When you huddle around the coffee machine at work or flip on your smart kettle at home, do you consider the security of the Internet of Things (IoT) devices you are using?

If you’re like most, IoT security is probably the last thing on your mind. Today it is more and more likely that these caffeine dispensers are part of the IoT. But who is responsible for securing these devices? How could a breach threaten an organization or individual?

A New Frontier for Security

IoT security is becoming an important issue for consumers and enterprises as the volume of smart, connected devices increases. Security analysts have already seen cybercriminals exploit vulnerabilities in IoT devices ranging from coffee machines to car alarms.

Security leaders face many challenges related to IoT security. Discussions tend to focus on technologies, products and solutions. There are other important factors to consider, however, such as experience, knowledge sharing and business networks. IoT is not a new concept, but it is gathering more traction as the number of connected devices rises dramatically. Still, the risks related to these devices are not yet well understood.

These challenges are not at all unique. There is a lot to be learned, in fact, from existing security services and technologies, such as endpoint protection. As enterprises expand into the IoT domain, many will choose to adopt secure IoT platforms.

IoT Security in Numbers

The IoT Security Foundation (IoTSF) is a nonprofit organization dedicated to driving security excellence. The group includes over 65 member companies ranging from research institutes and universities to IoT startups and global corporations. IBM is one of those members, investing to infuse security knowledge and build a community around IoT security. IBM also participated in the development of an IoT security framework for industrial use as part of the Industrial Internet Consortium.

IoTSF members defined the scope and focus of working groups to shape the agenda and recommendations around IoT security. Industries and companies within the IoTSF actively collaborate to establish and uphold security principles. Membership and participation in the IoTSF enables organizations to become thought leaders in the IoT security space. It echoes values of openness, community, collaboration and standards to better serve enterprises adopting and developing IoT solutions.

Five Working Groups

IoTSF has an evolving agenda. The group is working on developing security strategies for consumer devices and solutions, which is the most valuable product segment in the IoT market. As such, the IoTSF defined five working groups built around that segment of IoT marketplace opportunities.

A recent plenary session focused on updating the five working groups and organizing the IoTSF Conference in December 2016. The five working groups are defined as follows, according to the IoTSF website:

  1. Self-Certification Scheme;
  2. Connected Consumer Products;
  3. Security Patching and Updating of Constrained Products;
  4. Framework for Disclosure; and
  5. IoT Security Landscape.

The working groups interlock to ensure that their missions are not carried out in silos. This also allows the teams to collaborate to reuse and interweave efforts. They strive to ensure that the strategies developed are useful, accessible and easy to adopt. Many of these artifacts are intended for public release ahead of the IoTSF Conference.

IoTSF Conference 2016

Following the success of last year’s conference, the main theme this year is convergence and holistic security. The IoTSF intends to promote the supply chain of trust and a duty of care for customers. In addition, the conference will highlight the fact that while information security is not new, the IoT is an uncharted frontier.

IoTSF held its inaugural conference on Dec. 1, 2015, at the Royal Society in London. Approximately 200 professionals gathered from across the globe, including representatives from government agencies, automotive manufacturers, defense contractors, buildings consultants, platform providers, IT services, telecommunication companies and venture capitalists. The conference offered case studies of cybercriminals compromising connected cars, wearables and medical devices. It examined the threats to companies and consumers, and asked participants to consider how to better defend against those threats.

Last year’s event included a presentation by one of IBM’s IoT security engineers. IoTSF is looking to build on the popularity of that event by incorporating the outputs of its working groups and offering tracks for both mid- and senior-level managers. There are also more technical details for practitioners.

As more devices come online, enterprises need to address the security implications. Consider what an IT professional could learn and share about IoT security by working with like-minded people.
