feature article
Subscribe Now

Setting Sensible Standards for IoT

GlobalPlatform Takes on the Daunting Task of Governing the Ungovernable

“The majority of meetings should be discussions that lead to decisions.” – Patrick Lencioni

Setting standards must be lonely work. You meet, you discuss, you weigh options, and you write up prescriptions. And then you wait, hoping the industry will follow your lead and take your advice. If they do, great. And if not? Well, there’s always another hill to climb. 

One group that’s been doing this work for 20-odd years is GlobalPlatform, a little-known but busy group of industry experts that has successfully navigated the treacherous and uncharted waters of smartcard security, media copy protection, connected cars, mobile authentication, and more. Like many nonprofit consortia, it’s made up of member volunteers from across the industry. They meet, they debate, they write up recommendations, and oftentimes the world follows their example. 

Its latest endeavor is called IoTopia, a set of four guidelines for making IoT devices more secure, more reliable, easier to connect, and easier to deploy in large numbers. It’s a daunting task, given that the term “IoT” encompasses just about everything smaller than a refrigerator (oh, wait – fridges are IoT devices, too) produced by every conceivable manufacturer. If GlobalPlatform achieves its goals, it’ll be utopia for IoT. 

As Kevin Gillick, GlobalPlatform’s Executive Director, describes it, IoTopia has “four pillars.” These cover security, to make devices more hack-proof; device intent, to make devices talk to each other more fluidly when they’re networked together; onboarding, to streamline the task of bringing up new devices; and lifecycle management, which encompasses firmware updates, maintenance, and eventual device retirement. Like the ones holding up the Parthenon, these are massive pillars. GlobalPlatform members have their work cut out. 

The problem – okay, just one of the problems – facing the IoTopia group is defining standards that can span the world’s wide and varied array of devices. How can you define security measures that work for both a thermostat and a connected car? Or firmware updating policies that are applicable to smart TVs, sprinkler timers, and industrial robots? There’s a fine line between throwing out general platitudes and handcuffing developers with overly specific rules. 

“We want to establish clarity between levels of security,” says Gillick. “What is low security, what is high or substantial security?” The group isn’t trying to write detailed security specs or create code libraries, but rather to define a framework that any device could fit into. A medical pacemaker, for example, would (one hopes) be classified as a high-security device that takes advantage of all the security-related principles that GlobalPlatform defines. The medical device maker can add their own additional criteria, of course, and probably will. 

GlobalPlatform stops short of requiring specific tests to show compliance, on the grounds that no test could suit all devices. It does encourage tests and testing labs; it just leaves the specifics up to the device manufacturers and the appropriate compliance labs.  

One of IoTopia’s big pillars is onboarding, which seems like a non-issue and an odd choice for scrutiny by a standard-setting body. But Gillick makes a good point: “Onboarding is the biggest challenge for customers right now. It’s bad enough at home with a new smart watch. Now imagine the IT guy in a large organization. One study shows that IT departments will need to increase staffing by 5× just to deal with new devices and new types [of devices], all with different processes because there is no single industry agreement on how to do this.” 

No less an authority than NIST says it’s identified at least 20 different specifications, standards, and procedures regarding new device onboarding. If you’re in a large organization that buys from a broad range of vendors – a government department, let’s say – you’re likely to encounter all 20+ different methods, making setup and configuration a miserable experience. Gillick doesn’t think the world will ever standardize on just one golden standard, but he and the other members would like to see the mess reduced to a manageable few. “It could be a major coup” for GlobalPlatform, he says. 

But how can you possibly fix the current situation? By fiat? By writing a meta-layer standard and forcing its adoption? By encouraging companies to coalesce around a few existing procedures (or a new one)? By a mandate from customers? Without guidance, the market will do what it always does, and de facto standards will eventually surface. Gillick says GlobalPlatform doesn’t yet know how this will play out, but it’s determined to have a hand in the process. “We can’t wave a magic wand or make a declaration, but we can put forward the best choices built through industry collaboration.”

Among the other challenges facing GlobalPlatform is noise: the noise of other groups working in parallel to rationalize the IoT world. “The IoT associations du jour appear like mushrooms and make proclamations, but the evidence of output isn’t there. We don’t want the market to fracture and make it too difficult to set standards. The industry can’t wait any longer for that leadership.”

Having said that, GlobalPlatform isn’t above collaboration. The group is happy to coordinate with other deliberative bodies, provided they bring some specific expertise. “If they’re advancing some meaningful technology, we’ll partner with them with an MOU [memorandum of understanding]. We’ve done it before. But we’re a community of security experts.” In other words, we know what we’re doing, and we’ve done this successfully before. 

“We’re moving the ball down the field,” says Gillick, “and giving people something they can work with. It’s not prescriptive. It’s not, ‘you must do this’ or ‘you must agree to third-party testing.’” 

In the end, GlobalPlatform wants to save developers time. “Your money should be invested in differentiating your service, not recreating a readily available underlying security research or development.” It’s a case of all for one and one for all. If IoTopia achieves its goals and becomes widely adopted, maybe all those lonely meetings will have been worthwhile. 

One thought on “Setting Sensible Standards for IoT”

Leave a Reply

featured blogs
Sep 18, 2020
You might have noticed that Cadence has changed its website, its colours, its message. We have also changed the name of our user conference, what used to be CDNLive EMEA has become CadenceLIVE... [[ Click on the title to access the full blog on the Cadence Community site. ]]...
Sep 18, 2020
[From the last episode: We put the various pieces of a memory together to show the whole thing.] Before we finally turn our memory discussion into an AI discussion, let'€™s take on one annoying little detail that I'€™ve referred to a few times, but have kept putting off. ...
Sep 17, 2020
VITA, PICMG, COM-HPCTM, COM Express®, MicroSAM®, and MicroTCA® are all developing standards or updating with new additions and Samtec is moving along with them. Samtec’s involvement in standards has grown over the years, and there are no signs of that slowing down. B...
Sep 16, 2020
In addition to the Great Highland (Scottish) bagpipes, the Uilleann (Irish) bagpipes, and the Northumbrian (English) bagpipes, there are myriad other offerings spanning the globe....

Featured Video

Product Update: Family of DesignWare Ethernet IP for Time-Sensitive Networking

Sponsored by Synopsys

Hear John Swanson, our product expert, give an update on Synopsys’ DesignWare® Ethernet IP for Time-Sensitive Networking (TSN), which is compliant with IEEE standards and enables predictable guaranteed latency in automotive ADAS and industrial automation SoCs.

Click here for more information about DesignWare Ethernet Quality-of-Service Controller IP

Featured Paper

Dissecting The Truth of RF DAC Resolution; Is It 14-Bits or 16?

Sponsored by Maxim Integrated

This application note uses common data conversion theorems to analyze the impacts of resolution and sample rate in a band-limited signal generation application. The conclusion is that the SNR performance improvement, due to the 16-bit LVDS interface bus, provides improved signal-to-noise (SNR) over a 14-bit Interface bus.

Click here to download the whitepaper

Featured Chalk Talk

SLX FPGA: Accelerate the Journey from C/C++ to FPGA

Sponsored by Silexica

High-level synthesis (HLS) brings incredible power to FPGA design. But harnessing the full power of HLS with FPGAs can be difficult even for the most experienced engineering teams. In this episode of Chalk Talk, Amelia Dalton chats with Jordon Inkeles of Silexica about using the SLX FPGA tool to truly harness the power of HLS with FPGAs, getting better results faster - regardless of whether you are approaching from the hardware or software domain.

More information about SLX FPGA