Security standards for the Internet of Things are in their infancy. But do they work and how can companies in the business of making connected stuff make the best use of them? A UL-sponsored panel discussion at our June 19th Forum will tackle this very issue.
There has been a lot of ink spilled about the need and the possible benefits of Internet of Things standards in areas like security and privacy. To what end?
Well, there’s been some progress. Cyber security standards already exist from a number of organizations and address issues such as data security, incident management and identity management, software assurance and supply chain risk. That’s both good and bad. By one count (NTIA’s) there are scores of different and in some cases competing IoT security standards.
Despite their proliferation, adoption of those standards has been slow across the many industries that have embraced the Internet of Things, including manufacturing, healthcare and critical infrastructure, a recent report by NIST found. Furthermore, in areas such as network security or IT system security evaluation, standards are sorely needed but haven’t yet been developed, NIST found.
The big question looming for industry, the public sector and policy makers is this: can standards help with a problem as amorphous as securing the Internet of Things? That’s the topic of a great discussion we have coming up at our June 19 Security of Things Forum in Boston, “Missing in action: IoT standards.” Sponsored by our friends at UL, the panel will bring together experts from UL, Johnson Controls and the Cloud Security Alliance to talk about how security standards work in practice. What advantages do they offer for companies that are considering leveraging a standard, and what pitfalls do they introduce? Which standards are suitable for which kinds of IoT implementations?
“The challenge is that the standards are not that atomic,” notes Rob Black of FractionalCISO, who is moderating the discussion. In a recent conversation on The Security Ledger podcast, Black listed some of the limitations of existing standards. The OTA Internet of Things security standard, for example, lumps a wide range of criteria into one requirement, including unit testing, regression testing and threat modeling of the connected device, along with management of third-party libraries and source code. “How do you measure compliance with that?” Black asked. “Say you do 8 out of the 10 – have you satisfied the requirement?”
In other areas, the standards lack precise language, which is likely to stymie would-be adopters. “One of my favorites is that ‘developing secure software requires thinking about security,’” Black notes. “If you brought an auditor in to measure that, how would you assess ‘thinking about security’?” he asked.
Standards like NIST 800-171 do a good job of being achievable and measurable, Black said, but aren’t applicable to every use case. Organizations like UL have tremendous credibility assessing quality, safety and security in both consumer and commercial products – but what will it take to encourage smaller, start-up firms to submit their products for certification to an organization like UL?
“The challenge is that if you’re a product manufacturer, how do you use these standards?” Black told me.
Our panel on the 19th, sponsored by UL, will take a deep dive on one organization that has walked the walk: Johnson Controls, which was the first company to receive UL’s highest-rated security certification for a connected product (a network video recorder, as it turns out). Rob will be joined on stage by Ken Modeste, the Director of Connected Technologies at UL, and by William Brown, a Senior Engineering Manager for Cyber Protection at Tyco Security, which helped design and then implement the standards. Joining them will be Brian Russell of the Cloud Security Alliance.
If you’re in the business of designing connected products, this panel is a ‘must see,’ so register now for the Security of Things Forum if you haven’t yet! We look forward to seeing you at the show!