When you huddle around the coffee machine at work or flip on your smart kettle at home, do you consider the security of the Internet of Things (IoT) devices you are using?
If you’re like most, IoT security is probably the last thing on your mind. Today it is more and more likely that these caffeine dispensers are part of the IoT. But who is responsible for securing these devices? How could a breach threaten an organization or individual?
A New Frontier for Security
IoT security is becoming an important issue for consumers and enterprises as the volume of smart, connected devices increases. Security analysts have already seen cybercriminals exploit vulnerabilities in IoT devices ranging from coffee machines to car alarms.
Security leaders face many challenges related to IoT security. Discussions tend to focus on technologies, products and solutions. There are other important factors to consider, however, such as experience, knowledge sharing and business networks. IoT is not a new concept, but it is gathering more traction as the number of connected devices rises dramatically. Still, the risks related to these devices are not yet well understood.
Theses challenges are not at all unique. There is a lot to be learned, in fact, from existing security services and technologies, such as endpoint protection. As enterprises expand into the IoT domain, many will choose to adopt secure IoT platforms.
IoT Security in Numbers
The IoT Security Foundation (IoTSF) is a nonprofit organization dedicated to driving security excellence. The group includes over 65 member companies ranging from research institutes and universities to IoT startups and global corporations. IBM is one of those members, investing to infuse security knowledge and build a community around IoT security. IBM also participated in the development of an IoT security framework for industrial use as part of the Industrial Internet Consortium.
IoTSF members defined the scope and focus of working groups to shape the agenda and recommendations around IoT security. Industries and companies within the IoTSF actively collaborate to establish and uphold security principles. Membership and participation in the IoTSF enables organizations to become thought leaders in the IoT security space. It echoes values of openness, community, collaboration and standards to better serve enterprises adopting and developing IoT solutions.
Five Working Groups
IoTSF has an evolving agenda. The group is working on developing security strategies for consumer devices and solutions, which is the most valuable product segment in the IoT market. As such, the IoTSF defined five working groups built around that segment of IoT marketplace opportunities.
A recent plenary session focused on updating the five working groups and organizing the IoTSF Conference in December 2016. The five working groups are defined as follows, according to the IoTSF website:
- Self-Certification Scheme;
- Connected Consumer Products;
- Security Patching and Updating of Constrained Products;
- Framework for Disclosure; and
- IoT Security Landscape.
The working groups interlock to ensure that their missions are not carried out in silos. This also allows the teams to collaborate to reuse and interweave efforts. They strive to ensure that the strategies developed are useful, accessible and easy to adopt. Many of these artifacts are intended for public release ahead of the IoTSF Conference.
IoTSF Conference 2016
Following the success of last year’s conference, the main theme this year is convergence and holistic security. The IoTSF intends to promote the supply chain of trust and a duty of care for customers. In addition, the conference will highlight the fact that while information security is not new, the IoT is an uncharted frontier.
IoTSF held its inaugural conference on Dec. 1, 2015, at the Royal Society in London. Approximately 200 professionals gathered from across the globe, including representatives from government agencies, automotive manufacturers, defense contractors, buildings consultants, platform providers, IT services, telecommunication companies and venture capitalists. The conference offered case studies of cybercriminals compromising connected cars, wearables and medical devices. It examined the threats to companies and consumers, and asked participants to consider how to better defend against those threats.
Last year’s event included a presentation by one of IBM’s IoT security engineers. IoTSF is looking to build on the popularity of that event by incorporating the outputs of its working groups and offering tracks for both mid- and senior-level managers. There are also more technical details for practitioners.
As more devices come online, enterprises need to address the security implications. Consider what an IT professional could learn and share about IoT security by working with like-minded people.