UL, MIPI Bolster IoT Security

　　UL (formerly Underwriters Laboratories) and the MIPI Alliance are the latest groups to expand security initiatives for the Internet of Things. They join groups such as the IoT Security Foundation, picking up the pace on what looks to be a never-ending journey toward a safer IoT.

　　UL hopes to roll out by the end of the year a software security standard for IoT gateways and a set of best practices for software security in consumer IoT products. Its aims to ramp up its first initiatives in hardware security next year.

　　The MIPI Alliance put out a separate call for participation in a new security working group. It aims to draft a security framework this year for systems using MIPI interconnects across areas including automotive, mobile and IoT.

　　The efforts are among many that some experts say fall short. “Regulations are necessary, important and complex--and they’re coming. We can’t afford to ignore these issues until it’s too late,” said Bruce Schneier, a security expert and Harvard lecturer, in testimony to the U.S. Congress last November, following the Mirai attack.

　　“The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers…The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” Schneier said, noting consumers typically don’t want to pay more for security.

　　Indeed, only two companies have received certification for the initial UL 2900 cybersecurity standards the UL rolled out in April 2016, although many more products are now in the UL’s pipeline.

　　“Some industries are fairly mature, with dedicated cybersecurity teams that can respond quickly and others are more immature such as new, innovative consumer IoT companies that may have just one person responsible and looking for guidelines,” said Ken Modeste, a principal engineer leading UL’s security effort.

　　Meanwhile, UL is also expanding the 2900 suite to include a variety access control and building automation devices. It has 10 companies working on its consumer IoT best practices guidelines and details of its IoT gateway spec coming out within days.

　　“We see this as a long-term initiative that will take many years to accomplish some kind of cyber-supremacy over the risks out there,” he said. “This program can’t be a catch-all for 100 percent of the issues, but we can build a foundation,” he added.

　　“The request for the hardware part of security is becoming more prevalent, so our goal is to initiate it in the middle of next year. We have some hardware initiatives around payment terminals and automotive, and our goal is to find a way to address hardware overall,” Modeste said.

　　The hardware effort may try to create a certification program for how devices use password or encrypted keys to store and access data. “We welcome collaboration with players in this space, he said, noting a need for hardware expects across domains including automotive, FPGAs and microcontrollers.