Every day some new product is introduced to the Internet of Things (IoT), adding to an already broad and uneven range of choices. Many are limited in interoperability and are well known to be inexpensive; otherwise they would be too expensive to deploy in large numbers. Their security capabilities are also all over the map.
IoT Device Categories
The first class is composed of sensors/transducers that don’t communicate with the server but connect to an edge processor (gateway). These IoT devices are portable and battery-operated, so they rely on low-power wireless technologies such as Zigbee, NFC, Bluetooth, and RFID. They produce smaller data volumes and are the less expensive devices, which probably have less security embedded.
The second class communicates directly with servers for data storage. These devices employ more powerful processors and probably don’t run on batteries. They can support multiple sensor devices as well as edge-processor functions, with communication ports such as digital subscriber line (DSL), fiber-to-the-home (FTTH), Wi-Fi, etc. IoT devices also subdivide into consumer and industrial categories, and some consumer devices will likely find their way into industrial applications.
IoT Security
IoT security has been fragmented in approach and varies wildly in implementation, which makes it difficult to deploy IoT devices and networks that are all equally secure. Try managing the ever-expanding catalog of solutions and vendors with security in mind: do all of the vendors deliver equally secure devices and edge processors? This raises the question of whether we can produce enforceable standards and device certifications for security.
Enhancing device-level security is critical. Enterprises will also rely on a mix of vendor technologies, including network taps, threat feeds, anomaly detection, security information and event management (SIEM), artificial intelligence (AI), and machine learning (ML). The goal of this enhancement is an interoperable infrastructure that can work with a variety of tools and vendors.
ioXt Alliance Enters the Picture
For background, the ioXt Alliance is a group of manufacturers, industry experts, and government organizations that make IoT security top priority. Its mission is to “build confidence in IoT products through multi-stakeholder, international, harmonized, and standardized security and privacy requirements, product compliance programs, and public transparency of those requirements and programs.”
More than 120 organizations helped create a program that they would follow to deliver secure IoT devices. The program includes eight security principles, each with rating levels. Guidelines quantify the need for security (on a scale of one to four) and the appropriate security level for the channel or use of the product.
The eight principles are:
- No universal passwords should be deployed
- Secured interfaces should be delivered
- Employ proven cryptography
- Security should be by design and the default
- Only signed software updates are used
- The software updates should be automatically deployed, not on demand
- A vulnerability reporting program is created and continuously updated
- Devices and software should be labeled with a security expiration date
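Two of these principles, signed-only software updates and a security expiration date, can be enforced in the device's update path. The following is an added example (not ioXt's or any vendor's code): a hypothetical vendor signs the image digest together with its version and expiry using Ed25519, and the device refuses unsigned, altered, rolled-back or expired updates before installing them. The package layout, field names and constructed firmware bytes are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed signed firmware package: the vendor signs
// version || expiry (unix seconds) || SHA-256(image), so metadata cannot be swapped.
type Update struct {
	Version, Expiry uint64
	Image, Sig      []byte
}

func payload(version, expiry uint64, image []byte) []byte {
	buf := make([]byte, 16, 16+sha256.Size)
	binary.BigEndian.PutUint64(buf[:8], version)
	binary.BigEndian.PutUint64(buf[8:], expiry)
	d := sha256.Sum256(image)
	return append(buf, d[:]...)
}

// SignUpdate is the vendor-side step (hypothetical build tooling, not ioXt's).
func SignUpdate(priv ed25519.PrivateKey, version, expiry uint64, image []byte) Update {
	return Update{version, expiry, image, ed25519.Sign(priv, payload(version, expiry, image))}
}

// VerifyUpdate is the device-side gate: unsigned or tampered images, rollbacks and
// updates past their security expiration date are refused before installation.
func VerifyUpdate(pub ed25519.PublicKey, installed, now uint64, u Update) error {
	if !ed25519.Verify(pub, payload(u.Version, u.Expiry, u.Image), u.Sig) {
		return errors.New("signature invalid: image or metadata altered, or wrong key")
	}
	if u.Version <= installed {
		return fmt.Errorf("rollback refused: version %d <= installed %d", u.Version, installed)
	}
	if now > u.Expiry {
		return errors.New("update is past its security expiration date")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := SignUpdate(priv, 2, 1_900_000_000, []byte("constructed firmware image v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, 1_700_000_000, u))
}
```

The vendor's public key would be pinned in the device's trusted storage, and the "installed" version persisted in anti-rollback storage, for this gate to hold in practice.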
ioXt Device/Software Certification
IoT device manufacturers can obtain formal ioXt certification of their products by applying the eight principles through one of two forms of the ioXt Certification Program. The program measures a device against each of the eight principles, with guidelines that quantify the level of security required for a specific device. When a device is approved, the ioXt Certification Mark (below) signals to end users, retailers, and ecosystem partners that the device has met the program's security requirements.
Here are two ways to get certified:
ioXt Self-Certification
In the first method, the manufacturer enters device information directly into the ioXt certification portal, which measures the device’s security against the ioXt standards; independent researchers then validate the submission.
ioXt Authorized Lab Certification
Manufacturers that want more rigorous testing, validated by a third-party expert, can have an ioXt authorized lab perform the test plan and certify the results.
Is this Enough?
Not all security experts believe that the ioXt certification effort is sufficient. Creating the specifications and frameworks can deliver a good grasp of IoT security, but it is enforcement that will make the effort successful. The ioXt standards will help manufacturers and deploying organizations “check the certification box,” according to ioXt Alliance. The standards and certification label will be meaningless unless manufacturers are also held accountable when security proves insufficient after the devices are deployed. The certification tactic is only as good as the liabilities the manufacturers will accept. Read the fine print before you deploy certified products.