feature article
Subscribe Now

Setting Sensible Standards for IoT

GlobalPlatform Takes on the Daunting Task of Governing the Ungovernable

“The majority of meetings should be discussions that lead to decisions.” – Patrick Lencioni

Setting standards must be lonely work. You meet, you discuss, you weigh options, and you write up prescriptions. And then you wait, hoping the industry will follow your lead and take your advice. If they do, great. And if not? Well, there’s always another hill to climb. 

One group that’s been doing this work for 20-odd years is GlobalPlatform, a little-known but busy group of industry experts that has successfully navigated the treacherous and uncharted waters of smartcard security, media copy protection, connected cars, mobile authentication, and more. Like many nonprofit consortia, it’s made up of member volunteers from across the industry. They meet, they debate, they write up recommendations, and oftentimes the world follows their example. 

Its latest endeavor is called IoTopia, a set of four guidelines for making IoT devices more secure, more reliable, easier to connect, and easier to deploy in large numbers. It’s a daunting task, given that the term “IoT” encompasses just about everything smaller than a refrigerator (oh, wait – fridges are IoT devices, too) produced by every conceivable manufacturer. If GlobalPlatform achieves its goals, it’ll be utopia for IoT. 

As Kevin Gillick, GlobalPlatform’s Executive Director, describes it, IoTopia has “four pillars.” These cover security, to make devices more hack-proof; device intent, to make devices talk to each other more fluidly when they’re networked together; onboarding, to streamline the task of bringing up new devices; and lifecycle management, which encompasses firmware updates, maintenance, and eventual device retirement. Like the ones holding up the Parthenon, these are massive pillars. GlobalPlatform members have their work cut out. 

The problem – okay, just one of the problems – facing the IoTopia group is defining standards that can span the world’s wide and varied array of devices. How can you define security measures that work for both a thermostat and a connected car? Or firmware updating policies that are applicable to smart TVs, sprinkler timers, and industrial robots? There’s a fine line between throwing out general platitudes and handcuffing developers with overly specific rules. 

“We want to establish clarity between levels of security,” says Gillick. “What is low security, what is high or substantial security?” The group isn’t trying to write detailed security specs or create code libraries, but rather to define a framework that any device could fit into. A medical pacemaker, for example, would (one hopes) be classified as a high-security device that takes advantage of all the security-related principles that GlobalPlatform defines. The medical device maker can add their own additional criteria, of course, and probably will. 

GlobalPlatform stops short of requiring specific tests to show compliance, on the grounds that no test could suit all devices. It does encourage tests and testing labs; it just leaves the specifics up to the device manufacturers and the appropriate compliance labs.  

One of IoTopia’s big pillars is onboarding, which seems like a non-issue and an odd choice for scrutiny by a standard-setting body. But Gillick makes a good point: “Onboarding is the biggest challenge for customers right now. It’s bad enough at home with a new smart watch. Now imagine the IT guy in a large organization. One study shows that IT departments will need to increase staffing by 5× just to deal with new devices and new types [of devices], all with different processes because there is no single industry agreement on how to do this.” 

No less an authority than NIST says it’s identified at least 20 different specifications, standards, and procedures regarding new device onboarding. If you’re in a large organization that buys from a broad range of vendors – a government department, let’s say – you’re likely to encounter all 20+ different methods, making setup and configuration a miserable experience. Gillick doesn’t think the world will ever standardize on just one golden standard, but he and the other members would like to see the mess reduced to a manageable few. “It could be a major coup” for GlobalPlatform, he says. 

But how can you possibly fix the current situation? By fiat? By writing a meta-layer standard and forcing its adoption? By encouraging companies to coalesce around a few existing procedures (or a new one)? By a mandate from customers? Without guidance, the market will do what it always does, and de facto standards will eventually surface. Gillick says GlobalPlatform doesn’t yet know how this will play out, but it’s determined to have a hand in the process. “We can’t wave a magic wand or make a declaration, but we can put forward the best choices built through industry collaboration.”

Among the other challenges facing GlobalPlatform is noise: the noise of other groups working in parallel to rationalize the IoT world. “The IoT associations du jour appear like mushrooms and make proclamations, but the evidence of output isn’t there. We don’t want the market to fracture and make it too difficult to set standards. The industry can’t wait any longer for that leadership.”

Having said that, GlobalPlatform isn’t above collaboration. The group is happy to coordinate with other deliberative bodies, provided they bring some specific expertise. “If they’re advancing some meaningful technology, we’ll partner with them with an MOU [memorandum of understanding]. We’ve done it before. But we’re a community of security experts.” In other words, we know what we’re doing, and we’ve done this successfully before. 

“We’re moving the ball down the field,” says Gillick, “and giving people something they can work with. It’s not prescriptive. It’s not, ‘you must do this’ or ‘you must agree to third-party testing.’” 

In the end, GlobalPlatform wants to save developers time. “Your money should be invested in differentiating your service, not recreating a readily available underlying security research or development.” It’s a case of all for one and one for all. If IoTopia achieves its goals and becomes widely adopted, maybe all those lonely meetings will have been worthwhile. 

One thought on “Setting Sensible Standards for IoT”

Leave a Reply

featured blogs
Mar 5, 2021
The combination of the figure and the moving sky in this diorama -- accompanied by the music -- is really rather tasty. Our cats and I could watch this for hours....
Mar 5, 2021
Explore what's next in automotive sensors, such as the roles of edge computing & sensor fusion and impact of sensor degradation & software lifecycle management. The post How Sensor Fusion Technology Is Driving Autonomous Cars appeared first on From Silicon To Softw...
Mar 5, 2021
Design companies often work with multiple PCB fabricators and each fabricator may have a different set of DFM rules. It is a customary practice followed by design companies to create a common... [[ Click on the title to access the full blog on the Cadence Community site. ]]...
Mar 3, 2021
In grade school, we had timed math quizzes. With a sheet full of problems and the timer set, the goal was to answer as many as possible. The key to speed is TONS of practice and, honestly, memorization '€“ knowing the problems so well that the answer comes to mind at first ...

featured paper

Using the DS28E18, The Basics

Sponsored by Maxim Integrated

This application note goes over the basics of using the DS28E18 1-Wire® to I2C/SPI Bridge with Command Sequencer and discusses the steps to get it up and running quickly. It then shows how to use the device with two different devices. The first device is an I2C humidity/temperature sensor and the second one is an SPI temperature sensor device. It concludes with detailed logs of each command.

Click here to download the whitepaper

Featured Chalk Talk

Bluetooth Overview

Sponsored by Mouser Electronics and Silicon Labs

Bluetooth has come a long way in recent years, and adding the latest Bluetooth features to your next design is easier than ever. It’s time to ditch the cables and go wireless. In this episode of Chalk Talk, Amelia Dalton chats with Mark Beecham of Silicon labs about the latest Bluetooth capabilities including lower power, higher bandwidth, mesh, and more, as well as solutions that will make adding Bluetooth to your next design a snap.

Click here for more information about Silicon Labs EFR32BG Blue Gecko Wireless SoCs