Blog

By Mark Walker, Director, Technology Policy at CableLabs

This past August, the Open Connectivity Foundation (OCF) published a blog on the suggested core security capabilities for device manufacturers laid out by National Institute for Standards and Technology (NIST), and how the OCF Specification includes and will continue to build upon these capabilities. As these capabilities are included in the OCF Specification, each OCF-certified device has been developed and maintained with security in mind. This security-by-design approach to device development allows the Internet of Things (IoT) to continue to evolve and helps prevent future security and interoperability challenges.

Last month, the OCF submitted comments to NIST in response to draft NISTIR 8259 (“Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers”). These comments range from support of different features to suggestions on how to continue developing these and other capabilities. The OCF supports NIST’s work in IoT security and specifically its development of a core cybersecurity feature baseline for the IoT. More broadly, the OCF urges NIST to work with global governments to help ensure harmonization of IoT security policy to accelerate the promised benefits of an IoT. The OCF also made clear that it has already implemented nearly all of the identified features in its specification and in the associated open source implementation.

The OCF is currently working through how to implement “cybersecurity event logging” and believes the industry would benefit from further guidance from NIST in this area. More generally, the OCF expressed its support for NIST’s flexible approach to implementing the identified cybersecurity features, the recommendation that IoT manufacturers use established IoT platforms, and the need to clearly communicate cybersecurity information to customers. However, the OCF suggested that NIST separate the core baseline of cybersecurity features (Section 4) from the business practice guidance (Sections 3, 5, 6, and 7) and place this latter guidance in a separate, standalone document.

By providing these comments and suggestions, the OCF is actively accomplishing its mission to work with government and industry organizations in order to develop a more reliable, secure IoT for all verticals around the world. As we have said before, developing IoT security cannot be brought by a single actor in the industry. Engaging with government organizations and contributing to industry-led security reports, such as the C2 Consensus, showcases the OCF’s leadership as well as its ability to help build a security framework that anyone can follow, no matter the size of the project. The OCF is here to enable every organization to make the IoT a reality.

OCF’s full comments can be found here.

Today, everyone must go through arduous certification and testing programs to create certifiable platforms that are both secure and contain working code. To address this complicated process, the OCF certification program continues to evolve and improve. One of the ways in which it continues to grow involves the testing and certification of modules for inclusion in devices whether they are a server or client. An OCF-capable module is not a complete end-product. However, it is designed to meet all the OCF certification requirements and functionality that can be included as part of an end-product. In this case, the modules we are referring to are sensors and actuators. As a result, the OCF recently began the process of certifying sensors and actuators to address the market demand for lower cost devices in the network.

… [Read More]

By Mark Walker, Director, Technology Policy at CableLabs

One of the main pillars of the Open Connectivity Foundation (OCF) is security. Security is foundational to the sustained growth and adoption of IoT. Without sufficient security, connected devices pose a risk to end users and networks alike, providing ready fodder for nefarious actors to exploit.  As a foundation of more than 400+ members, the OCF is continuously and tirelessly striving to create secure, reliable, and interoperable IoT for all. One of the many ways in which we are doing this is working with other organizations and providing our expertise and input to help drive increased IoT security, including the recent C2 Consensus on IoT Devices Security Baseline Capabilities, released by the Council to Secure the Digital Economy (CSDE) and spearheaded by the Consumer Technology Association (CTA).

… [Read More]

This is the second part in a two-part series highlighting IoT security issues and how the OCF addresses them. This blog will cover the suggested security capabilities laid out by NIST that the OCF specification includes and will continue to build upon, ensuring a secure, interoperable IoT around the world.

During the Open Connectivity Foundation (OCF) face-to-face meeting this summer in New Orleans, Louisiana, Michael Fagan, a cybersecurity specialist from the National Institute of Standards and Technology (NIST), spoke to OCF members about NIST’s ongoing work to improve the security of Internet of Things (IoT), including the development of a core set of security capabilities applicable to all IoT devices.  NIST’s mission includes promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

To help drive increased IoT security, NIST develops guidance for industry and the public sector in the form of reports and other publications and through its National Cybersecurity Center of Excellence (NCCoE), which leverages a collaborative model to develop practical solutions to pressing cybersecurity issues.  In particular, NIST is currently developing a report (“Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers,” NISTIR 8259 (Draft)) that provides guidance to manufactures on the core set of security capabilities that should be included in all devices. These capabilities range from logical and physical device identification to the ability for IoT devices’ software and firmware to be updated via a secure, controlled, and configurable mechanism.

So how is the OCF going to implement these capabilities? We already have. Of the six core IoT baseline capabilities identified in the draft NIST report, OCF currently supports five, with plans to cover the remaining one in the near future. These capabilities include:

… [Read More]

This is the first of a two-part series highlighting IoT device security issues and how the OCF is addressing them.

When people talk about the Internet of Things (IoT), they are referring to the ability to add internet connectivity to a system of interconnected devices. Each device, or “thing,” comes out of the box with a unique identifier and the ability to automatically transfer data over a network. However, allowing devices to connect to the internet opens them, and the network, up to a variety of serious vulnerabilities if they are not suitably protected. Because IoT is a relatively new market, many product designers and manufacturers are more interested in getting their new products to market quickly rather than taking the necessary steps to build lasting security into their products from the beginning.

Since the IoT has grown exponentially over the past few years, security has been under the microscope, especially after high profile instances where a common IoT device was used to break into and attack the larger network. For instance, cybercriminals hacked a casino through its internet-connected thermometer in an aquarium in the lobby of the casino. Then, the hackers exploited a vulnerability in the thermostat to get a foothold into the network. Once there, they managed to access the high-roller database of gamblers and pulled it back across the network, out the thermostat, and up to the cloud. This is just one of many examples underscoring how employing security measures is crucial to making sure networks with IoT devices connected to them are safe.

The Open Connectivity Foundation (OCF) is dedicated to ensuring secure interoperability for consumers, businesses and industries by delivering a standard communications platform, a bridging specification, an open source implementation, and a certification program allowing devices to communicate regardless of form factor, operating system, service provider, transport technology, or ecosystem. Our aim is to get industry consolidation around a common, interoperable approach to connect all future devices for the IoT. The member companies involved in OCF believe that secure and reliable device discovery and connectivity is a foundational component in enabling the IoT. The good news is that this is already underway.

The OCF Specifications are the answer to the as-yet-unsolved secure interoperability issue the IoT industry faces today. The Specifications provide the secure communication structure which is a standard model for applications and services to interact with IoT resources. They map to multiple transports and bridge to other IoT ecosystems. Finally, they leverage existing industry standards and technologies, provide connections between devices, between devices and the cloud, and manage the flow of information among devices.

OCF-Certified products give end users choice in purchasing. Consumers aren’t dependent on one particular brand to ensure the products all work together, right out of the box. With the knowledge that security has been built into OCF-certified devices during manufacturing, consumers can rest easy knowing their network is secure from any vulnerabilities. This combination of ease and security offers an IoT experience that simply improves everyday life.

In the second blog in this two-part series, we’ll be examining the suggested security capabilities laid out by the National Institute of Standards and Technology (NIST) that the OCF Specification includes and will continue to build upon, ensuring a secure, interoperate IoT around the world.