The future of IoT: Taming security's wild west

TechSec 2017 panel discusses regulation and standardization in the Internet of Things
Wednesday, March 29, 2017

DELRAY BEACH, Fla.—A lot is being done when it comes to ensuring that IoT devices are cybersecure, integrated and valuable to end users. Five panelists at a TechSec Solutions session explored exactly what the industry is doing to rein in the technology.

Paul Ragusa, editor of Security Systems News and the panel’s moderator, asked each of the panelists to say what the term IoT means to them.

“The Internet of Things is a broad [term],” Dorrier Coleman, co-founder and CTO of TEQ Charging, said. “The Internet of Things is any embedded device that wants to talk to something else, and that’s going to become so broad that it’ll almost be meaningless.”

For Neil Lakomiak, director of business development and innovation with UL, “It’s connecting components, connecting products, connecting systems together, sharing data—and it isn’t new. It’s been going on for quite a long time … we’re just seeing a lot more of it now.” Aspects of IoT, such as computing power and memory, are less expensive and more available, and it’s becoming more scalable with the cloud.

Software is becoming more prominent in hardware, Lakomiak noted. “We evaluate products and systems for safety, performance and reliability. When software becomes the more predominant aspect of these products, it’s something we’re going to be paying much more attention to and setting our own standards and programs as a result.”

Jon Lewit, communication committee chair for ONVIF and the director of technology leadership with Pelco, agreed that the technology has been around for a while. “From an ONVIF perspective, we’re looking to create a standard to help streamline the way that we connect those devices together,” he said.

“What does the Internet of Things mean to me? One word: opportunity,” Mitchell Klein, executive director of the Z-Wave Alliance said. “[IoT is] not about the Internet and … it’s not about things. What this whole IoT thing is is all of the different verticals—which one do you want to participate in?”

Jim Coleman, president of Operational Security Systems Inc., said, “We live in an industry where ‘how much does it cost?’ has become more important today than it was when I started in the business.” End users seeking lower costs can create vulnerabilities, he added. “We have to worry about doing the right thing, and sometimes doing the right thing for a manufacturer means it has to cost a little bit more.”

Interoperability is a key word right now, Ragusa noted, “But with interoperability comes some risk.” He asked the panel how IoT relates to cybersecurity.

“I think that there’s a misunderstanding in the whole IoT community; IP is not necessarily always the right thing,” Klein said. “That said, interoperability is obviously critical going forward. The exposure is not necessarily in the platform you use, but in how the particular platform is deployed.”

In regard to interoperability and the Internet of Things, Dorrier Coleman said that devices do not need access to the entire Internet. “A security camera is never going to want to watch a YouTube video, and if it does that, something very wrong is going on,” he said, adding that manufacturers can help devices identify this behavior.

Lakomiak said that connected systems also need to accomplish their main task. “It’s great that things can talk to one another. But, when you hook all of these things, these systems, these devices, together—do they actually work harmoniously together? Are they doing all of the things that were intended to be done?”

Jim Coleman addressed how aspects, such as low-security passwords, create cybersecurity challenges. “Just simple cyberhygiene—without getting into public key infrastructure and that kind of complexity—goes a long way. While we’re learning, we haven’t quite had full immersion yet.”

Lewit agreed that poor cyberhygiene, specifically low-security passwords, is a main cause of cybersecurity issues.

Lewit said that there are three main components in security: product manufacturers, internal company processes, and the end users. “The real solution involves all three of those working together. I think, what we can do from a standards perspective is help highlight some of the best practices in the industry, and that’s one of the things that ONVIF has been trying to [do],” he said.

“The first real substantial push forward that we covered was within the Profile Q specifications that came out, where we covered some of the basic elements of password security and user authentication and encryption transmission,” Lewit continued.

UL has developed new cybersecurity standards for products and systems, Lakomiak pointed out. “What we set out to do is provide some testable criteria that’s repeatable and reproducible around that. As we talked to the industry … we were actually learning that the bigger need is really education—training and education around cybersecurity,” he said.

Different technology platforms have different standards, Z-Wave’s Klein noted.

“The standards that we adopt are the standards of our customers, and they’re usually very different [across vertical markets],” Jim Coleman said.

“As integrators, you know who your customers are and what your business is,” Klein said. “It’s your responsibility to make sure that the types of products or the brands that you’re working with are utilizing the current best practices and best standards.”

Various regulations stand to impact the Internet of Things industry. Jim Coleman brought up the increased need and expense of insurance.

Water damage is a large concern for insurance companies, Klein pointed out, and devices for detection are relatively inexpensive. Insurance companies are looking to incentivize customers to have more monitored solutions, he added, which will span several areas.

Lakomiak said that incentives are needed for customers to consider cybersecurity. “It’s expensive—it’s vastly expensive—and, frankly, unless your customers are asking about it, it’s hard to justify the cost for your products. Then, of course, there are companies out there that do a lot to invest in cybersecurity, and they’re able to leverage that as a differentiator,” he said.

Ragusa asked the panelists for their key considerations when it comes to new projects with the IoT.

“What I always find of interest is the difference between … security and privacy. It seems as though there’s a heightened level of sensitivity to the cybersecurity, to the physical security, to data security, and yet, at the same time privacy does not seem to be a problem for most people. And, to me, they’re one and the same,” Klein said. “A question that I’d want to know with any project, before going in: how sensitive is your data?”

Education is key, according to Lakomiak. “From an end user, specifier, and integrator perspective, I think they just simply need to understand what the risks are, associated with connecting all of these things together,” he said. Companies should also understand the benefits to connecting systems, he added.

“There are different risk profiles based on the devices that you’re talking about. When you’re talking about systems, that risk profile is about the data, the security of the data that that system is storing,” Lewit said. “When you’re talking about devices, it’s not so much about the data … it’s about potentially turning all of those devices into an army of complicit bots.”

An attendee asked about cloud platforms, and whether there is value in cloud platforms for securing IoT. “I think that there is an almost irrational fear among end users to put security information in the cloud,” Jim Coleman said, adding that perceptions are changing and there can be less expense in the cloud while bringing more things together.