Security high on agenda as Australian Internet of Things makers get organised

Collaboration, security focus eyed as IoT researchers and vendors seek strength in numbers

Security was flagged as a key area of investment for the Internet of Things Alliance Australia (IoTAA) – an industry body with more than 200 members from over 100 organisations and industry groups – as the body was launched this week as an independent not-for-profit entity by founding organisation the Communications Alliance.

Members of the IoTAA, which is being hosted at the University of Technology, Sydney (UTS), are organising around six key work streams including spectrum availability; network resilience; industry verticals; data sharing and privacy; and the fostering of IoT startups. “A lot of countries are already ahead of us when it comes to IoT,” federal shadow minister for communications Jason Clare said in launching the new entity.

“If we don't turn this around we will miss out on a lot of new jobs, more investment and new businesses.” Delivering on this vision, however, will require the IoT industry to collectively fill out a security story that has so far been found to be missing a number of chapters as IoT vendors are left to their own devices in building security into their products.

This has led to deficiencies in IoT devices and, more problematically, created security issues within the businesses that are adopting them. A number of recent efforts have aimed to stem the rising tide of IoT security issues and formalise the process by which security is implemented, with ICSA Labs launching an IoT security testing program and others working to better define and standardise methodologies for evaluating IoT risk.

“The potential for abuse of systems with IoT, and so many connected devices, is fairly obvious,” says Jamie Chard, chief technology officer with Freestyle Technology, a utility-focused developer of IoT technologies that last month announced it would establish a new R&D facility in suburban Glen Waverley that is expected to employ 150 people and generate exports worth up to $200m in the next few years.

While emerging IoT-related standards have embraced encryption and authentication technologies to secure communications from devices, the ability to use over-the-air (OTA) updates to patch IoT equipment in the field – crucial to fix new security issues as they are discovered – varies based on devices' sophistication and internal capabilities.

“A lot of the devices that we are dealing with are not even embedded Linux devices,” Chard explains. “They are very low-level electronics on the meters themselves: because of price points, they are often relatively cheap and simple devices that just don't have the memory and capability in them. And if your device doesn't accept OTA updates, then it is what it is.” Use of a central platform for managing and updating devices was “a key part” of making IoT work en masse, Chard added, noting that many devices were being deployed with de facto control structures because inter-device traffic is frequently routed over secure wireless connections and through a central management gateway.

“That really does lock down the communications a lot,” Chard says. “They're not just generally visible like any computer on the public Internet; it's much more like a tree network where anything that's outside the domain, trying into it, has to talk through the gateway to get to the devices.” Those comments mirror opinions from some experts that existing security best practices, if applied well to IoT deployments, are adequate to manage new risk from IoT deployments.

Yet while such management could improve visibility of traffic to and from devices, it will do little to address intrinsically insecure designs that often – as NICTA offshoot Data61 recently demonstrated with the development of a hack-proof, high-security drone operating system – just need to be gone over by appropriately skilled security specialists.

Getting IoT device makers to put such specialists into oversight roles, especially in the deployment of consumer-focused devices with little central control, remains a big challenge as IoT expands outside of the rigorously controlled utility sector where Freestyle and others have made their names. “If you're in a home environment where you're trying to put together lots of different, small devices and they need to talk to one another,” he said, “then you need to have rigorous standards in place and a lot of attention to security so you can't compromise the systems – especially if you allow devices to join without any vetting.” “There's a lot of potential for things to go wrong, and the industry has got quite a bit to work through.”
