feature article
Subscribe Now

Setting Sensible Standards for IoT

GlobalPlatform Takes on the Daunting Task of Governing the Ungovernable

“The majority of meetings should be discussions that lead to decisions.” – Patrick Lencioni

Setting standards must be lonely work. You meet, you discuss, you weigh options, and you write up prescriptions. And then you wait, hoping the industry will follow your lead and take your advice. If they do, great. And if not? Well, there’s always another hill to climb. 

One group that’s been doing this work for 20-odd years is GlobalPlatform, a little-known but busy group of industry experts that has successfully navigated the treacherous and uncharted waters of smartcard security, media copy protection, connected cars, mobile authentication, and more. Like many nonprofit consortia, it’s made up of member volunteers from across the industry. They meet, they debate, they write up recommendations, and oftentimes the world follows their example. 

Its latest endeavor is called IoTopia, a set of four guidelines for making IoT devices more secure, more reliable, easier to connect, and easier to deploy in large numbers. It’s a daunting task, given that the term “IoT” encompasses just about everything smaller than a refrigerator (oh, wait – fridges are IoT devices, too) produced by every conceivable manufacturer. If GlobalPlatform achieves its goals, it’ll be utopia for IoT. 

As Kevin Gillick, GlobalPlatform’s Executive Director, describes it, IoTopia has “four pillars.” These cover security, to make devices more hack-proof; device intent, to make devices talk to each other more fluidly when they’re networked together; onboarding, to streamline the task of bringing up new devices; and lifecycle management, which encompasses firmware updates, maintenance, and eventual device retirement. Like the ones holding up the Parthenon, these are massive pillars. GlobalPlatform members have their work cut out. 

The problem – okay, just one of the problems – facing the IoTopia group is defining standards that can span the world’s wide and varied array of devices. How can you define security measures that work for both a thermostat and a connected car? Or firmware updating policies that are applicable to smart TVs, sprinkler timers, and industrial robots? There’s a fine line between throwing out general platitudes and handcuffing developers with overly specific rules. 

“We want to establish clarity between levels of security,” says Gillick. “What is low security, what is high or substantial security?” The group isn’t trying to write detailed security specs or create code libraries, but rather to define a framework that any device could fit into. A medical pacemaker, for example, would (one hopes) be classified as a high-security device that takes advantage of all the security-related principles that GlobalPlatform defines. The medical device maker can add their own additional criteria, of course, and probably will. 

GlobalPlatform stops short of requiring specific tests to show compliance, on the grounds that no test could suit all devices. It does encourage tests and testing labs; it just leaves the specifics up to the device manufacturers and the appropriate compliance labs.  

One of IoTopia’s big pillars is onboarding, which seems like a non-issue and an odd choice for scrutiny by a standard-setting body. But Gillick makes a good point: “Onboarding is the biggest challenge for customers right now. It’s bad enough at home with a new smart watch. Now imagine the IT guy in a large organization. One study shows that IT departments will need to increase staffing by 5× just to deal with new devices and new types [of devices], all with different processes because there is no single industry agreement on how to do this.” 

No less an authority than NIST says it’s identified at least 20 different specifications, standards, and procedures regarding new device onboarding. If you’re in a large organization that buys from a broad range of vendors – a government department, let’s say – you’re likely to encounter all 20+ different methods, making setup and configuration a miserable experience. Gillick doesn’t think the world will ever standardize on just one golden standard, but he and the other members would like to see the mess reduced to a manageable few. “It could be a major coup” for GlobalPlatform, he says. 

But how can you possibly fix the current situation? By fiat? By writing a meta-layer standard and forcing its adoption? By encouraging companies to coalesce around a few existing procedures (or a new one)? By a mandate from customers? Without guidance, the market will do what it always does, and de facto standards will eventually surface. Gillick says GlobalPlatform doesn’t yet know how this will play out, but it’s determined to have a hand in the process. “We can’t wave a magic wand or make a declaration, but we can put forward the best choices built through industry collaboration.”

Among the other challenges facing GlobalPlatform is noise: the noise of other groups working in parallel to rationalize the IoT world. “The IoT associations du jour appear like mushrooms and make proclamations, but the evidence of output isn’t there. We don’t want the market to fracture and make it too difficult to set standards. The industry can’t wait any longer for that leadership.”

Having said that, GlobalPlatform isn’t above collaboration. The group is happy to coordinate with other deliberative bodies, provided they bring some specific expertise. “If they’re advancing some meaningful technology, we’ll partner with them with an MOU [memorandum of understanding]. We’ve done it before. But we’re a community of security experts.” In other words, we know what we’re doing, and we’ve done this successfully before. 

“We’re moving the ball down the field,” says Gillick, “and giving people something they can work with. It’s not prescriptive. It’s not, ‘you must do this’ or ‘you must agree to third-party testing.’” 

In the end, GlobalPlatform wants to save developers time. “Your money should be invested in differentiating your service, not recreating a readily available underlying security research or development.” It’s a case of all for one and one for all. If IoTopia achieves its goals and becomes widely adopted, maybe all those lonely meetings will have been worthwhile. 

One thought on “Setting Sensible Standards for IoT”

Leave a Reply

featured blogs
Nov 25, 2020
It constantly amazes me how there are always multiple ways of doing things. The problem is that sometimes it'€™s hard to decide which option is best....
Nov 25, 2020
[From the last episode: We looked at what it takes to generate data that can be used to train machine-learning .] We take a break from learning how IoT technology works for one of our occasional posts on how IoT technology is used. In this case, we look at trucking fleet mana...
Nov 25, 2020
It might seem simple, but database units and accuracy directly relate to the artwork generated, and it is possible to misunderstand the artwork format as it relates to the board setup. Thirty years... [[ Click on the title to access the full blog on the Cadence Community sit...
Nov 23, 2020
Readers of the Samtec blog know we are always talking about next-gen speed. Current channels rates are running at 56 Gbps PAM4. However, system designers are starting to look at 112 Gbps PAM4 data rates. Intuition would say that bleeding edge data rates like 112 Gbps PAM4 onl...

Featured video

Synopsys and Intel Full System PCIe 5.0 Interoperability Success

Sponsored by Synopsys

This video demonstrates industry's first successful system-level PCI Express (PCIe) 5.0 interoperability between the Synopsys DesignWare Controller and PHY IP for PCIe 5.0 and Intel Xeon Scalable processor (codename Sapphire Rapids). The ecosystem can use the companies' proven solutions to accelerate development of their PCIe 5.0-based products in high-performance computing and AI applications.

More information about DesignWare IP Solutions for PCI Express

featured paper

Simplify your isolated current & voltage sensing designs

Sponsored by Texas Instruments

Learn how the latest isolated amplifiers and isolated ADCs can operate with a single supply on the low side, and why this offers substantial benefits over traditional solutions.

Click here to download the whitepaper

Featured Chalk Talk

Thermal Bridge Technology

Sponsored by Mouser Electronics and TE Connectivity

Recent innovations can make your airflow cooling more efficient and effective. New thermal bridges can outperform conventional thermal pads in a number of ways. In this episode of Chalk Talk, Amelia Dalton chats with Zach Galbraith of TE Connectivity about the application of thermal bridges in cooling electronic designs.

More information about TE Thermal Bridge Technology