It should be obvious to just about everyone by now that the current state of affairs concerning the Internet of insecure things threatens the stability of the Internet. This wouldn't have been such a big deal 15 or 20 years ago, but we've now put all of our eggs in the Internet basket, and if it goes down, so does the world economy. Not only that, an undependable and unstable Internet would affect everything from major utilities -- phone, power and water -- to law enforcement and national defense -- in no matter what country you reside.
My idea is that to secure the Internet of things, we need to take a three pronged approach that includes oversight, open source and open standards.
Oversight:
We've already tried letting IoT device manufacturers make their own security decisions and we've seen how well that's worked. Short of government intervention, which would mainly serve to further Balkanize the Internet, what's needed is oversight. Perhaps the most efficient approach would be a certification program that would allow device makers to slap a "certified secure" sticker on their devices. There have already been several such programs launched, most notably from Underwriters Laboratory and ICSA Labs.
For this to be effective, however, the fewer certifications the better. Having a hodgepodge of certification agencies would mean varying degrees of protection, and open the door for vendors to effectively bypass meaningful security vetting by creating their own oversight agencies, which would be akin to the fox watching the hen house. My thought is for the IT industry -- companies that have skin in the game and understand the problem -- to come together to approve and support a single agency to handle IoT security certifications, sort of like was done last century with the "UL approved" label certifying the safety of electrical devices.
After that, a campaign could be launched to educate the public to look for this particular certification when purchasing an Internet facing device. Netflix, Hulu and Amazon Prime, for example, could stress the importance of the certification for web entertainment devices both on their websites and in the emails they send to subscribers announcing new content.
Open source:
Although I'm sure this will be controversial and that hardcore closed source folks will disagree, it should be a no-brainer that any device seeking certification should use open source software, as it would be impossible to certify embedded software without being able to study the code. Having the source code readily available would also help keep devices secure after the devices have been brought to market. With source code freely available for all IoT devices, security experts would be able to study the code to find hidden vulnerabilities, hopefully ahead of the black hats.
Open standards:
A key aid for the certification agency would be the implementation of open standards for different types of devices. For example, there could be a set of standards for kitchen appliances such as refrigerators and electric ranges, standards for heating and air conditioning, another for home entertainment devices and so on. Device manufacturers could be enticed to follow these standards with the promise that the certification process for devices using only established standards would be fast-tracked. The fee for certification could also be made lower for standards compliant devices, as they would require less study before approval.
The combination of open source software with open standards would also open the possibility for drop-in systems to be developed that device manufacturers could use out-the-box. This would further reduce the time to market for manufacturers, as well as simplify the process of applying security patches to devices once they are in the hands of consumers.
This would just be a start, of course, and there would be much to figure out -- best practices for device security and patching, how many years a device needs to be supported before its use has dropped to the point where it's no longer a likely hacker target and the like. But with this start, we should be able to quickly get on track to securing the Internet of things.
My idea is that to secure the Internet of things, we need to take a three pronged approach that includes oversight, open source and open standards.
Oversight:
We've already tried letting IoT device manufacturers make their own security decisions and we've seen how well that's worked. Short of government intervention, which would mainly serve to further Balkanize the Internet, what's needed is oversight. Perhaps the most efficient approach would be a certification program that would allow device makers to slap a "certified secure" sticker on their devices. There have already been several such programs launched, most notably from Underwriters Laboratory and ICSA Labs.
For this to be effective, however, the fewer certifications the better. Having a hodgepodge of certification agencies would mean varying degrees of protection, and open the door for vendors to effectively bypass meaningful security vetting by creating their own oversight agencies, which would be akin to the fox watching the hen house. My thought is for the IT industry -- companies that have skin in the game and understand the problem -- to come together to approve and support a single agency to handle IoT security certifications, sort of like was done last century with the "UL approved" label certifying the safety of electrical devices.
After that, a campaign could be launched to educate the public to look for this particular certification when purchasing an Internet facing device. Netflix, Hulu and Amazon Prime, for example, could stress the importance of the certification for web entertainment devices both on their websites and in the emails they send to subscribers announcing new content.
Open source:
Although I'm sure this will be controversial and that hardcore closed source folks will disagree, it should be a no-brainer that any device seeking certification should use open source software, as it would be impossible to certify embedded software without being able to study the code. Having the source code readily available would also help keep devices secure after the devices have been brought to market. With source code freely available for all IoT devices, security experts would be able to study the code to find hidden vulnerabilities, hopefully ahead of the black hats.
Open standards:
A key aid for the certification agency would be the implementation of open standards for different types of devices. For example, there could be a set of standards for kitchen appliances such as refrigerators and electric ranges, standards for heating and air conditioning, another for home entertainment devices and so on. Device manufacturers could be enticed to follow these standards with the promise that the certification process for devices using only established standards would be fast-tracked. The fee for certification could also be made lower for standards compliant devices, as they would require less study before approval.
The combination of open source software with open standards would also open the possibility for drop-in systems to be developed that device manufacturers could use out-the-box. This would further reduce the time to market for manufacturers, as well as simplify the process of applying security patches to devices once they are in the hands of consumers.
This would just be a start, of course, and there would be much to figure out -- best practices for device security and patching, how many years a device needs to be supported before its use has dropped to the point where it's no longer a likely hacker target and the like. But with this start, we should be able to quickly get on track to securing the Internet of things.
Tags:
ARTICLES