Gartner, Inc. forecasted 6.4 billion connected things in use worldwide by the end of 2016, reaching 20.8 billion by 2020, illustrating a sizeable opportunity. Research conducted by the Ponemon Institute and published in June 2016 found that the average cost of a data breach for the companies surveyed has grown to $4 million, a 29 percent increase since 2013, making a case for a common security framework that enhances interoperability of the Internet of Things (IoT).
Competition between various open standards and closed company protocols has slowed IoT adoption and innovation. The Open Connectivity Foundation (OCF) Security Working Group is thinking past the rudimentary integration of similar devices. They are working on a common security framework that allows reliable interoperability between devices regardless of manufacturer, operating system, chipset or transport. By creating a standard that helps connected devices securely communicate with one another, the Group accelerates industry innovation that will ultimately benefit billions of people around the world.
Security is an ever-changing environment. The OCF Security Working Group is doing things differently. The forward-looking Group has united to solve interoperability disputes. The result is a standardized, flexible security framework that provides a foundation on which to build and adapts to the changing ecosystem. The OCF membership receives early access to specifications in draft mode and use of a unique certification testing tool to assure that interoperable products get to market faster and progress is not stalled. Additionally, through the formation of the OCF and the IoTivity open source community, a means for industry-wide communication of potential threats and fixes has formed.
Standards are necessary for the continued evolution and success of any industry. Without agreed-upon standards for the secure interoperability of IoT innovations, the industry will not advance as fast as it can; standardization helps consolidate support for usage models.
Having a standardized protocol that we are able to use above the transport layer when devices are turned on and communicating with one another is critical. The Security Working Group will also advance testing standards as they uncover new scenarios.
The OCF Certification Program is in the initial stages. Security is an essential aspect of the OCF Certification Program and its associated working groups. The Certification Group tests devices with all available test cases that are developed from specifications, including security. The Security Group is working closely with the Certification Group to supply test cases, improvements, and enhancements. Security testing will continue to evolve with additional testing introduced by the Security Group as a result of test cases that haven’t yet been identified.
One of the significant advantages of the OCF Certification Program is its test tool, which is used in the certification test beds and is available to all OCF members. The test tool allows members to clean up their implementation or device to enable it to be successfully tested and certified in the labs. The OCF Certification Group is providing robust test beds due to the global interest in the IoT. The Group is initially supporting the highest growth regions through test labs in the Americas, Europe, and Asia. As the business grows, the Group will open up additional labs while progressing in the automation of the testing process.
The OCF Security Working Group and the newly formed OCF Security Review Task Group welcome any input or information that may lead to evaluations of either security specification holes or implementations that don’t adhere to security specifications. These implementation issues may have been missed during certification, or may arise in products that go to market with post-certification code that may breach certification. These issues and related guidance are then broadly communicated to the OCF membership and the industry through the IoTivity open source community.
From a consumer standpoint, in the event of the discovery of a potential vulnerability, manufacturers may offer firmware updates and consumers should look for those updates.
Protecting user data is a primary concern in the engineering of the OCF standards. The OCF restricts the use of immutable identifiers to only limited times when the device is joining a network at the request of the device owner. Storage of private and protected information has various levels of recommendations and requirements that cover data in transit. As the OCF Security Framework evolves, it will provide guidelines for the implementations that cover data at rest and data in use.
Membership in the OCF shows that a vendor is willing only to release products that meet or exceed rigorous security standards. Participating in a standards group that not only works as a holistic unit to define secure protocols, but also looks to constantly address potential exploits shows leadership. Members communicate to the market that they are proactively implementing features that protect user privacy as well as enhancing functionality of IoT products and services.
Many IoT risks have already been identified and are well publicized. As communication and security protocols grow in standardization and adoption, the tools to mitigate the risks become increasingly effective.