A Standard Response to IoT’s Security Challenges

Technical standards are essential to securing billions of connected devices

Steve Van Till, Brivo Inc.

The Internet of Things (IoT) is causing an explosion in the number of connected devices. Many of these will be deployed on networks that are also a part of the security fabric of our facilities, our infrastructure, and – literally – our way of life. While they promise to make many positive contributions to our society and our personal experiences, they also open numerous new attack surfaces for cybercrime, identity theft, invasions of privacy, and even terrorism.

This threat has recently been dubbed a “denial of safety” attack, and it is expected to spread as facilities are increasingly equipped with IoT-like devices for both security and building automation. Accordingly, many in the technology community openly wonder whether this Pandora’s Box can ever be closed. If it can, it will almost certainly require the adoption of standards that will help to contain the morass of special cases and one-off device profiles that are so burdensome and unsecure today. Without standards, it will only become worse, eventually giving way to the dystopian future of Ubisoft’s Watch Dogs video game, in which an antihero can hack into physical infrastructure to “obtain and control information or destroy such devices completely.”

Financial Drivers

The financial drivers behind IoT are large enough that the security industry cannot hope to escape its influence on the practice of protection. The economic impact of IoT between now and 2025 is estimated to be in the tens of trillions of dollars, according to forecasters as diverse as GE, Cisco, McKinsey and Gartner. That is a huge number, bigger than the impact of many of the recent technology trends that have already changed our lives dramatically.

The sheer number of devices that will be added to the Internet is equally staggering: According to recent findings, that number was already at 3 billion as 2015 closed, and it will surge to more than 20 billion by 2019.

Connecting with all of these devices will be another 8 billion or so remote devices such as smartphones, tablets, watches, and even good old PCs, creating a “many to many” security problem of unprecedented magnitude.


Against this backdrop, there is a growing sense in the industry that IoT will play a significant role in physical security. The most obvious example is IoT in home automation, which usually leads to a “peace of mind” security message. These systems feature an expanding set of inexpensive wireless sensors and communications devices that are simpler and easier to install with each new generation of the technology. Even better, they interact effortlessly with all of our connected devices, from smartphones to wearables, so that we really do not have to think about having the right device with us in order to benefit from their services.

It is less obvious – at least for now – how these or similar systems will cross over into commercial security, but the numbers say they will. According to Business Intelligence, out of the billions of IoT devices that will be connected to the Internet between now and 2019, only a surprisingly small 25 percent of that total will be installed in homes. That leaves three-fourths of them to be installed in enterprise (39 percent) and government or infrastructure (36 percent) settings. Many of these devices will be in service of physical security, broadly defined, including building automation, energy management, and presence monitoring, as well as traditional access control, surveillance, and alarm applications.

In fact, it is not difficult to argue that the electronic security industry has been using IoT since well before the term was coined and the current hype cycle catapulted the topic into daily fodder for both the professional and consumer media.

The largest contribution that IoT will make to security is in the proliferation of sensors that add to the data available for decision-making. It is likely that some of this data will be generated by devices that were not originally deployed as part of the security enterprise. Many of them will have been installed or deployed by people outside the security practice. The challenge for security practitioners will be to accept and even encourage the growth of these technologies, while harnessing the data and protecting both physical and network infrastructures.

How Do Standards Fit into this World?

First, we need to accept the premise that, in the absence of standards, nothing can be secured, except one device at a time. That is neither scalable nor practical, and it would leave every network unmanageable at best and defenseless at worst. Standards have many benefits beyond basic interoperability. One of the most important is making devices conform to certain technical and behavioral patterns so that they can be treated as a class, not as individual instances. This is at the core of making them securable in any mass deployment.

Second, we need to recognize that there will not be just one standard for IoT devices. It would not be reasonable or practical to expect that all IoT devices could use a single standard, except at the most rudimentary levels (e.g., IPv6 addressing). IoT device capabilities and purposes are so widely divergent that there will need to be many standards to fit varying circumstances. They cannot just be shoe-horned into the same mold. A light bulb, a toothbrush, and a security camera or sensor have very little in common, except that all may now be classified as IoT devices.

Third, we need to accept that the relevant standards for IoT devices – and even many security devices that fit within the IoT paradigm – will most likely be developed outside the security industry. On the one hand, this phenomenon is nothing new. The entire shift to IP represents a migration to a standard that came from outside the industry, specifically, the Internet Engineering Task Force (IETF). Similarly, the major video standards in every modern surveillance system originated from within the larger context of the Moving Picture Experts Group (MPEG). On the other hand, the cyber risks presented by this new generation of connected devices have the potential to undermine the core mission of security if they are not properly managed. This observation has given rise to the point of view that “all security is now cybersecurity.”

What Are Our Options?

The IoT landscape currently has a number of standards organizations and consortia vying for dominance. They each have their own distinct mission and, to some extent, have different target domains that they are aiming to standardize. The list that follows is not intended to be complete, but, rather, to present a sample of the most prominent (and promising) standards as of this writing.

Open Interconnect Consortium

The Open Interconnect Consortium (OIC) was formed by Intel with the goal of connecting “the next 25 billion devices for the Internet of Things.” The members of OIC are more than 50 of the biggest names in technology and consumer electronics. Its technical goal is to provide secure and reliable device discovery and connectivity across multiple OSs and platforms. OIC aims to deliver this by providing a “comprehensive communications framework to enable emerging applications in all key vertical markets.” Their “IoTivity” project is an open source framework that provides tools to developers to help realize this vision.

All of OIC’s specifications are online, with security being a central component of the model. The specifications in this area deal with trusted onboarding of devices, cryptography, protection of resources at rest and in transit, access control mechanisms, and device hardening.

All in all, OIC has produced a highly relevant set of standards for devices deployed in a physical security setting.

Google Weave

According to the Google Weave developer site, “Weave is a communications platform for IoT devices that enables device setup, phone-to-device-to-cloud communication, and user interaction from mobile devices and the web.” The goal of the framework is to provide a common language that all devices in an ecosystem can understand. In the case of access control applications, for example, a door lock can have defined states or actions such as “lock” or “unlock” which can be issued by a variety of other devices, such as smartphones, or remotely via the Weave cloud.

Weave stands out among other contenders for IoT standards by virtue of having built-in security features, such as verified boot, data encryption, and the availability of automated security patches. Weave also has a robust set of methods for controlling what types of access permissions various devices and users have, an essential aspect of managing large numbers of devices in an enterprise setting.

The Weave project also includes the Brillo OS, a stripped-down Android-based platform that is designed to run on the much smaller processor and memory footprints used by IoT devices. Assuming that this platform fits with a company’s development roadmap, it offers a significant bootstrapping opportunity for getting new IoT devices into production. Weave is also said to include libraries for other operating systems, so that the protocol and related discovery and security features can be available across heterogeneous environments.

Often confused with Nest Weave, Google Weave is intended to support connected devices broadly across the IoT space, not just in home automation applications. In this sense, it appears to be a more “industrial” set of standards that may be a better fit for security applications.

Allseen Alliance

The Allseen Alliance is a multi-industry consortium dedicated to enabling the interoperability of the billions of devices, services, and apps that compose the Internet of Things. Its goal is to foster adoption of the AllJoyn protocol, which was originally created by Qualcomm and subsequently transferred to the Linux Foundation for ongoing maintenance and promotion. Primarily focused on WiFi applications, the protocol enables communications between peer devices, as in a home automation network. With more than 200 members, it is seen as a strong contender for standards success, and it saw its first significant crop of new products at this year’s Consumer Electronics Show, including light bulbs, security cameras, audio systems, and environmental systems.

Like the OIC, Allseen is pursuing an open source model for “implementing common services and interfaces that solve a specific use case, such as onboarding a new device for the first time, sending notifications, and controlling a device.” AllJoyn describes its security framework as “flexible and capable of supporting many mechanisms and trust models.” However, it also says that, “AllJoyn security occurs at the application level; there is no trust at the device level.” For an industry, like physical security, that is seeking standards that have trust and security as built-in features, this sounds a bit too open-ended to be very helpful. Leaving security to the application layer may work well enough for products that have mostly “siloed” work flows, but not for a heterogeneous collection of cooperating security and building automation devices.

Thread Group

Backed by the popular IoT device maker Nest, the approximately 100-member Thread Group ambitiously describes its one and only goal as, “to create the very best way to connect and control products in the home.” As with the other IoT standards organizations, wireless communications between devices and to the cloud are major focal points of the initiative. Thread’s use of a mesh communications network makes it a natural for home automation applications, but it could serve equally well in larger facilities, depending on distance and construction techniques.

Information security is one of the cornerstone services of the framework, which features “a smartphone-era authentication scheme and AES encryption to close security holes that exist in other wireless protocols.” It intends to keep the user experience simple and familiar by using passphrases, yet providing a high level of security. How well this model extends to larger enterprise networks remains to be seen.

IEEE

The venerable IEEE has made an all-out effort to demonstrate its relevance to the IoT world and not lose out to newer standards organizations that could eclipse its central role in much of the standards-setting that has taken place in the electronics industry over the past 50 years. To that end, IEEE has launched project P2413, “Standard for an Architectural Framework for the Internet of Things” and created a new website landing area for all things IoT (iot.ieee.org).

With its hundreds of thousands of degreed engineers as individual members, IEEE has high visibility across every technology sector and is able to influence large numbers of new projects.

IEEE has also gone back through its existing body of standards and reclassified many of them (e.g., Ethernet) as “Internet of Things Related Standards” – helpful, at the nuts and bolts level, but not breaking new ground. It is also far less persuasive in many instances than the open source approach to standards that is used by the newer organizations in this space. Prescriptive specifications will always be needed, but open source code moves standards into real projects much more quickly.

One of the unique contributions IEEE has made will serve the interests of those who are still seeking a definition of IoT. The question is addressed – at length – in the May 2015 “Toward a Definition of the Internet of Things.”

With respect to security, there is not much here that is immediately actionable, but it may turn out that IEEE’s larger architectural project will have a longer-lasting impact on how we think of the IoT ecosystem as a whole.

The Rest of the Field

Without meaning to do a disservice to any organization active in this area, there are too many consortia and other industry groups to cover in anything less than a full-length book. Further complicating matters, new organizations come into existence almost monthly, and, unfortunately, disappear at nearly the same rate.

Some of these organizations are focused on very specific problems, such as data transport. The OASIS IoT group, for example, has been working on the telemetry transport protocols AMQP (Advanced Message Queuing Protocol) and MQTT (Message Queuing Telemetry Transport). While these protocols do not attempt or pretend to address the overall cybersecurity problem, they may find their way into security device applications and would, therefore, need to be secured within the larger context of systems integration or network security.

The IETF is also very relevant to the ongoing development of IoT standards, as with the “IPv6 over Low Power WPAN” standard that is being implemented to extend IP networking to very low-power devices. Again, securing a network using this protocol presents many of the same challenges as securing the IP networks in use today, and the standard does not speak to the layer of the problem.

The SIA Cloud, Mobility and IoT Subcommittee

The SIA Standards Committee formed the Cloud, Mobility and IoT Subcommittee to examine cybersecurity and many other issues related to the adoption of IoT in the physical security sector. The purpose of the group is to develop, discover, influence, and provide education around standards relevant to the challenges of combining these three technologies in security applications. The rationale for doing so includes the following principles:

  • IoT devices will produce data that is useful to the physical security mission.
  • Security systems can harvest this value only if the industry knows how to build secure IoT deployments that interoperate with security management tools.
  • IoT devices will use communications standards originating outside the security industry; namely, from IoT vendors, consortia and large Silicon Valley players.
  • IoT can enhance physical security, but only if cybersecurity risks are properly mitigated.

The SIA Standards Committee has an advisory and educational role in addition to its standards-making role. Therefore, given the significance of IoT and its dependence on technical standards, the group will continue to drive answers to the question of standards for IoT in security.

Where to from Here?

At this writing, there is nothing close to a set of broad answers for how IoT can be secured, although it remains clear that technical standards are a foundational part of the equation.

The IoT and technology community at large are wrestling with the same cybersecurity issues that confront the electronic security industry today.

What is clear is that we will not solve this problem within the security industry alone, and that some set of IoT standards will provide the basis for enough uniformity that we are not playing an impossible game of Whac-A-Mole.


Steve Van Till (steve.vantill@brivo.com) is president and CEO of Brivo Inc. (www.brivo.com). He serves as chairman of the SIA Standards Committee.