IoT security finally gets much-needed attention
As the saying goes, a chain is only as strong as its weakest link. Internet of Things (IoT) technology, for all the amazing potential the industry claims for it, is not exempt from drawbacks. Industry leaders have finally realised that if security is the one crucial roadblock that could bring IoT progress to a total halt, they might as well deal with the problem now.
After plenty of talk, a wave of real action aimed at solving the IoT security problems is on the rise.
At least twice a week someone pings me with an idea for a guest article on how engineers must solve security problems if the Internet of Things is going to reach its potential. After plenty of talk on the topic, a wave of real action is on the rise.
The Intel-led Open Interconnect Consortium, which is defining a high-level IoT software stack, recently called for engineers to join its work on security. I know its rival, the Thread Group, is engaged in similar work. The IEEE is taking a different tack, organising an effort in which policy makers join engineers.
Stanford University recently wrapped up a seminar on the topic. Another good reference is this list of the ten top attack sites for IoT.
Imagination Technologies recently announced it is developing its own approach, called OmniShield, based on TCG concepts. It plans to offer new features such as support for multiple secure domains, but its APIs probably won't be ready until sometime next year.
Just yesterday, I got a note about the new Securing Smart Cities not-for-profit initiative. Security researchers at IOActive, Kaspersky Lab, Bastille and the Cloud Security Alliance created the effort to share information about cybersecurity challenges.
In the engineering toolbox, veteran embedded-systems consultant Larry Mittag recently noted that Ubuntu's Linux distribution for IoT, Snappy, has enforced application isolation as part of its built-in security. Separately, Max Maxfield reported on security tools for SoC and FPGA designers from Tortuga Logic and noted several IoT security sessions at the upcoming Embedded Systems Conference in Silicon Valley, which he is organising.
The Global Semiconductor Alliance recently released a report on IoT that called out security issues, as noted in a story by my colleague Junko Yoshida. And today, IBM released the annual report from the Ponemon Institute on the state of Internet security generally.
The Ponemon study of 350 global companies across all industries said the average total cost of a data breach increased 23 per cent over two years to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased six per cent to $154. However, the cost in healthcare companies was as high as $363.
The higher costs of breaches may be due in part to wider use of forensic tools, the study said. But it also made it clear there's plenty of room for better tools. The study estimated a mean time to identify a data breach at 206 days with a range of 20-582 days. The mean time to contain one was 69 days with a range of 7-175 days.
As big as these data breaches in the headlines are, they may be just the tip of the iceberg for a society moving into a world of networked things. The good news is work on the standards and tools is clearly underway, and the efforts have plenty of headroom.
- Rick Merritt