When you huddle around the coffee machine at work or flip on your smart kettle at home, do you consider the security of the Internet of Things (IoT) devices you are using?

If you’re like most, IoT security is probably the last thing on your mind. Today it is more and more likely that these caffeine dispensers are part of the IoT. But who is responsible for securing these devices? How could a breach threaten an organization or individual?

A New Frontier for Security

IoT security is becoming an important issue for consumers and enterprises as the volume of smart, connected devices increases. Security analysts have already seen cybercriminals exploit vulnerabilities in IoT devices ranging from coffee machines to car alarms.

Security leaders face many challenges related to IoT security. Discussions tend to focus on technologies, products and solutions. There are other important factors to consider, however, such as experience, knowledge sharing and business networks. IoT is not a new concept, but it is gathering more traction as the number of connected devices rises dramatically. Still, the risks related to these devices are not yet well understood.

These challenges are not at all unique. There is a lot to be learned, in fact, from existing security services and technologies, such as endpoint protection. As enterprises expand into the IoT domain, many will choose to adopt secure IoT platforms.

IoT Security in Numbers

The IoT Security Foundation (IoTSF) is a nonprofit organization dedicated to driving security excellence. The group includes over 65 member companies ranging from research institutes and universities to IoT startups and global corporations. IBM is one of those members, investing to infuse security knowledge and build a community around IoT security. IBM also participated in the development of an IoT security framework for industrial use as part of the Industrial Internet Consortium.

IoTSF members defined the scope and focus of working groups to shape the agenda and recommendations around IoT security. Industries and companies within the IoTSF actively collaborate to establish and uphold security principles. Membership and participation in the IoTSF enables organizations to become thought leaders in the IoT security space. It echoes values of openness, community, collaboration and standards to better serve enterprises adopting and developing IoT solutions.

Five Working Groups

IoTSF has an evolving agenda. The group is working on developing security strategies for consumer devices and solutions, which is the most valuable product segment in the IoT market. As such, the IoTSF defined five working groups built around that segment of IoT marketplace opportunities.

A recent plenary session focused on updating the five working groups and organizing the IoTSF Conference in December 2016. The five working groups are defined as follows, according to the IoTSF website:

  1. Self-Certification Scheme;
  2. Connected Consumer Products;
  3. Security Patching and Updating of Constrained Products;
  4. Framework for Disclosure; and
  5. IoT Security Landscape.

The working groups interlock to ensure that their missions are not carried out in silos. This also allows the teams to collaborate to reuse and interweave efforts. They strive to ensure that the strategies developed are useful, accessible and easy to adopt. Many of these artifacts are intended for public release ahead of the IoTSF Conference.

IoTSF Conference 2016

Following the success of last year’s conference, the main theme this year is convergence and holistic security. The IoTSF intends to promote the supply chain of trust and a duty of care for customers. In addition, the conference will highlight the fact that while information security is not new, the IoT is an uncharted frontier.

IoTSF held its inaugural conference on Dec. 1, 2015, at the Royal Society in London. Approximately 200 professionals gathered from across the globe, including representatives from government agencies, automotive manufacturers, defense contractors, buildings consultants, platform providers, IT services, telecommunication companies and venture capitalists. The conference offered case studies of cybercriminals compromising connected cars, wearables and medical devices. It examined the threats to companies and consumers, and asked participants to consider how to better defend against those threats.

Last year’s event included a presentation by one of IBM’s IoT security engineers. IoTSF is looking to build on the popularity of that event by incorporating the outputs of its working groups and offering tracks for both mid- and senior-level managers. There are also more technical details for practitioners.

As more devices come online, enterprises need to address the security implications. Consider what an IT professional could learn and share about IoT security by working with like-minded people.
