clear. In contrast, many of the IoT products we use today leverage the brand power of others. Indeed, the “front end” of our IoT experience, the cheap wireless speaker in the example above, is probably the one part of the IoT ecosystem associated with a company we have never heard of. At the same time, the “back end” ecosystem that enables our speaker to deliver music–including the streaming service, the broadband provider, and even the manufacturer of the chip powering the speaker–is comprised of large companies we know.
The ‘disequilibrium’ between the relative brand recognition of the front end and back end of the IoT ecosystem could have implications for security. When a hacker compromises the security of your cheap wireless speaker, whose “problem” is it? On the face of it, the problem is clearly with the speaker designer who failed to put in appropriate security safeguards. That said, many of the smaller companies that make cheap speakers and the other IoT devices in our homes generally have relatively little experience protecting their (or anyone else’s) products from hackers. In contrast, the companies that make up the back end of the IoT–from the connectivity providers all the way to the chip manufacturers–are usually large, mature companies with lots of experience and sophistication when it comes to security. Those larger companies may not be at fault for a compromised IoT speaker, but their respective brands can take a big hit when something goes wrong, whether they were directly at fault or not.
One approach to defining ownership of the challenge of securing the IoT is to fall back on standards. Standards play an enormous role in ensuring interoperability across the IoT ecosystem, and they do speak to the issue of security. The problem is that most standards efforts take years, and the IoT is progressing too quickly for standards bodies to keep up. Last year, Arm published its IoT Security Manifesto, and in that document, Arm’s CEO Simon Segars writes that Arm sees security standards “being enacted by industry bodies and governments and maybe even the UN,” but he goes on to write:
[We] believe that standards and government regulations generally describe yesterday, and in a world as fast-moving as the IoT we need to describe tomorrow.
It does not look like falling back on standards will necessarily provide any easy answers.
The IoT is made up of a large and complex ecosystem, so drawing clear lines of accountability for security can be difficult. However, when security is compromised, one thing is clear: everyone suffers. The good news is that many of the more mature companies in the ecosystem offer developers significant resources and support to implement security. At SecureRF we are proud to have partnered with many of the largest players in Silicon Valley to work with their teams to offer IoT developers the tools and the training they need to make their IoT products more resistant to attack. Recently we partnered with Intel to share strategies for securing their FPGAs, and we have other such webinars coming in the fall. If you would like to learn more about how we support our semiconductor partners and their security needs, please contact us at firstname.lastname@example.org.