Could one size fit all? oneM2M rallies for global IoT security standards

Fostering the global adoption of common security standards within the IoT space, oneM2M members have agreed on plans for a second release of the body’s specifications on the topic.

Companies came together last week at the 18th Technical Plenary meeting held in Philadelphia, PA, to draft the security Common Services Function (CSF) part of the final release, which is expected to be available in autumn 2016.

The security CSF comprises sensitive data handling, security administration and security association establishment.

oneM2M said that functionalities comprised in the Security CSF include access control with identification, authentication and authorisation, and identity management.

In the oneM2M Architecture, the organisation has established that the Common Services Function (CSF) is an informative architectural construct, which conceptually groups together a number of sub-functions.

oneM2M said in the draft document: "Sensitive data handling functionality in the SEC CSF protects the local credentials on which security relies during storage and manipulation.

"Sensitive data handling functionality performs other sensitive functions such as security algorithms. This functionality is able to support several cryptographically separated security environments."

Members of the organisation include companies like AT&T, BT, Cisco, IBM Europe and Actility.

Olivier Hersent, CEO at Actility, told CBR: "The key security element on an IoT network is the ability to guarantee the confidentiality and integrity of application-specific data. Another fundamental point is being able to dynamically provision and authenticate devices and support roaming scenarios."

Matt Davies, Head of Marketing EMEA at Splunk, told CBR: "Industry-wide standards should include securing the device, the communications, the data generated and patterns of user behaviour (to name just a few). These must not work alone – they need to be combined to get a complete view of the security landscape to prevent a multi-pronged, sophisticated attack."

oneM2M said that security administration functionalities enable services such as the creation and administration of a dedicated security environment supported by the Sensitive Data Handling functionality in the oneM2M architecture.

The alliance added that this will still enable post-provisioning of a root credential, protected by the security environment, and provisioning and administration of subscriptions related to M2M Common Services and M2M Application Services.

The body said that security association establishment functionality establishes a security association between corresponding M2M Nodes, in order to provide services such as confidentiality and integrity.

Access control functionality authorises services and specific operations (for example, read/update) on resources to identified and authenticated entities, according to provisioned access control policies and assigned roles.

While the unique identifier of an entity is used for authentication and identity management, this functionality provides pseudonyms which serve as temporary identifiers that cannot be linked to the true identity of either the associated entity or its user.

Davies said: "Industry bodies need to provide real-time security threat assessments and possibly external threat feeds to ensure that any organisation delivering any kind of IoT-related service can be up to date with the most recent security threat patterns.

"If these industry bodies are to be successful then they may need to become security threat information brokers and share real-time threat assessments, data and alerts to ensure everyone is protected."

Dave Hrycyszyn, Director of Strategy and Technology at Head, told CBR: "The jury’s out on oneM2M. But it is worth saying that so far in the history of the Internet, security standards which win have tended to be open and to come from the Free and Open Source Software communities.

"They come from the people who actually need open standards and library code right now, because they are under pressure to get things done. They mostly have not started from technical committees dominated by vendors, which are typically very slow-moving."

As the search for common security standards accelerates, the IoT security market is forecast to grow at a CAGR of 54.93% between 2015 and 2019, according to ReportsnReports.

The company said that the growing need for regulatory compliance has resulted in the unprecedented growth of this industry.

To calculate the IoT security market size, the research considered the revenue generated from the sales of IoT security software solutions used for network security and management.

The research found that the majority of organisations have not yet implemented IoT technology or a platform within their business, with mobile computing, Wi-Fi, and real-time location tracking found to be crucial for organisations to implement IoT.

In the report, executives also said that no major change is required in the security program handling the implementation of IoT, with organisations expecting system integration, privacy issues and security concerns to pose challenges in the implementation of IoT solutions over the next three years.

ReportsnReports found that organisations expect IoT solutions to improve customer experience and increase resource optimisation, with the power and energy, logistics, and healthcare sectors expected to record significant implementation of IoT over the next two years.

Wieland Alge, GM EMEA at Barracuda Networks, told CBR: "Security is not a puzzle or a problem to be solved; it’s a mess. Messes can only be managed and mitigated. Without a zero trust environment, there is no secure foundation."
This article is from the CBROnline archive: some formatting and images may not be present.