According to research conducted by the Institute for Information Industry (III), the number of smart homes worldwide was about 55.4 million in 2016 and is expected to quadruple to 230 million in 2021, with over 15% household penetration, representing tremendous business opportunities.
III (Institute for Information Industry) forms Smart Home Task Force in accordance with international IoT standards to tap into the global smart home market
Women in IoT: Betty Zhao
By OCF Staff and Betty Zhao, Standard Operation Manager, Haier U+
Serving on the Open Connectivity Foundation’s (OCF) Board of Directors as an alternate and as Standard Operation Manager for Haier U+, Betty Zhao has made, and continues to make, great contributions to the IoT industry. At Haier U+, a smart home ecosystem solutions provider, Betty is responsible for the company’s participation and involvement in IoT standards, helping to facilitate both the operation and promotion of the standards that Haier U+ employs. It is clear that Betty’s work at Haier makes a global impact, as the company has grown to 21 industrial parks and 24 overseas plants…
Enabling Internet of Things
The OCF technologies allow your offerings to go beyond verticals
OCF is establishing a single solution that addresses interoperability across multiple vertical markets to ensure that manufacturers and developers have the greatest opportunity to maximize interoperability and increase market share. OCF brings together companies from diverse markets including automotive, consumer electronics, enterprise, healthcare, home automation, and wearables.
In addition to data models for smart home, automotive, and healthcare, the Open Connectivity Foundation has built an efficient and scalable communication stack.
OCF has based its specification on standard deployed technologies such as REST and Secure CoAP. By doing this, OCF has achieved a reliable, secure communication stack with secure onboarding on a local network, or on a remote network by means of cloud services. The secure communication is agnostic of both the physical layer and the application or vertical, and it can be used by third parties to convey their own data models. This leaves more time to differentiate and innovate at the application level in each specific vertical domain. It also allows a free choice of which physical layers are used in deployments. If your organization wants to get a head start by adopting OCF technologies without the application-level data models, please contact OCF Staff.
In addition to the OCF specifications, OCF sponsors IoTivity, the open source project that implements the OCF specifications. Having a mature open source implementation means that developers can reuse existing solutions rather than spending time reinventing the common infrastructure. Developers can therefore concentrate on developing the application for their vertical, which speeds up the adoption of what really counts: the application.
The Countdown Has Started on Secure IoT Compliance
By Kyle Haefner, Lead Security Architect, CableLabs
Bruno Johnson, CEO, Cascoda
Joe Lomako, Cybersecurity Lead, TÜV SÜD UK test lab
Internet of Things (IoT) security, like global warming, is one of the few things that can be said to have global awareness, global initiative, and a growing but disjointed global consensus. Governments of the world have recognized that IoT security is a priority problem. In response, they’ve developed security baseline guidance, and drafted and passed legislation to increase IoT security. Manufacturers have realized that building security and privacy into devices adds real value to their brand. This is because consumers are increasingly aware of the importance of security and privacy in the devices they own and, as such, will make purchase decisions based on enhanced security and privacy features.
The challenge facing the industry now lies in navigating a patchwork of regulations that are currently vaguely defined, with no clear guidance on how compliance will be certified. The countdown timer for compliance has already started.
Requirements and Provisions to Be Considered
Legislators in North America and Europe have been developing standards for IoT security. For example, the European Telecommunications Standards Institute (ETSI) has updated the Radio Equipment Directive (RED), which establishes a regulatory framework for placing radio equipment on the market. ETSI adopted a Delegated Act of the RED, activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy.
The update mandates cybersecurity, personal data and privacy protection for devices that can:
- 3d: communicate over the internet, either directly or via any other equipment;
- 3e: process personal data, traffic data or location data;
- 3f: enable users to transfer money, monetary value or virtual currency.
These provisions become mandatory on 1st August 2024, at which point manufacturers of radio connected devices must be compliant or face potential action.
In the U.S., the National Institute of Standards and Technology (NIST) has released a three-pronged approach split between manufacturers, federal agencies and consumers.
For manufacturers, NIST provides guidance in the form of the NISTIR 8259 series. NISTIR 8259A is the IoT device cybersecurity core baseline; it focuses on capabilities such as device identification, device configuration, data protection, logical access to interfaces, software update, and a catch-all for logging and cybersecurity state awareness. NISTIR 8259B covers non-technical requirements such as documentation, information queries from customers, information dissemination, and education and awareness.
For federal agencies, NIST provides guidance in SP 800-213A on the use and management of IoT devices. This publication provides detailed requirements in categories similar to those in NISTIR 8259A, but with more specific requirements under each device capability.
For consumers, NIST, in coordination with the Federal Trade Commission (FTC), has been tasked by President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity with providing criteria for consumer IoT device labeling. This aims to give manufacturers guidance and standards on how to label consumer devices in terms of their capabilities, both physical and cyber.
Additionally, in June 2021 the U.S. Federal Communications Commission (FCC) released a notice of proposed rulemaking and notice of inquiry focused on improving the adoption of cybersecurity best practices in consumer electronics.
While there has not been an official call for a cybersecurity certification in the U.S. similar to the RED in Europe, judging by releases from NIST, FTC and the FCC, signs are beginning to point in that direction.
The primary requirement categories are shown in Figure 1 below.
Figure 1. IoT Security Landscape
This legislation creates challenges for manufacturers, operators, and installers of IoT devices.
The Secure Device Lifecycle
A secure device lifecycle is the foundation of all secure device ecosystems. Manufacturers, operators, and installers of IoT devices will need to build upon this foundation to comply with the guidelines and regulations listed above. Stakeholders should be incorporating the secure device lifecycle into their business plans and processes now.
A secure IoT device lifecycle involves hardware, software, and the ecosystem infrastructure required to support the device and its associated services. Secure device lifecycle management, shown in Figure 2 below, encompasses all of the processes from the manufacture of the device, where a cryptographic identity is fused at the factory①, to provisioning operational credentials onto the device②, configuration at the deployment site③, ongoing secure updates during normal operation④, and finally a secure data wipe⑤ at decommissioning⑥.
Figure 2. The OCF Secure Device Lifecycle
Challenges for Manufacturers
For manufacturers, the timeline for meeting the EU’s RED provisions is short, especially given that the average hardware time-to-market is one and a half to two years – and this is without ongoing supply chain issues. Additionally, developing embedded devices with protections for keying material can take extra time and some manufacturers will need to retool their production lines to accommodate the extra steps of burning key material to the chips.
Challenges for Operators
Consumers expect that their smart devices are manageable wherever, whenever and from any device. To meet this expectation, manufacturers should ensure that their ecosystem offering includes secure communication both proximally and to the cloud, across multiple IP segments. Operators should build out and refine security technologies such as Public Key Infrastructure (PKI) to authenticate, authorize and account for devices within their ecosystems, and do so in a way that creates simple and seamless user experiences.
Challenges for Installers
Depending on the use case, the installation process can include a mix of system integration, application engineering, and IT administration functions. As with manufacturers and operators, installers need to develop suitable technical training and management processes to allow for the appropriate provisioning of secure devices. The provisioning process assigns access rights and privileges to individual users so as to ensure a seamless user experience while maintaining security.
Answering the Call
For several years, manufacturers, vendors and internet operators have been working through various standards organizations to build secure IoT specifications that bring many of the best practices of running secure connected systems into the domain of secure, connected and constrained systems.
There are now mature internationally recognized secure IoT communications standards that can help support the requirements set forth by the EU RED and the US NIST. By using such protocol standards, many of the challenges related to IoT security can be overcome.
However good the communications standard, organizations at every level of the IoT supply chain still need to implement appropriate management processes and ensure that their workforce has sufficient training to facilitate a seamless transition to a more secure world.
Governments are moving at an increasing pace to protect the security of networks from vulnerable and insecure devices, as can be seen from the directives and guidelines above coming from both the EU and the US. Specific requirements directly tied to legislation are at best poorly defined and vague, yet at the same time specific deadlines for conformance have already been set. This puts manufacturers in a difficult position when determining the conformance of product lines with lead times that can stretch into multiple years.
The best option right now is to plan to build devices that can meet the majority of the requirements established by ETSI and NIST. It is impossible to foresee exactly what legislation will require, but it is easy to guess that it will be based at least in part on currently established IoT security baselines. Manufacturers must not delay; the clock is ticking.
First published on Cyber Defense Magazine
References
“EN 303 645 – V2.1.0 – CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements.” 2020. ETSI. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf
“Executive Order on Improving the Nation’s Cybersecurity.” 2021. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
“Federal Communications Commission FCC 21-73 Before the Federal Communications Commission Washington, DC 20554 In the Matter of.” 2021. Federal Communications Commission. https://docs.fcc.gov/public/attachments/FCC-21-73A1.pdf
“NIST Internal or Interagency Report (NISTIR) 8259A, IoT Device Cybersecurity Capability Core Baseline.” 2020. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259a/final
“NIST Internal or Interagency Report (NISTIR) 8259B, IoT Non-Technical Supporting Capability Core Baseline.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259b/final
“NIST Special Publication (SP) 800-213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-213a/final
“OCF – Specifications.” n.d. OPEN CONNECTIVITY FOUNDATION (OCF). Accessed March 3, 2022. https://openconnectivity.org/developer/specifications/
About the Authors
Kyle Haefner, PhD is a Lead Security Architect at CableLabs. He also chairs the Core Security work group of the Open Connectivity Foundation (OCF).
Bruno Johnson is the CEO of Cascoda. He also chairs the Marketing and Communications work group of the Open Connectivity Foundation (OCF).
Joe Lomako heads the cybersecurity team in TÜV SÜD’s UK test lab. He has a 25-year background in IoT and wireless connectivity compliance and certification.
TÜV SÜD JOINS THE OPEN CONNECTIVITY FOUNDATION (OCF)
TÜV SÜD is a global leader in Testing, Inspection and Certification (TIC). It recently joined the Open Connectivity Foundation (OCF) to help the organization’s membership advance trust, interoperability and secure communication between IP connected IoT devices and services.
As a trusted partner for safety, security and sustainability solutions, TÜV SÜD works with manufacturers of IoT and connected devices, helping them achieve compliance with multiple mandatory global requirements, including cybersecurity. This experience will be valuable to the ongoing work program of OCF, which promotes collaboration between stakeholders across the IoT ecosystem to deliver an ISO/IEC-based Secure IP Device Framework, an open-source reference implementation and an industry-recognized certification program. As a Gold member of OCF, TÜV SÜD will be eligible to participate in and lead work groups, and to lead and participate in task groups.
Chris Guy, CEO of TÜV SÜD UK, said: “Connectivity is now the norm but with increased connectivity comes increased vulnerability, therefore security is paramount. We’re excited to be contributing to an organisation whose mission is to promote efficient interoperability and strong IoT security”.
Mark Trayer, OCF Chair comments: “OCF welcomes TÜV SÜD as a valued expert in IoT security. We look forward to benefiting from their expertise as they work collaboratively alongside OCF’s 500+ strong membership to enhance OCF’s trusted open internet protocol (IP) framework, which dynamically aligns with baselines for IoT security and privacy regulations, offering peace of mind and enriched experiences”.
ABOUT TÜV SÜD
TÜV SÜD is a global, trusted partner of choice for safety, security and sustainability solutions. Over the last 150 years, we have added value to our partners and customers through a comprehensive portfolio of testing, certification, auditing and advisory services.
ABOUT OCF
The Open Connectivity Foundation (OCF) is a global, member-driven technical standards development organization. Its 500+ members are working to enable trust, interoperability and secure communication between IP-connected IoT devices and services.