What does it take to call a connected device secure? In the rush of stories detailing how connected devices have been harnessed in a botnet army, can be used to spy on children or can be rendered useless with inadvertently downloaded code, security is top of mind.
But when we talk about security what exactly are we talking about? We don’t know.
Right now, there are several efforts to create standards for securing connected devices, but they don’t all require the same elements. This lack of clarity means that securing connected devices is more expensive and harder than it should be, and it also makes assessing the security of a device by consumers impossible.
When I ask if a device is secure, I’m not looking for a yes or no response, but whether it meets my own criteria: encryption, rigorous penetration testing, a plan to issue patches over a set time frame, and a responsible cloud architecture that doesn’t leave passwords in plain view on a web-connected database. But a CIO for an enterprise or hospital probably has different criteria.
So for IoT security, it’s not just an issue of the goalposts moving; we haven’t even agreed on the sport yet.
That’s why Microsoft’s recent research effort with Project Sopris is so interesting to me. Microsoft laid out seven elements for a secure microcontroller used in connected devices. While chip companies, individual security providers and even software companies offer aspects of these things, Microsoft appears to be saying that you have to have all of these or your device isn’t going to be secure.
Larry Stefonic, CEO of WolfSSL, likes Microsoft’s approach. He agrees that the seven items will lead to more secure products, although he’s not certain if Microsoft can create a de facto standard for the fragmented industry.
But that is what Microsoft has done in the past. With Intel’s help, it took on the many variations of operating systems in personal computing and funneled them into Wintel dominance. One could view this as an OS that must sit on secure hardware.
Some kind of accepted framework or standard has to happen, says Hugo Fiennes, CEO of Electric Imp. His company makes hardware and cloud software that let companies build secure connected devices. Customers include Pitney Bowes and Eaton Corp.
He is frustrated by the current state of IoT security, not because it’s non-existent or poor, but because it’s horribly inefficient. His product has gone through penetration tests by more than five different firms (penetration testing is where a company tries to hack your product, there are plenty of penetration testing companies uk to choose from) and multiple different standards certifications.
Each client wants different things before it decides the Electric Imp platform is secure.
“Basically, we have to pass their arbitrary hurdles before passing some other arbitrary hurdles,” Fiennes says. For Electric Imp, that’s the price it has to pay to be what is effectively a security platform, but for other companies it’s expensive. One client may want to see UL certification while another may have its own testing protocols.
The lack of clarity around what makes a connected device secure has big impacts beyond adding a lot of extra tests for some nebulous certification. It also means that engineers building connected products don’t have a playbook to work from.
With IoT devices being so complex, the lack of some kind of standard checklist leads to security vulnerabilities.
Microsoft’s plan for hardware-based security is good, says Sami Nassar, the VP of Cybersecurity Solutions at NXP. However, if a software designer building on top of that secured hardware doesn’t design their OS correctly, the value of some of those secure elements is lost, he says.
“I see it a lot where the CEO says that we have all the security needed in there, but it really depends on what the engineer has been exposed to,” Nassar says. “They don’t know what they are facing.”
Yet, Nassar is optimistic that security for IoT devices is improving. Fiennes seemed a little more grounded, noting that good security is expensive, and for now the ones that will pay for it are industrial clients. Steps like Microsoft’s framework could help promote a more standardized approach to security by defining what security means in the context of a connected product.
Over the long term, this means the internet of things may be better off with both a set definition that covers the basics of security and a few platform companies that can deliver as much of that security as possible over the long term.