Practical advice for securing the IoT

May 13, 2015


Note: The Trusted Computing Group will be presenting a class at the upcoming Embedded TechCon, June 8-10 in San Francisco on the topic of How (and Why) to Make the IoT Trusted.

How can we secure the Internet of Things (IoT)? This topic has stirred considerable debate recently, with internationally renowned security technologist Bruce Schneier and other important figures proclaiming that the IoT is “indefensible” or worse. However, the Trusted Computing Group (TCG), a global security standards organization, is taking a more constructive approach to IoT security.

The TCG has released a draft document titled “TCG Guidance for Securing IoT.” This document describes a practical, scalable approach to IoT security, helping readers to identify which security problems they must address and describing how these problems can be addressed using TCG’s security standards (TPM, self-encrypting drives (SEDs), TNC network security, etc.) and the many products that implement these standards. While TCG has identified some areas where enhancements to these standards will be needed to address advanced IoT needs, many IoT security problems can be addressed today using the existing products and standards.

To solicit broad review and ensure that the document adequately meets people’s needs, TCG has placed the document into a Public Review period. Comments on the document should be sent to [email protected]. Any feedback received by May 20, 2015 will be considered during the subsequent development of this guidance document and of other TCG specifications, which will be enhanced to address IoT security needs.

What do you think of this “open source” approach to standardization? Should more standards bodies seek public comment on their standards before adopting them? Is this an effective way to ensure that the standards actually meet industry needs? And are standards really needed for the IoT?

Standards are now more important than ever. The purpose of IoT is to enable remote data gathering, analysis, and control. Without standards, interoperability will be impeded. And security standards are essential to keeping the IoT from becoming the disaster that some experts are predicting. The hardware security approach advocated by TCG has proven to be an effective way of securing systems, avoiding the pitfalls and vulnerabilities of software security.

Steve Hanna is a Senior Principal at Infineon Technologies. He is a member of the Technical Committee in the TCG and a member of the Security Area Directorate in the Internet Engineering Task Force. Hanna has previously participated in other networking and security standards groups such as the Open Group and OASIS. He is the author of several IETF and TCG standards and published papers, an inventor or co-inventor on 41 issued U.S. patents, and a regular speaker at industry events. He holds a BS degree in Computer Science from Harvard University.

Steve Hanna, Infineon Technologies