Pay no attention to the curtain developed by the man.
Eclipse, the open source development environment and organization supported by many, including the Java community, has launched its IoT initiative’s frameworks and industry services. (The URL is http://iot.eclipse.org/frameworks.html.) The stated mission of the IoT Working Group is to foster “the creation of extensible services and frameworks that enable IoT applications on top of open APIs.” The Kura and Mihini frameworks are all about the transport layer associated with gateways and transmission. The focus on services starts with the smart home and smart grid using Eclipse SCADA. From the protocol standpoint it supports MQTT, CoAP, OMA and ETSI M2M. In the end, of course, it will deliver a development environment.
In the upfront discussion the group talks about the elephant in the room, without directly looking at the beast. We have a lot of legacy in the IoT world, which was built for a purpose on generally available devices. The result is a lot of custom work that has probably been tested for task-oriented quality assurance but not for security.
Again and again, I am being told about software shivs that bring in their own OS after a denial of service attack and once on this OS the hard drive might as well be a dictionary to the customer’s systems. Often there are unintended consequences, for example in some cases the infrared system on your smart TV has been used as an entry point to find out your Wi-Fi SSID and password.
While it would be easy to say that encryption and locking down ports is the right way to go, the larger issue is not knowing what we don’t know. When I studied penetration testing, I was part of a very open group of security thought leaders who understood that the veil of secrecy worked to the advantage of the attackers. It was pointed out in a recent article in Bloomberg News that attackers often figure out ways to exploit a system in days, while it takes months for the penetration to be discovered.
While it seems obvious that the industry needs to gather together and learn to breach ourselves as if we were the hackers, the problem is that the incentive is to congratulate ourselves on defeating an attack, and therefore we aren’t as relentless as our opponents.
The Eclipse foundation effort, the W3C effort on the Web of Things, and several other initiatives are all worth the time of the IoT community to get involved. Getting the incentives right is the next big problem.
While it is late in the job review cycle to do this, I would like to suggest that the chief security or information officer be allowed to add objectives for participating in the security dialogue wherever it is appropriate for your organization.
The frameworks are going to help developers get to market more rapidly with a stable, replicable solution. One thing that I constantly harp about on the value of open source is the reduction of cost on quality assurance that comes from using a common framework.
Another strategy that makes sense to me is to rely on the web to be the framework; the W3C WoT effort aims “to accelerate the adoption of web technologies as a basis for enabling services for the combination of the Internet of Things with rich descriptions of things and the context in which they are used.”
When combined with the security expertise of OWASP, the web has a legitimate role in managing devices that allow developers to stay focused. Additionally, I think we are all trained to see our browser as the configuration user interface thanks to Wi-Fi.
At the end of the day, no one can stop you from going it alone, but my sincere hope is that you join some part of the community.
Edited by Maurice Nagle