Smart Card Alliance Forms IoT Security Council

If an IoT device is basically an embedded device with some connectivity, then one of the earliest IoT devices is the smart card. The driving force behind smart card standards is the Smart Card Alliance (SMA), an organization comprising more than 200 worldwide members from finance, government, telecommunications, transport, healthcare and retail. Many of its members involved in chips and services for smart cards are also pursuing new opportunities in the IoT market. 

A Business Insider report from 2014 claims, “The Internet of Things will be the largest device market in the world. We estimate that by 2019 it will be more than double the size of the smartphone, PC, tablet, connected car, and the wearable market combined.” It also adds that the IoT “lacks a common set of standards and technologies that would allow for compatibility and ease-of-use.” Perhaps more importantly it also lacks a commonly adopted set of standards specifically for security.

It is against this background that the Smart Card Alliance has decided to form an Internet of Things Security Council, and to use its considerable influence to provide guidance and insights. 

“The Smart Card Alliance has a proven track record in bringing industries together to move technologies forward. We’ve had positive impacts in many markets, propelling the use of EMV chip, NFC for mobile devices, contactless fare payment in transit systems, and secure PIV identity cards in government. The Alliance aims to do the same with IoT,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The Internet of Things Security Council will provide a single forum where all industry stakeholders can network, share implementation experiences, and discuss applications and security approaches, as well as provide best practices and education to the industry to promote security and privacy.”

If the IoT is to be secure, and be able to receive, handle and transmit personal data securely, every single device will need to have an identity that can be authenticated. This is a problem already solved by the smart card industry. “Embedded chip security is needed to protect the ‘identity’ of each device, to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate,” Vanderhoof wrote in his monthly SMA letter. 

“A principle behind the security of smart chips is that the chips not only control how the devices perform under normal conditions, but also control how the devices react when they are attacked or tampered with in any way, including self-destruction, to prevent tampering. Applying those techniques – already proven and implemented for protecting and managing the identity of persons – will deliver a secure platform for the billions of connected devices.”

But while the SMA has considerable influence, it also has one particular drawback – it comprises vendors who are simultaneously seeking new markets for themselves. Cesare Garlati, chief security strategist at the Prpl Foundation (another organization seeking to provide security to the IoT), told SecurityWeek, “The risk when vendors are involved is quite high, especially when they’re not running the group as a full time job – and it mainly comes down to the ability to execute.” He suggests that “any cross-industry consortium that wants to be successful should have a focus – instead of ‘addressing the IoT space’ – which could mean anything – pick one aspect (hardware/software, etc) and have a razor sharp focus.”

Another organization that could play a major part in the security of the IoT is The Global Identity Foundation, which seeks identity standardization around ‘Identity 3’ – which itself grew out of proposals first formulated by the CISO-centric Jericho Forum. Identity 3 is the only serious option for a global, open identity standard; and as such is ideally suited to provide an identity methodology for the IoT.

CEO Paul Simmonds has similar concerns to those of Garlati. He told SecurityWeek, “The problem with all these groups is the focus of the group defines the ‘solution’. Thus, as the Smart Card Alliance, the solution seems to be to embed SmartCard technology into IoT. They need to think outside their niche to the bigger picture with an open mind that their focus may not be the answer, or may be a small part of the whole picture.”

While it is a welcome sign that many different organizations are now seeking to formulate security standards for the IoT, it would be even better if all could combine and work together.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
