feature article
Setting Sensible Standards for IoT

GlobalPlatform Takes on the Daunting Task of Governing the Ungovernable

“The majority of meetings should be discussions that lead to decisions.” – Patrick Lencioni

Setting standards must be lonely work. You meet, you discuss, you weigh options, and you write up prescriptions. And then you wait, hoping the industry will follow your lead and take your advice. If they do, great. And if not? Well, there’s always another hill to climb. 

One group that’s been doing this work for 20-odd years is GlobalPlatform, a little-known but busy group of industry experts that has successfully navigated the treacherous and uncharted waters of smartcard security, media copy protection, connected cars, mobile authentication, and more. Like many nonprofit consortia, it’s made up of member volunteers from across the industry. They meet, they debate, they write up recommendations, and oftentimes the world follows their example. 

Its latest endeavor is called IoTopia, a set of four guidelines for making IoT devices more secure, more reliable, easier to connect, and easier to deploy in large numbers. It’s a daunting task, given that the term “IoT” encompasses just about everything smaller than a refrigerator (oh, wait – fridges are IoT devices, too) produced by every conceivable manufacturer. If GlobalPlatform achieves its goals, it’ll be utopia for IoT. 

As Kevin Gillick, GlobalPlatform’s Executive Director, describes it, IoTopia has “four pillars.” These cover security, to make devices harder to compromise; device intent, to let networked devices communicate with each other more fluidly; onboarding, to streamline the task of bringing up new devices; and lifecycle management, which encompasses firmware updates, maintenance, and eventual device retirement. Like the ones holding up the Parthenon, these are massive pillars. GlobalPlatform members have their work cut out. 

The problem – okay, just one of the problems – facing the IoTopia group is defining standards that can span the world’s wide and varied array of devices. How can you define security measures that work for both a thermostat and a connected car? Or firmware updating policies that are applicable to smart TVs, sprinkler timers, and industrial robots? There’s a fine line between throwing out general platitudes and handcuffing developers with overly specific rules. 

“We want to establish clarity between levels of security,” says Gillick. “What is low security, what is high or substantial security?” The group isn’t trying to write detailed security specs or create code libraries, but rather to define a framework that any device could fit into. A medical pacemaker, for example, would (one hopes) be classified as a high-security device that takes advantage of all the security-related principles that GlobalPlatform defines. The medical device maker can add its own additional criteria, of course, and probably will. 

GlobalPlatform stops short of requiring specific tests to show compliance, on the grounds that no test could suit all devices. It does encourage tests and testing labs; it just leaves the specifics up to the device manufacturers and the appropriate compliance labs. 

One of IoTopia’s big pillars is onboarding, which seems like a non-issue and an odd choice for scrutiny by a standard-setting body. But Gillick makes a good point: “Onboarding is the biggest challenge for customers right now. It’s bad enough at home with a new smart watch. Now imagine the IT guy in a large organization. One study shows that IT departments will need to increase staffing by 5× just to deal with new devices and new types [of devices], all with different processes because there is no single industry agreement on how to do this.” 

No less an authority than NIST says it’s identified at least 20 different specifications, standards, and procedures regarding new device onboarding. If you’re in a large organization that buys from a broad range of vendors – a government department, let’s say – you’re likely to encounter a good many of those 20-plus methods, making setup and configuration a miserable experience. Gillick doesn’t think the world will ever converge on a single golden standard, but he and the other members would like to see the mess reduced to a manageable few. “It could be a major coup” for GlobalPlatform, he says. 

But how can you possibly fix the current situation? By fiat? By writing a meta-layer standard and forcing its adoption? By encouraging companies to coalesce around a few existing procedures (or a new one)? By a mandate from customers? Without guidance, the market will do what it always does, and de facto standards will eventually surface. Gillick says GlobalPlatform doesn’t yet know how this will play out, but it’s determined to have a hand in the process. “We can’t wave a magic wand or make a declaration, but we can put forward the best choices built through industry collaboration.”

Among the other challenges facing GlobalPlatform is noise: the noise of other groups working in parallel to rationalize the IoT world. “The IoT associations du jour appear like mushrooms and make proclamations, but the evidence of output isn’t there. We don’t want the market to fracture and make it too difficult to set standards. The industry can’t wait any longer for that leadership.”

Having said that, GlobalPlatform isn’t above collaboration. The group is happy to coordinate with other deliberative bodies, provided they bring some specific expertise. “If they’re advancing some meaningful technology, we’ll partner with them with an MOU [memorandum of understanding]. We’ve done it before. But we’re a community of security experts.” In other words, we know what we’re doing, and we’ve done this successfully before. 

“We’re moving the ball down the field,” says Gillick, “and giving people something they can work with. It’s not prescriptive. It’s not, ‘you must do this’ or ‘you must agree to third-party testing.’” 

In the end, GlobalPlatform wants to save developers time. “Your money should be invested in differentiating your service, not recreating a readily available underlying security research or development.” It’s a case of all for one and one for all. If IoTopia achieves its goals and becomes widely adopted, maybe all those lonely meetings will have been worthwhile. 
