Australian IoT tick is to certify a device can be secure, not that it is: IoTAA

Since there is no such thing as an always-secure device, the Internet of Things Alliance Australia has said a certification tick will ensure a device can be secure if used in recommended ways.

The Internet of Things Alliance Australia (IoTAA) is in the midst of designing a security framework for Australia's IoT ecosystem that will certify products used in endorsed ways.

"The biggest piece of work we are currently doing in the IoT Alliance is actually designing a security framework for IoT and we now have the support of Prime Minister's Industry 4.0 Taskforce ... to create a certification process for devices, networks, and all suppliers in the IoT ecosystem -- which is tough," IoTAA principal consultant Geof Heydon said at the Hitachi Vantara conference on Wednesday.

"[With] the idea of having a tick mark on everything that says, 'This can be operated in a secure way if used the way it is recommended', which is a lot different to saying, 'This is a secure device', because there is no such thing."

Heydon said even getting default usernames and passwords changed would make a significant impact.

An April threat report found almost 37 percent of all passwords used in IoT were set to "admin", and another 16 percent to "root".

"There are so many devices with poor security of default credentials; it just makes it so easy to launch massive scanning efforts and automatically add vulnerable devices to your botnet and use that as DDoS service for hire," Symantec researcher Dick O'Brien told ZDNet at the time.

"You can't have hard-coded credentials in devices like that; you need to be able to make it apparent that the end user has to change the password on it. Hopefully greater awareness is going to seep into the market in the coming year."

Heydon also said many businesses are currently balancing risk and benefits with IoT, and drew an analogy with a pitch to an embryonic car industry a century ago.

"We've got this great business model, everyone is going to have one, but two or three people are going to die each day, but the benefits will outweigh that, so don't worry," he said.

"We are facing that today. Every business is analysing that sort of risk and reward all the time."

Brad Surak, chief product and strategy officer at Hitachi Vantara, said enterprises need to be thoughtful about IoT and the data it creates, and the lack of proper data governance early on for the internet should serve as a warning.

"All personal data now is in the hands of all kinds of hackers because the governance around it lagged the innovation on the technology, and we ran headlong into implementing the technology because we could, and then once the problems occurred, we go back and try to fix it," he said.

"And I think while governments have the opportunity to get out ahead of [IoT], they're probably not going to. They're starting to, but they're going to be slower than the progression of the technology."

Surak also said he thought the IoT category was being overhyped.

"I've been working in IoT for the last 10 years, when I thought it was the new thing when SAP got into it. Then I went to GE and found out it was actually the old thing and it had been around for 40 years, just that it had been rebranded," he said.

"My view is we've overhyped the category -- we being the software vendors in general have overhyped the category. It's much like the cloud was in the early days -- everyone knows they need to go there, and everyone's not exactly sure what they need to do to get there."

According to Surak, IoT is an evolution, much like the cloud before it.

"At the end it has to be anchored in outcomes, and business model transformation. That's the key piece that is oftentimes hard to connect to people who geek out on the technology and hear all these use cases about connected devices and this kind of cool stuff," he said.

For Heydon though, economics will see cheaper and cheaper devices and things connected to the internet.

"Many people in the industrial world see IoT starting with people like GE taking jet engines and putting sensors all over the engines. The interesting part about that is its sensors and what [was] being sensed 20-30 years ago were very expensive, and so there were a lot of learnings from the industrial perspective when those devices were very expensive, and what was being sensed was very important," he said.

"But what's happened is we've been on this absolutely relentless journey of making the communication components less expensive, the sensor electronics less expensive, the data analytics and computing required less expensive, and the only thing that is pushing it the other way is security.

"The net effect is that as we project further forward into the future, we can sense more and more low-cost things."

While present-day use cases see sensors costing a handful of dollars used on devices worth a couple of hundred dollars, sensors will be reduced to items costing only a few dollars, then only a few cents, Heydon said.

"It's not unreasonable to think a piece of paper, if we ever still have it for any reason, will have a sensor in it. Certainly anything that is only a couple of dollars will have a sensor in it because it is so easy to do, over time," he said.

"That is a relentless journey."

Earlier this year, IoTAA released its security guideline for IoT development.

The guideline stresses the importance of incorporating security into the core design of IoT solutions, but not just at the device end. The devices need to be supported by good end-to-end architecture, as the development environment for IoT spans many languages, operating systems, and networks, the IoTAA said.

A second version of the guideline was released this month.

Last week, the not-for-profit body released a data best practice guide for B2C providers.

It recommends IoT providers ensure ecosystem partners -- which may include telcos and cloud platform providers -- adopt appropriate security processes and practices, such as: take "appropriate measures" to protect personal and private customer data from attack during storage and transmission; provide regular security updates; deploy new software and hardware relating to authentication, identification, and data access controls; ensure ongoing compliance with regulatory, product, and service security certification requirements; and develop strategies to limit reasonably anticipated loss or damage when data breaches or data corruption have occurred.

IoTAA has previously called for a trust framework for data sharing to help with the creation of smart cities.