“The majority of meetings should be discussions that lead to decisions.” – Patrick Lencioni
Setting standards must be lonely work. You meet, you discuss, you weigh options, and you write up prescriptions. And then you wait, hoping the industry will follow your lead and take your advice. If they do, great. And if not? Well, there’s always another hill to climb.
One group that’s been doing this work for 20-odd years is GlobalPlatform, a little-known but busy group of industry experts that has successfully navigated the treacherous and uncharted waters of smartcard security, media copy protection, connected cars, mobile authentication, and more. Like many nonprofit consortia, it’s made up of member volunteers from across the industry. They meet, they debate, they write up recommendations, and oftentimes the world follows their example.
Its latest endeavor is called IoTopia, a set of four guidelines for making IoT devices more secure, more reliable, easier to connect, and easier to deploy in large numbers. It’s a daunting task, given that the term “IoT” encompasses just about everything smaller than a refrigerator (oh, wait – fridges are IoT devices, too) produced by every conceivable manufacturer. If GlobalPlatform achieves its goals, it’ll be utopia for IoT.
As Kevin Gillick, GlobalPlatform’s Executive Director, describes it, IoTopia has “four pillars.” These cover security, to make devices more hack-proof; device intent, to make devices talk to each other more fluidly when they’re networked together; onboarding, to streamline the task of bringing up new devices; and lifecycle management, which encompasses firmware updates, maintenance, and eventual device retirement. Like the ones holding up the Parthenon, these are massive pillars. GlobalPlatform members have their work cut out.
The problem – okay, just one of the problems – facing the IoTopia group is defining standards that can span the world’s wide and varied array of devices. How can you define security measures that work for both a thermostat and a connected car? Or firmware updating policies that are applicable to smart TVs, sprinkler timers, and industrial robots? There’s a fine line between throwing out general platitudes and handcuffing developers with overly specific rules.
“We want to establish clarity between levels of security,” says Gillick. “What is low security, what is high or substantial security?” The group isn’t trying to write detailed security specs or create code libraries, but rather to define a framework that any device could fit into. A medical pacemaker, for example, would (one hopes) be classified as a high-security device that takes advantage of all the security-related principles that GlobalPlatform defines. The medical device maker can add their own additional criteria, of course, and probably will.
GlobalPlatform stops short of requiring specific tests to show compliance, on the grounds that no test could suit all devices. It does encourage tests and testing labs; it just leaves the specifics up to the device manufacturers and the appropriate compliance labs.
One of IoTopia’s big pillars is onboarding, which seems like a non-issue and an odd choice for scrutiny by a standard-setting body. But Gillick makes a good point: “Onboarding is the biggest challenge for customers right now. It’s bad enough at home with a new smart watch. Now imagine the IT guy in a large organization. One study shows that IT departments will need to increase staffing by 5× just to deal with new devices and new types [of devices], all with different processes because there is no single industry agreement on how to do this.”
No less an authority than NIST says it’s identified at least 20 different specifications, standards, and procedures regarding new device onboarding. If you’re in a large organization that buys from a broad range of vendors – a government department, let’s say – you’re likely to encounter all 20+ different methods, making setup and configuration a miserable experience. Gillick doesn’t think the world will ever standardize on just one golden standard, but he and the other members would like to see the mess reduced to a manageable few. “It could be a major coup” for GlobalPlatform, he says.
But how can you possibly fix the current situation? By fiat? By writing a meta-layer standard and forcing its adoption? By encouraging companies to coalesce around a few existing procedures (or a new one)? By a mandate from customers? Without guidance, the market will do what it always does, and de facto standards will eventually surface. Gillick says GlobalPlatform doesn’t yet know how this will play out, but it’s determined to have a hand in the process. “We can’t wave a magic wand or make a declaration, but we can put forward the best choices built through industry collaboration.”
Among the other challenges facing GlobalPlatform is noise: the noise of other groups working in parallel to rationalize the IoT world. “The IoT associations du jour appear like mushrooms and make proclamations, but the evidence of output isn’t there. We don’t want the market to fracture and make it too difficult to set standards. The industry can’t wait any longer for that leadership.”
Having said that, GlobalPlatform isn’t above collaboration. The group is happy to coordinate with other deliberative bodies, provided they bring some specific expertise. “If they’re advancing some meaningful technology, we’ll partner with them with an MOU [memorandum of understanding]. We’ve done it before. But we’re a community of security experts.” In other words, we know what we’re doing, and we’ve done this successfully before.
“We’re moving the ball down the field,” says Gillick, “and giving people something they can work with. It’s not prescriptive. It’s not, ‘you must do this’ or ‘you must agree to third-party testing.’”
In the end, GlobalPlatform wants to save developers time. “Your money should be invested in differentiating your service, not recreating readily available underlying security research or development.” It’s a case of all for one and one for all. If IoTopia achieves its goals and becomes widely adopted, maybe all those lonely meetings will have been worthwhile.