IoT Alliance Australia releases security guideline for IoT development

IoT Alliance Australia has released its IoT security guideline as a first step towards building industry-wide security standards.
Written by Tas Bindi, Contributor

IoT Alliance Australia (IoTAA) has released its Internet of Things Security Guideline [PDF] in a bid to promote a "security by design" approach to IoT development in Australia. It is the first in a series of documents on IoT security and network resilience that IoTAA will be publishing in the coming months.

IoTAA believes the Internet of Things will contribute more than AU$120 billion to Australia's economy by 2025. However, according to the IoTAA, the proliferation of IoT means cybercriminals have more attack surfaces and personas that they can manipulate.

Growing reports of DDoS and data integrity attacks -- one of the most notorious examples being the Mirai botnet -- necessitates the development and deployment of industry-wide security and privacy standards, IoTAA said.

"IoT is everywhere, and we are already seeing the insecurity that it can bring. We really want the guideline to help industry players understand how to practically apply security and privacy for IoT devices," said Malcolm Shore, outgoing chair of the IoTAA Workstream on Cyber Security and Network Resilience.

The guideline stresses the importance of incorporating security into the core design of IoT solutions, but not just at the device end. The devices need to be supported by good end-to-end architecture, as the development environment for IoT spans many languages, operating systems, and networks, the IoTAA said.

There are also multiple parties surrounding a single IoT device such as the user, the manufacturer, the cloud vendor hosting the IT infrastructure, and third parties accessing the device via an API.

As such, understanding how IoT devices self-organise and share information is a necessary precursor to developing an appropriate trust framework, according to the guideline.

"For a route to be established, route information is transmitted from node to node (multi-hopping) until the desired destination is found. Throughout the route maintenance phase, nodes can add, delete, or needlessly delay the transmission of control information (selfish or misbehaving nodes). It is during route discovery or forwarding that malicious nodes can attack," the guideline states.

It also states that security needs to be considered in the context of how the device will be used, which means that different industries will require different approaches. Finding a universal solution applicable to all the routing attacks is also difficult, according to the guideline.

"Protocol designers must ensure protection from the known attacks, while minimising the impact on sensor and network performance," the guideline states. "There are five key issues to address: secure route establishment, automatic secure recovery and stabilisation, malicious node detection, lightweight or hardware-supported computations, and node location privacy."

Speaking with ZDNet, John MacLeod, Watson Internet of Things specialist at IBM, said that while engineers need to assume responsibility for the security of their devices, it's also important that security is kept in mind when writing applications that run inside IoT devices and gateways.

"There was an incident where somebody hacked into hundreds of thousands of security cameras around the world and conducted a big denial of service because the software that had been loaded into these security cameras was not secure enough and allowed itself to be replaced by malicious software," MacLeod said. "Connecting to a secure platform is an important aspect of security, but it's not in itself sufficient to guarantee the security of the device."

Arron Patterson, CTO APJ Commercial division at Dell EMC, explained to ZDNet previously that security is "difficult to bolt on afterwards".

"You really have to think about it at the beginning and make sure you're implementing policies and infrastructure that can respect those policies from the ground up," Patterson said.

"We've seen many many instances where datasets have been stolen or accessed and used. Once you've compromised someone's privacy and lost their trust, it's very difficult to get that back. These datasets are very valuable, there's a lot of intelligence that can be drawn from that around user behaviour and so forth, so it's well worth protecting.

"You really need to make sure that every time you collect a piece of information, you understand how you've collected it, what rights you have around it, what your consumer expects you to do with it."

The second version of the guideline will be released following consultation with the Communications Alliance and other stakeholders.

"A public consultation process will give a wider range of stakeholders the opportunity to review and add value to the document before publishing it as an industry guideline -- which can then be updated over time as new developments and potential risks become evident," said John Stanton, chair of the IoTAA Executive Council and Communications Alliance CEO.

At the Everything IoT Summit in October 2016, professor Jill Slay, director at the Australian Centre for Cyber Security at the University of New South Wales in Canberra, pointed to the importance of addressing the cybersecurity skills shortage before diverging further into a connected world, especially given the "exponential" rate at which cybercrime in Australia is growing.

Existing network security staff need to be upskilled, while a new generation of security professionals needs to be trained from the ground up, according to Slay.

"Just as we have a huge shortage of data scientists, we have an equivalent shortage of cybersecurity professionals, and even a greater shortage of those who deal with big data and cybersecurity," Slay said at the summit.

"Now we're at the stage where we're trying to train a new generation of people who might have equivalent vocational qualifications to understand what the Internet of Things looks like, what breaches to the Internet of Things look like, and how in their everyday jobs they can deal with it. But as soon as we do that, we're going to have a whole generation of hackers who do that too."

In September, the Office of the Australian Information Commissioner (OAIC) found that 71 percent of IoT devices and services used by Australians failed to adequately explain how personal information was collected, used, and disclosed.

OAIC conducted the review from April 11-15 this year, in unison with fellow international regulators through the Global Privacy Enforcement Network (GPEN), which comprises 25 participating data protection authorities.

When it comes to the collection, use, and disclosure of data, the OAIC also revealed in its sweep that 27 percent of businesses did not indicate whether personal information would be shared with third parties.

The OAIC found that some organisations did not make it clear what information would be collected, reporting that it was unclear whether a username, address, phone number, date of birth, phone, or browsing history was stored by over a third of the businesses whose privacy communications were looked into.

Overall, the global sweep found that about 72 percent of businesses did not clearly explain how a user could delete their personal data from the device or app, with 38 percent of devices also failing to provide easily identifiable contact details that customers could use if they had privacy concerns.

Editorial standards