Security was flagged as a key area of investment for the Internet of Things Alliance Australia (IoTAA) – an industry body with more than 200 members from over 100 organisations and industry groups – as the body was launched this week as an independent not-for-profit entity by founding organisation the Communications Alliance.
Members of the IoTAA, which is being hosted at the University of Technology, Sydney (UTS), are organising around six key work streams including spectrum availability; network resilience; industry verticals; data sharing and privacy; and the fostering of IoT startups. “A lot of countries are already ahead of us when it comes to IoT,” federal shadow minister for communications Jason Clare said in launching the new entity.
“If we don't turn this around we will miss out on a lot of new jobs, more investment and new businesses.” Delivering on this vision, however, will require the IoT industry to collectively fill out a security story that is still missing a number of chapters, because IoT vendors have so far been left to their own devices in building security into their products.
This has led to deficiencies in IoT devices and, more problematically, created security issues within the businesses that are adopting them. A number of recent efforts have aimed to stem the rising tide of IoT security problems and formalise the process by which security is implemented, with ICSA Labs launching an IoT security testing program and others working to better define and standardise methodologies for evaluating IoT risk.
“The potential for abuse of systems with IoT, and so many connected devices, is fairly obvious,” says Jamie Chard, chief technology officer with Freestyle Technology, a utility-focused developer of IoT technologies that last month announced it would establish a new R&D facility in suburban Glen Waverley that is expected to employ 150 people and generate exports worth up to $200m in the next few years.
While emerging IoT-related standards have embraced encryption and authentication technologies to secure communications from devices, the ability to use over-the-air (OTA) updates to patch IoT equipment in the field – crucial to fix new security issues as they are discovered – varies based on devices' sophistication and internal capabilities.
“A lot of the devices that we are dealing with are not even embedded Linux devices,” Chard explains. “They are very low-level electronics on the meters themselves: because of price points, they are often relatively cheap and simple devices that just don't have the memory and capability in them. And if your device doesn't accept OTA updates, then it is what it is.” Use of a central platform for managing and updating devices was “a key part” of making IoT work en masse, Chard added, noting that many devices are deployed with a de facto control structure simply because inter-device traffic is frequently routed over secure wireless connections and through a central management gateway.
“That really does lock down the communications a lot,” Chard says. “They're not just generally visible like any computer on the public Internet; it's much more like a tree network where anything that's outside the domain, trying into it, has to talk through the gateway to get to the devices.” Those comments mirror the opinion of some experts that existing security best practices, if applied well to IoT deployments, are adequate to manage the new risks those deployments introduce.
Yet while such management could improve visibility of traffic to and from devices, it will do little to address intrinsically insecure designs that often – as NICTA offshoot Data61 recently demonstrated with the development of a hack-proof, high-security drone operating system – simply need to be reviewed by appropriately skilled security specialists.
Getting IoT device makers to put such specialists into oversight roles, especially in the deployment of consumer-focused devices with little central control, remains a big challenge as IoT expands outside of the rigorously controlled utility sector where Freestyle and others have made their names. “If you're in a home environment where you're trying to put together lots of different, small devices and they need to talk to one another,” he said, “then you need to have rigorous standards in place and a lot of attention to security so you can't compromise the systems – especially if you allow devices to join without any vetting.” “There's a lot of potential for things to go wrong, and the industry has got quite a bit to work through.”