Executives from the Internet of Things (IoT) and security industries gathered in Chicago last week for the Smart Card Alliance’s 2016 Security of Things conference, where they provided insights and perspectives on security, privacy and authentication in the rapidly growing IoT ecosystem.
The two-day event featured 40+ speakers, with keynotes, panels and track sessions on the most important aspects of security related to a cross-section of different IoT markets. Experts leading the first-day keynotes kicked off the event with a big-picture look at IoT security, while speakers separated into technology and applications track sessions gave attendees a deep dive into where IoT security is today, its challenges and the necessary next steps to move towards a more secure IoT environment.
Security by Design
Throughout the event, speakers agreed that to effectively provide security that is on par with the large and complex scale of the IoT, security needs to be built into the design of IoT devices.
“Security is not something you tack on at the end,” said Maarten Bron, director of innovations at UL Transaction Security. “It’s something that needs to be built in from the initial designs of the products and services.”
Speakers also focused on the importance of securing valuable data generated by connected devices. Craig Spiezle, executive director of the Online Trust Alliance (OTA), said that while this data may seem benign now, as it continues to grow exponentially, it could potentially be harmful in the future if steps aren’t taken to improve security and privacy of the entire IoT ecosystem.
Rethinking Security Practices for IoT
Christopher Williams, information transaction assurance for Exponent, made a clear distinction between IoT security and IT security, emphasizing they should not be treated the same. He said that while lack of IT security can cause inconvenience, such as stolen bank credentials, the lack of security in the IoT can present a physical threat to consumers and the industry, for example a hacked connected car.
Panelists Nathaniel Gleicher, former director of cybersecurity policy for the National Security Council and current head of cybersecurity strategy at Illumio, and Christopher Caen, publisher at ReadWrite, agreed with this distinction, and led a robust discussion about how the practice of building a perimeter, a common and effective practice for IT security, isn’t a successful tactic for protecting data or devices in the IoT.
One solution, according to Imran Hajimusa, vice president of business and technology at Verifone, is to ensure data is secured both on and off the device. To do this, Hajimusa suggested the industry needs to consider securing the ecosystem as a whole, not each individual endpoint.
Not Starting from Scratch
Throughout the event, speakers pointed to several existing technologies that can help secure IoT devices and how they talk to the network – smart card technology, biometrics, the secure element, the trusted execution environment, and others – but there is no one-size-fits-all solution. Instead, Sami Nassar, vice president and general manager of NXP Semiconductors, suggested that a layered, decentralized, updatable security approach that is still unobtrusive to the consumer will be the most successful.
Eric Ridvan Üner, chief technology officer at Redwall Technologies, recommended smart card technology as part of the IoT security design because it can be used in almost every link of the chain of trust to make data more secure. Üner said, “As someone who spends their day looking for ways to hack IoT devices, smart card technology has made it much harder to hack these credentials.”
Speakers also suggested that repurposing best practices and considering lessons learned from other industries, such as the payments industry, could help to get the IoT industry on the right track towards stronger security.
Getting Involved and Next Steps
Randy Vanderhoof, executive director of the Smart Card Alliance, acknowledged that while IoT security needs to be looked at holistically, focusing on securing the endpoints of the network first provides the building blocks that make it possible to secure the IoT.
“It’s going to involve coming together as an industry, including different perspectives from stakeholders across every vertical industry touched by the IoT to make the secure connected world a reality,” Vanderhoof said.
The Smart Card Alliance launched its Internet of Things Security Council last April to serve as a forum for stakeholders to promote security awareness, encourage the widespread adoption of security standards, and define best practices that will help protect and maintain privacy of IoT devices and the data they generate.
“We welcome and encourage broad participation from IoT technology firms and device manufacturers to join the IoT Security Council to share their voice and take an active role in bringing security to IoT,” Vanderhoof added.