Three prominent chip makers and the European Union (EU) Agency for Network and Information Security (ENISA) have cooked up what they called a “common position” on Internet of Things (IoT) cybersecurity and privacy.
As is routine with standards frameworks, the collaborators--which include Infineon, STMicroelectronics and NXP Semiconductors--produced a five-page document that detailed a set of suggestions and challenges for EU cybersecurity policy makers, suppliers and partners.
What's different about this roadmap is its focus on the IoT, specifically the implied clarion call on the coming onslaught of security attacks targeting connected devices. And, it’s the unexpected terming of cybersecurity and privacy as a “market failure”--blaming the high cost of solutions for suppliers and buyers’ reluctance to pay a premium--that’s also a bit eyebrow raising.
IoT Security: Key Priorities
Standardization and certification, security processes and services, security requirements and implementation, and the economic impact of securing (and not securing) connected devices are the platform’s headliners. The paper also offers specific recommendations for the European Commission and the EU's member states to consider.
In that sense, what the nascent group says certainly will reverberate to MSSPs worldwide, particularly for their ability to implement the document’s precepts. Considering that IoT devices largely can’t yet protect themselves against security attacks, a common denominator is a pretty good jumping off point. Indeed, all three semiconductor companies agreed that a set of security and privacy principles is the right catalyst to spur IoT adoption and market growth.
“Currently there is no basic level, no level zero defined for the security and privacy of connected and smart devices,” the group said. “This is why we recommend effective baseline requirements for security and privacy in the networked architecture and value chain as a whole: from simple IoT devices to complex IoT systems like connected cars and factories.”
IoT Security Framework: Good for Everyone?
A particular note for MSSPs is the colleagues’ expectation that an “EU Trust Label,” based on defined requirements and evaluated by third-parties, would level the playing field for the entire industry. They didn’t say exactly how a badge will help that happen, just that it will.
Inasmuch as ENISA is actively looking looking for other semiconductor companies as well as application and service providers to sign on, perhaps it believes that strength in numbers will prevail in that regard.
Attention to IoT security and the inevitable jockeying for leadership among vendors is clearly heating up. This initiative follows Cisco’s new IoT Threat Defense, an architectural and services solution unwrapped last week, that’s essentially a package of existing products and services to help segregate critical systems in vulnerable industries.
Earlier this year, IT heavyweights AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic together vowed to solve the IoT’s most pressing security problems. Their association, called the IoT Cybersecurity Alliance, takes the position that IoT security lies in protecting all devices at the endpoint, network, cloud and application layer with built- in, always-on protection.