Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

10/23/2019
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

IoTopia Framework Aims to Bring Security to Device Manufacturers

GlobalPlatform launches an initiative to help companies secure connected devices and services across markets.

IoTopia, a new framework for IoT security, aims to standardize the design, certification, deployment, and management of connected services and services, GlobalPlatform reports.

This initiative marks the latest effort to build on IoT security by the industry standards body, whose members work to ensure its specifications align with current and emerging market requirements. GlobalPlatform has 2,600 industry representatives from 90 member companies, and people around the world rely on its certified secure elements, which have been integrated in chip-enabled credit cards, smartphones, smart TVs, and control units built into vehicles.

As the Internet of Things continues to expand, so, too, do GlobalPlatform's efforts to better secure it, says executive director Kevin Gillick. "We're progressing farther into this world of interconnected devices everywhere," he explains. "The same component technology and the same security mindset is logically extensible into this new space."

The IoT is the "wild, wild west," Gillick continues. Device makers are entering the ecosystem and creating connected products without bringing security into the picture. Part of GlobalPlatform's effort involves sharing standardization to bring products to market faster, at a lower price. It makes more sense, he says, for manufacturers to invest R&D into a service they can build their brands around rather than in their own security architectures and certifications.

"There is a lack of a common IoT security framework," he adds. Device manufacturers don't have security at the core of their competence; many avoid it because of the bias that adding more protection will increase cost and time to market. The idea behind IoTopia is to help these makers implement a framework that helps them move forward wihout bring security experts.

"We're seeing a lot of industry associations crop up around IoT who talk a lot about requirements, talk about security and use cases, but don't tell you how to implement it into technology," Gillick says. "Moving from words and speech to something actionable and adoptable is [a gap] no one has been able to close."

IoTopia is based on four pillars. The first is security by design, which includes capabilities and features that define how secure components and APIs can be used with existing "secure by design" standards. The second pillar is device intent. IoTopia uses Internet Engineering Task Force's manufacturer usage descriptions and uniform resource identifier to manage device permissions and access on networks, GlobalPlatform explains.

"We want to make sure we have in place a simple way to answer important questions about the device," Gillick says. "What is this thing? Who is responsible for it? How do I protect it, and how do I protect my business? Is it doing what it should be doing? … There's no systematic way to go about doing that."

The third pillar addresses autonomous, scalable, secure device onboarding (SDO), as IoTopia will offer an open, standards-based secure onboarding process to streamline network administration. The fourth focuses on device life cycle management, including a range of capabilities to manage devices throughout their life cycles aligned with international regulations.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10694
PUBLISHED: 2019-12-12
The express install, which is the suggested way to install Puppet Enterprise, gives the user a URL at the end of the install to set the admin password. If they do not use that URL, there is an overlooked default password for the admin user. This was resolved in Puppet Enterprise 2019.0.3 and 2018.1....
CVE-2019-10695
PUBLISHED: 2019-12-12
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user�s username and password were exposed in the job�s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the ...
CVE-2019-5085
PUBLISHED: 2019-12-12
An exploitable code execution vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an integer overflow, resulting in heap corruption. An attacker can send a packet to trigger this vulnerability.
CVE-2019-5090
PUBLISHED: 2019-12-12
An exploitable information disclosure vulnerability exists in the DICOM packet-parsing functionality of LEADTOOLS libltdic.so, version 20.0.2019.3.15. A specially crafted packet can cause an out-of-bounds read, resulting in information disclosure. An attacker can send a packet to trigger this vulner...
CVE-2019-5091
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the Dicom-packet parsing functionality of LEADTOOLS libltdic.so version 20.0.2019.3.15. A specially crafted packet can cause an infinite loop, resulting in a denial of service. An attacker can send a packet to trigger this vulnerability.