International Security Standards and the Internet of Things


The third meeting of the International Standards Organization’s (ISO) Special Working Group (SWG) on the Internet of Things (IoT) recently took place in Chongqing, China. The purpose of the SWG is essentially to assess what has been done to date related to IoT standards and provide guidance to ISO about the ISO so that the existing standards might be evolved to meet the needs of the IoT – as appropriate.

In the area of security, this may mean that the world’s most widely adopted security standard, the ISO 27000 family of management and operational standards, gets an update to accommodate new security requirements associated with the IoT.

Auditing and standards will be critical to the IoT because they enable technical interoperability, and from a risk management perspective they enable business interoperability.

Without standards, the effort to get independently developed IoT systems working together will be a much more difficult process involving an infinite number of point-to-point relationships, which simply do not scale.

Without standards, the IoT will evolve more slowly, will be more expensive and will ultimately possess lower quality and higher risk. The higher risk part will start with the business risks we discuss in this chapter, but extend to the operational risks we discuss in the next chapter and to an unlimited range of technical risks that we do not attempt to address.

The reason the IoT will be unmanageably risky without standards is the additional complexity that will come without them. Already the IoT will be the most complex and intricate thing ever created by mankind, with billions and billions of (literally) moving parts connected by ubiquitous and heterogeneous (many different types of) networks. From a risk management and security perspective, no standards mean each IoT system will need to have individual and unique security investments and assessment.

If each IoT system has individual and unique security, then each interface or connection between each system will have to be established through slow bilateral processes. Such a system would be uncontrollably expensive and violate one of the most common business requirements of the IoT – that it possess financial justification: that the IoT creates value rather than destroying it.

The alternative to security standards in the IoT is an expensive, bilateral system of security and risk management. Or managers, owners and users simply accept unknown risk – the worst type of risk management decision of them all, and in many cases an option counter to regulation and law.
