Teaming Up to Secure the IoT

By Steve Hanna

The power of the collective gives the Internet of Things its potential and its security.

After years of Internet of Things (IoT) deployments, the technology has both proven its inherent value and emphasized the need for better IoT security. Due to the current weak state of IoT security, we have seen a series of attacks on IoT systems that seriously damaged privacy. Some recent examples include attacks on baby webcams; on critical infrastructure, as seen through the Colonial Pipeline; and on banking systems, as seen through Mirai.

Accomplishing the needed level of IoT security will require all players—politicians, tech titans, IoT innovators and consumers—to come together in an unofficial coalition. Such a coalition is essential right now, because the IoT has become rather like the Wild West, a lawless world where only the toughest survive.

The Current Patchwork of IoT Security Standards
The current weak state of IoT security is not due to a lack of trying. Politicians, leaders and industry experts alike know that security is needed everywhere, especially in the IoT. Unfortunately, we have seen a patchwork of different standards and regulations emerge instead of the global set required for practical security. Because of this patchwork, it is a nightmare to develop products that work globally.

Now we have an innovator problem, because the best ideas will not get to market without security. IoT innovators face the challenge of building products that comply with this array of ever-changing standards. Meeting this challenge is possible when you have tens or hundreds of millions of dollars to devote to your implementation. For smaller IoT innovators, it's impossible.

Tech titans like Amazon, Apple, and Google rely on IoT innovators to create the countless number of products that make the IoT ecosystem robust and versatile. These tech titans create the platforms that enable the innovators to do what they do best: innovate. Until now, there has been a lack of interoperability between the tech titans, who share no standard platform, communications protocols or security requirements. This makes building IoT products even more of a headache for IoT innovators, since they must account for the requirements not just for one platform, but for several.

Uniting the IoT Industry
To clean up this mess, the tech titans and IoT innovators have come together for the benefit of all by creating the new "Matter" standard (see "Alliance for IoT Brand Matter Focuses on Standards"). As Albert Einstein predicted, creating Matter required a tremendous amount of energy, but it was worth it. The Matter standard, under the Connectivity Standards Alliance, is expected to be released in late 2021 or early 2022. With the Matter standard, all IoT products can use a single set of standard protocols to communicate. Security requirements for Matter are uniform and easy for both users and innovators. The standard works in harmony with the worldwide effort to establish requirements for IoT security and privacy through legislation or regulation.

This standardization will provide IoT innovators, who do not have the capacity to fill the role of security expert, with a better way to implement long-term security without sacrificing time to market. They need a solid and well-secured platform to build upon, including hardware and pre-integrated software. IoT innovators also often need overall guidance on security, which Matter can provide.

Additionally, standardization will set IoT innovators up for the future, as it allows for patches and updates of devices to be done securely over the air. Further, it helps device makers to build in thorough IoT security from the get-go. In this way, they are preparing themselves as much as possible for changes to laws and regulations in the future, so they do not have to revise their products or be excluded from certain regions.

Subscription Models Drive IoT Security
While pushing for secured, high-quality IoT devices, we must still consider how to keep costs under control and keep companies accountable for long-term security upkeep. The increased use of subscription models in the IoT might just be the solution because it accomplishes two things. For consumers, it helps offset the upfront cost of smart devices. For device makers, it provides a monetary incentive to ensure the long-term security of their devices, since consumers can drop subscriptions and replace products if they fail.

Proof that the subscription model works can be seen through printers. The printer companies can make money because they establish an ongoing relationship between the device maker and the consumer. The consumer provides an ongoing revenue stream to the device maker by purchasing supplies, thus keeping the device maker accountable for providing that long-term product support. If the printer has flaws or provides anything less than a positive user experience, there is nothing stopping the user from buying a printer from a different brand, therefore cutting off the revenue stream.

This two-way relationship within the subscription model is the groundwork for a happy and successful consumer-device relationship for years, providing upfront affordability combined with accountability for security.

Semiconductors: The Foundation for IoT Security
So far, we have considered the essential roles that tech titans, IoT innovators, politicians and customers have to play in the standardization of IoT security, but none of it would be possible without semiconductors. Semiconductors provide the solid platform upon which IoT devices can be built. With security built into these semiconductors, IoT security can become truly universal.

Authentication, secured communication and secured firmware updates are the three pillars of IoT security, and they are all enabled by semiconductors. Specifically, implementing these features in hardware makes them efficient and affordable while protecting them from being undermined by software bugs. Software and services can then be built on top of the hardware. Placing security features in hardware makes this security easy for developers to adopt and easy for end users to employ in their home, no matter what kind of smart devices they own.

Thus, semiconductors enable innovation with security by equipping creative minds around the world with the platform, support and tools they need to come out with the next great IoT idea. Without the hardware platform and support, they would never be able to make it out of their garage and ultimately contribute value and depth to IoT ecosystems.

Creating a Robust IoT Market
All players in this unofficial coalition understand the importance of a robust IoT ecosystem, which is why they are taking the aforementioned actions to create a vibrant, creative and secured IoT market. A virtuous cycle of innovation may then be enabled.

Tech titans and IoT innovators are joining forces to standardize with the Matter standards, subscription models will promote long-term maintenance of security, regulations will require appropriate security levels and semiconductors will provide a hardware root of trust. Because of these changes, security and connectivity hurdles will no longer block the best innovations, but rather provide them with the means to reach the market. As a result, IoT devices will be able to bloom and grow, faster than ever.

After all, the beauty of the IoT is that anyone can come up with the next great idea. However, this is only made possible through the power of the collective. It is the power of the collective that gives IoT its potential, and it is the power of the collective that will give IoT its security.

Steve Hanna is a Distinguished Engineer at Infineon Technologies, where he serves as a senior architect, a leader in networking and security, and an expert at catalyzing industry-wide change. He is a frequent speaker at leading conferences such as RSA and Interop, the author of numerous technical papers and standards including IETF RFCs 2730 and 5793 and Trusted Computing Group IF-IMC and IF-IMV, a member of IETF's Security Area Directorate and a holder of 43 U.S. patents. Steve's specialties include software architecture, technical leadership, security analysis, product creation, protocol and API design, standards development, invention, management, and mentoring.