IoT Security Groundswell Gathers

Date Published: May 01, 2015

Author: Rick Merritt, Silicon Valley Bureau Chief

After plenty of talk, a wave of real action aimed at solving the Internet of Things’s security problems is on the rise.

At least twice a week someone pings me with an idea for a guest article on how engineers must solve security problems if the Internet of Things is going to reach its potential. After plenty of talk on the topic, a wave of real action is on the rise.

The Intel-led Open Interconnect Consortium defining a high-level IoT software stack recently called for engineers to join its work on security. I know its rival, the Thread Group, is engaged in similar work. The IEEE is taking a different tack, organizing an effort in which policy makers to join engineers

IoT security was a hot topic at the recent RSA Conference. The Trusted Computing Group put out a white paper there about how to embed its approach to a hardware root of trust in resource-limited IoT nodes.

Stanford University recently wrapped up a seminar on the topic. Another good reference is this list of the ten top attack sites for IoT.

Imagination Technologies recently announced it is developing its own approach called OmniShield based on TCG concepts. It plans to offer new features such as support for multiple secure domains, but its APIs probably won’t be ready until sometime next year.

Just yesterday, I got a note about the new Securing Smart Cities not-for-profit initiative. Security researchers at IOActive, Kaspersky Lab, Bastille, and the Cloud Security Alliance created the effort to share information about cybersecurity challenges.

In the engineering toolbox, veteran embedded-systems consultant Larry Mittag recently noted that Ubuntu’s Linux distribution for IoT, Snappy, has enforced application isolation as part of its built-in security. Separately, Max Maxfield reported on security tools for SoC and FPGA designers from Tortuga Logic and noted several IoT security sessions at the upcoming Embedded Systems Conference in Silicon Valley he is organizing.

The Global Semiconductor Alliance recently released a report on IoT that called out security issues, as noted in a story by my colleague Junko Yoshida. And today, IBM released the annual report from the Ponemon Institute on the state of Internet security generally.

The Ponemon study of 350 global companies across all industries said the average total cost of a data breach increased 23 percent over two years to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased six percent to $154. However, the cost in healthcare companies was as high as $363.

The higher costs of breaches may be due in part to wider use of forensic tools, the study said. But it also made it clear there’s plenty of room for better tools. The study estimated a mean time to identify a data breach at 206 days with a range of 20 to 582 days. The mean time to contain one was 69 days with a range of 7 to 175 days.

As big as these data breaches in the headlines are, they may be just the tip of the iceberg for a society moving into a world of networked things. The good news is work on the standards and tools is clearly underway, and the efforts have plenty of headroom.
