Has the IoT grown too big to be secure?
- March 17, 2025
- Steve Rogerson
- Aeris
- Tata Communications
Steve Rogerson checks how the IoT industry is tackling the growing security crisis.

Did you know there are more IoT devices than people on the planet? I got that gem from Syed Hosain of Aeris during this month’s IMC-GCF Joint Task Force meeting on the eve of Embedded World in Nuremberg.
For those not aware, the IMC-GCF Joint Task Force was set up by the IoT M2M Council (IMC) and the Global Certification Forum (GCF) (www.iotm2mcouncil.org/imc-gcf-joint-task-force-on-iot-security) to provide practical guidance on navigating the various security regulations and standards that affect the IoT.

This growth in the number of IoT devices has drastically increased the attack surface for bad actors looking for ways into organisations or methods to disrupt infrastructure. Robin Duke-Woolley, CEO of Beecham Research, summed this up when he said: “Ten years ago, the IoT was not worth attacking. That is not the case now.”
Though the cost of complying with the regulations is high, the problem, Robin said, was that the cost of not complying could be much higher.
Syed Hosain, or Z (pronounced Zee) as he is known, said one of the difficulties was that there were no standard IoT devices; they come in all shapes and sizes, from a small sensor to an autonomous vehicle or large pieces of industrial equipment. And these all work in different ways. This means the security issues are different as well, and that is a moving target.

Later, during a panel at Embedded World, Z expanded on his thoughts, saying it was important to have security by design.
“You need to build in all the capabilities during the design stage,” he said.
Patrick Cao, vice president at Tata Communications, agreed: “Security needs to be built in from the beginning. But it is an evolving situation and new security threats will be developed, so the security also has to be upgradeable.”
This, said Z, was because IoT devices can stay live on the network for a very long time, for years. This means when looking at security you shouldn’t just consider new devices but all the old devices on the network, some of which might not even be upgradeable.

But wait a minute. We now have AI, this all-singing answer to all our problems, if we are to believe the hype. I don’t, but can it help here? Well yes, but as Z pointed out the attackers have the same AI tools that the good guys have, and they could use them for attacks much bigger than what we have seen so far.
“We have to be aware that large-scale attacks can happen,” said Z. “We have to be careful. We have to make sure we are not going to cause more problems by having AI in place.”
Regulations can help in that they can force people to adopt security. Without them, the cost of implementing defences can put many off; this is a competitive market and extra expenses must be avoided. However, if they are forced to implement them, then so are their competitors and that means no real effect on the pricing landscape. But for this to happen, the regulations need teeth.
As Z said, with no teeth, why bother?
“There have to be teeth to enforce the regulations,” he said, adding that regulations didn’t exist in a vacuum but were there to provide protection. Regulations tell you what needs to be done, and standards tell you how to do it. Or do they? In theory yes, but in practice it leads to a lot of head scratching and consultancy fees and mistakes and confusion and… I could go on. This is where the task force comes in. It hopes within a relatively short time to provide a map through the maze of standards and regulations that companies and engineers can use to make sure they comply with whatever is out there. Here’s hoping they succeed.