IoT Security: Confusing And Fragmented
By Brian Moyer, Semiconductor Engineering
Regulations and compliance are inconsistent and often inadequate, but adding better security boosts cost and impacts performance and power.
Security regulations for Internet-of-Things (IoT) devices are evolving around the world, but there is no consistent set of requirements that can be applied globally — and there may never be.
What exists today is a patchwork of certification labs and logos. That makes it difficult for IoT-device designers to know where to get their security blessed. Unlike in data centers, where there is a range of ISO and SAE standards, as well as a long list of best practices, there is nothing comparable in the IoT world.
One need look no further than the constant stream of software updates required to patch security holes in devices. “It’s been very undisciplined in terms of how these rollouts have happened,” said John Hallman, product manager for trust and security at OneSpin Solutions. “We’ve just started to blindly accept all the new terms that come with an update because nobody wants to read the fine print of all the disclaimers for an upcoming release or the release notes with the software patch or firmware update. We’ve lost the sense of discipline that catches these updates as they come out, and the attackers are just playing on that lack of discipline and can slip into these updates.”