GlobalSign Blog

13 Jun 2017

Defining and Applying an IoT Security Policy

There is no question that IoT security is one of today’s top concerns. It impacts us as consumers, manufacturers, businesses of all sizes and government entities as well. Compounding the concern is that there is a lot of confusion in the marketplace with very little guidance, standards or policies defined and enforced today. While there are quite a few IoT security frameworks in various stages of development, they are very industry specific and mostly just suggested best practices.

Recently, Microsoft published an interesting document, 'Cybersecurity Policy for the Internet of Things'. The document positions the critical need for developing cybersecurity policies for the IoT as the risk of cyber-attacks exponentially grows with the continued merger of physical and digital domains. Microsoft goes on to suggest a public-private collaboration to develop policies and guidelines that will address and improve IoT security.

Security Concerns of the IoT User Community

In the document, Microsoft looks at IoT cybersecurity from a user perspective focused on three distinct user communities: consumers, enterprises and governments. The reasoning is that these three user communities all have differing IoT cybersecurity concerns. It is suggested that policymakers understand the concerns of each user group so that security concerns are addressed without limiting IoT innovation.

Consumers

Increasingly, we are using more and more connected devices in our daily lives – from wearables to home automation to automobiles and more. Consumer IoT usage is defined by using shared hardware with limited computing power, engaging with data through a cloud-based app, and sharing potentially sensitive data to get value from the connected device. Because data is personal to the user and sometimes sensitive in nature, consumers are concerned about the security of their private and sensitive information.

Enterprises

Improving business processes, enhancing user experiences and resolving business challenges with innovation are what’s driving IoT adoption in the Enterprise. While vulnerabilities that could expose privacy have always been a concern in the enterprise, the IoT security challenge is at a much greater scale. Areas of security concern include: a dependence on data integrity and availability, increased threat vectors such as DDOS attacks, managing security updates and regulatory compliance. Securing the IoT ecosystem and ensuring interoperability is extremely important.

Governments

The role of IoT continues to grow as governments apply the usage of more connected devices to improve services to its citizens. For Governments, IoT security concerns do not differ that much from the enterprise but there are specific security government security requirements that must be met. Resilience to threats on government infrastructure and ensuring duration and predictability of IoT security are also important.

Securing the IoT Ecosystem Depends on Key Roles

In each one of these user communities, there are unique IoT ecosystems. These ecosystems are supported by the manufacturers and integrators, developers, deployers and operators. Microsoft further discusses how each of these roles enhances IoT security and can further help policymakers understand the complexity and security responsibilities of the IoT ecosystem.

Addressing security is critical throughout each role – including manufacturing more secure devices, developing more secure platforms and systems, connecting and installing devices and software with security best practices, and ensuring the integrity of upgrades and maintenance in operations.

In all of these roles, authentication, encryption and integrity play a critical role in keeping the IoT ecosystem secure. We fully agree with Microsoft here as Digital Certificates are a foundation for IoT security. Read this blog to learn more: 'IoT Security Starts with Identity'.

Advancing IoT Security through Policy

Establishing well defined and universally adopted policies and guidelines will enable more secure IoT ecosystems. Microsoft is suggesting that governments work together with industry standards and certifying bodies and the private sector to establish the necessary guidelines to encourage the use of good IoT security practices to ensure security, privacy and safety. As Microsoft recommends, governments can:

  • Serve as catalysts for the development of good IoT security practices.
  • Build cross-disciplinary partnerships that encourage public-private collaboration and inter-agency cooperation.
  • Support initiatives that improve IoT security across borders.

One of the examples Microsoft highlights for collaboration between the public and private sector is Plattform Industrie 4.0. In this example, private and public sector organizations are working to create an IoT framework which includes IoT security for industrial manufacturing. GlobalSign was part of a multi-vendor IoT security demo at the most recent Hannover Messe Expo that included Plattform Industrie 4.0 and the Industrial Internet Consortium (IIC). The live demo showed how to secure communications in multi-vendor, distributed manufacturing environments.

Collaboration like this is necessary to establish the standard guidelines and policies to advance IoT security. We simply cannot rely on disparate groups establishing their own frameworks as this will continue to add to the confusion of how we secure the IoT.

We highly suggest that you read Microsoft’s Cybersecurity Policy for the Internet of Things. It would be great to hear about your IoT security concerns and get your comments on who should be setting and enforcing IoT security guidelines and policies.

Share this Post