If an IoT device is basically an embedded device with some connectivity, then one of the earliest IoT devices is the smart card. The driving force behind smart card standards is the Smart Card Alliance (SMA), an organization comprising more than 200 worldwide members from finance, government, telecommunications, transport, healthcare and retail. Many of its members involved in chips and services for smart cards are also pursuing new opportunities in the IoT market.
A Business Insider report from 2014 claims, “The Internet of Things will be the largest device market in the world. We estimate that by 2019 it will be more than double the size of the smartphone, PC, tablet, connected car, and the wearable market combined.” It also adds that the IoT “lacks a common set of standards and technologies that would allow for compatibility and ease-of-use.” Perhaps more importantly it also lacks a commonly adopted set of standards specifically for security.
It is against this background that the Smart Card Alliance has decided to form an Internet of Things Security Council, and to use its considerable influence to provide guidance and insights.
“The Smart Card Alliance has a proven track record in bringing industries together to move technologies forward. We’ve had positive impacts in many markets, propelling the use of EMV chip, NFC for mobile devices, contactless fare payment in transit systems, and secure PIV identity cards in government. The Alliance aims to do the same with IoT,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The Internet of Things Security Council will provide a single forum where all industry stakeholders can network, share implementation experiences, and discuss applications and security approaches, as well as provide best practices and education to the industry to promote security and privacy.”
If the IoT is to be secure, and be able to receive, handle and transmit personal data securely, every single device will need to have an identity that can be authenticated. This is a problem already solved by the smart card industry. “Embedded chip security is needed to protect the ‘identity’ of each device, to prevent unauthorized tampering with how these devices are designed to work, and to protect the privacy and security of the vast amount of data the devices generate,” Vanderhoof wrote in his monthly SMA letter.
“A principle behind the security of smart chips is that the chips not only control how the devices perform under normal conditions, but also control how the devices react when they are attacked or tampered with in any way, including self-destruction, to prevent tampering. Applying those techniques – already proven and implemented for protecting and managing the identity of persons – will deliver a secure platform for the billions of connected devices.”
But while the SMA has considerable influence, it also has one particular drawback – it comprises vendors who are simultaneously seeking new markets for themselves. Cesare Garlati, chief security strategist the Prpl Foundation (another organization seeking to provide security to the IoT), told SecurityWeek, “The risk when vendors are involved is quite high, especially when they’re not running the group as a full time job – and it mainly comes down to the ability to execute.” He suggests that “any cross-industry consortium that wants to be successful should have a focus – instead of ‘addressing the IoT space’ – which could mean anything – pick one aspect (hardware/software, etc) and have a razor sharp focus.”
Another organization that could play a major part in the security of the IoT is The Global Identity Foundation , which seeks identity standardization around ‘Identity 3’ – which itself grew out of proposals first formulated by the CISO-centric Jericho Forum. Identity 3 is the only serious option for a global, open identity standard; and as such is ideally suited to provide an identity methodology for the IoT.
CEO Paul Simmonds has similar concerns to those of Garlati. He told SecurityWeek, “The problem with all these groups is the focus of the group defines the ‘solution’. Thus, as the Smart Card Alliance, the solution seems to be to embed SmartCard technology into IoT. They need to think outside their niche to the bigger picture with an open mind that their focus may not be the answer, or may be a small part of the whole picture.”
While it is a welcome sign that many different organizations are now seeking to formulate security standards for the IoT, it would be even better if all could combine and work together.