IoT Standards in 2019: Semantics, Security and Social Issues
Security Is Still a Problem
If there is one area where there is universal agreement on the need for standards and the relative lack thereof, it’s security. Joe Weiss, a consultant with Applied Control Solutions and the managing director of ISA99, industrial automation and control system cyber security, summed it up best: “It’s 2019,” he said. “How can we be in this place? We haven’t made much progress with security at all. We’ve made lots of progress monitoring the networks and almost nothing about what we were supposed to do in the first place.”
There are several problems when it comes to security and ultimately the standards related to it. The first is cost, according to Bevan. “Manufacturers of fairly simple sensors have been trying to keep costs down by using cheap, low power microprocessors which are not capable of handling the load imposed by encryption,” he said. And providing adequate security simply isn’t easy, added IEEE’s Chandrasekaran. “Right now convenience is more important,” he said.
But the stakes are too high to settle for that, said James Stogdill, a technology consultant. An IoT system with poor security and no updates that is deployed everywhere is going to mean the Internet has “an unsecure substrate that is perpetually available to bad actors,” he explained.
Standards will help, of course, but Shelby believes a more sweeping attitude change toward security needs to happen. IIC’s Soley agrees, and stressed the group’s 26 test beds build security in first.
Time to Look Inward?
With such little consistency across the standards landscape, it can be hard to see the bigger picture, said Rob Van Kranenburg, founder of Council IoT. He’s concerned that a focus just on the technology standards could leave the industry vulnerable to poor choices in other areas. Specifically, Van Kranenburg would like to see a public debate on the COEL Standard specification. “The COEL Specification ‘provides a clear and robust framework for implementing a distributed system capable of capturing data relating to an individual as discrete events,’” he wrote in an email. “’It facilitates a privacy-by-design approach for personalized digital services, IoT applications where devices are collecting information about identifiable individuals and the coding of behavioral attributes in identity solutions.’ These specifications make everyday life readable to machines (voice controllers in the home) and robots. This will lead to a further commodification of our everyday existence. Are we ready for this? Do we want that?”
Van Kranenburg wants to ask harder questions as part of his work with Council_IoT, but he also made the case for government to take a larger role in IoT standards development moving forward. This is a stance Bloor’s Bevan agrees with. He points to UL2900, a standard for device security developed by Underwriters Laboratories, that the FDA has recognized for use in medical devices. He see promise in this hybrid process. “A blended approach of bottom up development of standards and ratification and compliance legislation from the government is the way forward,” he said. Time will tell how it all works.