IoT - All Articles - CISO Platform
2024-03-28T23:15:04Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/IoT

Are Cybersecurity Labels on IoT Devices a Wasted Effort
https://www.cisoplatform.com/profiles/blogs/are-cybersecurity-labels-on-iot-devices-a-wasted-effort
2021-10-05T22:38:09.000Z
2021-10-05T22:38:09.000Z
Matthew Rosenquist
https://www.cisoplatform.com/members/MatthewRosenquist
<div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9643423901?profile=RESIZE_400x&width=400"></div><div><p><iframe title="YouTube video player" src="https://www.youtube.com/embed/Ohfip99riqo" width="560" height="315" frameborder="0" allowfullscreen=""></iframe></p><p class="graf graf--p">The U.S. is exploring the idea of establishing cybersecurity labels on IoT devices and software, in hopes that it will both inform consumers of risks and motivate manufacturers to improve the security of the flood of new products entering the market.</p><p class="graf graf--p">Internet-of-Things (IoT) devices number in the billions (some estimates are as high as 46 billion) and continue to emerge at a quickening pace with consumers and across industrial uses. Yet they often are weak when it comes to being hacked, which creates growing risks to consumers’ privacy, security, and even safety.</p><p class="graf graf--p">The U.S. has indicated a desire to adopt some kind of labeling and has kicked off discussions with manufacturers. The National Institute of Standards and Technology (NIST), within the U.S. Dept. of Commerce, is leading the effort and is soliciting input from IoT manufacturers and the public.</p><p class="graf graf--p">Given the self-interest involved, I am somewhat skeptical of what the manufacturing industry will recommend or voluntarily implement when it comes to Cybersecurity Labels for IoT devices. The core problem is that the industry itself is not putting forth the effort to implement basic cybersecurity functionality into its product architecture and designs.
This group is now being asked to develop a label standard to help consumers and I expect the results to be less than stellar.</p><p class="graf graf--p">On the upside, I do applaud the creative concept of security labeling as an out-of-the-box idea and involving the private sector, but this path has significant weaknesses when it comes to how the relevant content of the disclosures will be decided and the challenges for meaningful absorption by the consumer.</p><p class="graf graf--p">There are many efforts, by security, overseas governments, and academic organizations, which show promise but also have challenges.</p><p class="graf graf--p">The CyLabs team out of Carnegie Mellon University has developed a very comprehensive label, but I think it is far too complex for consumers to understand.</p><img class="graf-image" src="https://cdn-images-1.medium.com/max/800/1*-5GudKx0n3foercXmBN4Ng.png" alt="1*-5GudKx0n3foercXmBN4Ng.png" /><p class="graf graf--p">Symantec has developed a scaled-down version of what CyLabs proposes, but the data does not readily translate to something meaningful to the average consumer.</p><img class="graf-image" src="https://cdn-images-1.medium.com/max/800/1*SOvh0gWxQa-hF8ACGV6loA.png" alt="1*SOvh0gWxQa-hF8ACGV6loA.png" /><p class="graf graf--p">The city-state of Singapore strikes a balance between independent verification and self-reporting, but overall, it is overly simplistic to convey a meaningful risk picture.</p><img class="graf-image" src="https://cdn-images-1.medium.com/max/800/1*gquLbvHszu4j1HKgn0a_SQ.png" alt="1*gquLbvHszu4j1HKgn0a_SQ.png" /><p class="graf graf--p">I would rather the government foster the development of an independent rating scale that gives simple scores for compliance to basic hardening configurations, resistance to compromise, exposure risk to other systems, privacy, and trust of the vendor’s ethics consistency.</p><img class="graf-image" src="https://cdn-images-1.medium.com/max/800/1*8FF_MIb5DVWg7TtPUEjwWA.png" 
alt="1*8FF_MIb5DVWg7TtPUEjwWA.png" /><p class="graf graf--p">Combined with allowances to support the economics of manufacturers self-reporting, but with limited scores and only for some of the categories. An approved independent body would be required for the ratings of some categories and access to higher scores. Finally, the results must be presented in simple icons for consumers with perhaps some plain English that highlights the result</p><p class="graf graf--p">For comprehensiveness, labeling should be made a requirement to encourage competitiveness by vendors to deliver meaningful security for IoT products.</p><p class="graf graf--p">Label information must also be clear and meaningful to convey the risks to consumers. To make sure the ratings are consistent and not manipulated, independent verification will occur at a minimum in some areas, such as vendor trust, and for any area where a rating is higher than average.</p><p class="graf graf--p">I also caution letting the IoT manufacturing industry take the lead for any type of labeling, we risk either very complex labels, which won’t be comprehended by consumers, or overly simplistic labels that barely scratch the aspects necessary to understand the relevance of the security posture for the device or software.</p><p class="graf graf--p">IoT devices are easily compromised and then either used against the owner or are herded into botnets that can attack other systems on the Internet. Cybercriminals and hackers realize that the vast number of unsecured IoT devices is an excellent resource to leverage in pursuit of their goals.</p><p class="graf graf--p">If we are going to go down this path of security labeling, we must do it correctly for it to become a catalyst of enhanced security for these products.</p><p class="graf graf--p">A rational system must be proposed, where clear goals are defined which benefit consumers. 
Otherwise, it is a wasted effort and an unfortunate delay in addressing the systemic problem of IoT security.</p><p> </p></div>
Classification of IoT Devices
https://www.cisoplatform.com/profiles/blogs/classification-of-iot-devices
2017-02-18T09:00:00.000Z
2017-02-18T09:00:00.000Z
Nagasai
https://www.cisoplatform.com/members/Nagasai
<div><p></p><p><span class="font-size-3"><a href="{{#staticFileLink}}8669812656,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669812656,original{{/staticFileLink}}" width="668" class="align-full" alt="8669812656?profile=original" /></a></span><span style="font-size:12pt;"><br /> A typical architecture of an IoT solution consists of constrained devices, gateways or border routers, and the cloud platform. From a high-level architecture perspective, there are two types of devices: constrained devices and gateway-like devices.</span></p><p><span class="font-size-3">The <strong>gateway</strong>-like devices use powerful processors and extendable memory, and have no constraints on power source. They can route data to the cloud servers or aggregate/store data to deal with network latencies. Typically they run a Linux operating system with application containers and provision for remote management.</span></p><p><span class="font-size-3">The <strong>constrained devices</strong> are end nodes with sensors/actuators that can handle a specific application purpose. They are usually connected to gateway-like devices over a low-power lossy network and, in turn, communicate with the IoT cloud platforms.
Typically they communicate via low-power wireless protocols like BLE, 802.15.4 (6LoWPAN, Zigbee, Thread, WirelessHART etc.), LPWAN etc., and are mostly battery powered with a low data rate.</span></p><p><span class="font-size-3"><a href="{{#staticFileLink}}8669812471,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669812471,original{{/staticFileLink}}" width="392" height="213" class="align-center" alt="8669812471?profile=original" /></a></span></p><p><span class="font-size-3">The constraints of these devices are:</span></p><ul><li><span class="font-size-3">Code complexity (ROM/Flash), size of state and buffers (RAM)</span></li><li><span class="font-size-3">Processing power</span></li><li><span class="font-size-3">Available power source, which limits reachability over time if battery powered</span></li><li><span class="font-size-3">User interface and accessibility in deployment</span></li><li><span class="font-size-3">Bitrate/Throughput</span></li><li><span class="font-size-3">Highly asymmetric link characteristics</span></li><li><span class="font-size-3">Cost</span></li><li><span class="font-size-3">Physical size</span></li></ul><p><span style="font-size:1.5em;" class="font-size-3">In order to simplify the overwhelming variety of constrained devices that could be connected to the internet, the IETF has published RFC 7228, which classifies constrained devices into three categories as shown in the table below.</span></p><p style="text-align:center;"><span style="font-size:1.5em;" class="font-size-3">Classes of Constrained Devices</span></p><p><span class="font-size-3"><a href="{{#staticFileLink}}8669812500,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669812500,original{{/staticFileLink}}" width="556" alt="8669812500?profile=original" /></a></span></p><p><span class="font-size-3"><span style="font-size:12pt;"><strong>Class 0:</strong> Class 0 devices have constraints in memory (&lt;&lt; 10 KiB of RAM and &lt;&lt; 100 KiB of Flash) and processing
capabilities. These devices have severe constraints on communicating securely with the internet, so they are typically pre-configured and connected to </span><span style="font-size:12pt;">proxies, gateways, or servers for internet communication.</span></span></p><p><span class="font-size-3">An open source IoT OS like Contiki takes around 8-20 KiB of RAM and ~100 KiB of flash. </span><span style="font-size:12pt;">Table 1 and Table 2, from Oikonomou, G. et al., list the code and memory footprint of various components of the Contiki operating system. Table 1 covers message generation and handling and does not include routing table processing or packet forwarding. So the complete stack (without security and routing) needs around 90 KiB of flash and 5.5 KiB of RAM. Enabling TCP increases the code by 11 KiB and RAM usage by about 600 bytes.</span></p><p style="text-align:center;"><span class="font-size-2">Table 1</span></p><p><span style="font-size:12pt;" class="font-size-3"><a href="{{#staticFileLink}}8669813064,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669813064,original{{/staticFileLink}}" width="334" class="align-center" alt="8669813064?profile=original" /></a></span></p><p></p><p><span class="font-size-3">As the number of nodes increases, the size requirements for the routing and neighbour tables increase in Contiki.
As shown in Table 2, RAM usage ranges from 5.5 KiB to 9 KiB.</span></p><p style="text-align:center;"><span class="font-size-2">Table 2</span></p><p><span style="font-size:12pt;" class="font-size-3"><a href="{{#staticFileLink}}8669812886,original{{/staticFileLink}}"><img src="{{#staticFileLink}}8669812886,original{{/staticFileLink}}" width="353" class="align-center" alt="8669812886?profile=original" /></a></span></p><p><span class="font-size-3">The tables above show that a minimal network stack takes up most of the resources of a Class 0 device, so it is tough to fit anything more, such as a security layer or application-layer protocols like MQTT, CoAP, EXI etc.</span></p><p><strong><span class="font-size-3">Class 1: </span></strong><span style="font-size:12pt;">Class 1 devices can run a low-power IoT stack [UDP, CoAP, lightweight security protocols like DTLS etc.] but are </span><span style="font-size:12pt;">quite constrained in code space and processing capabilities when it comes to employing a full protocol stack such as HTTP, TLS, and related security protocols and data representations without a gateway. </span></p><p><span style="font-size:12pt;" class="font-size-3"><strong>Class 2:</strong> Class 2 devices are less constrained and can perform on par with mobile phones/notebooks in</span><span style="font-size:12pt;"> supporting most protocol stacks. They have to be</span><span style="font-size:12pt;"> lightweight, with energy-efficient protocols and less bandwidth consumption. Using Class 2 devices might reduce development costs and increase interoperability.</span></p><p><span style="font-size:12pt;text-decoration:underline;">References:</span></p><p><span class="font-size-3">1. C. Bormann, M. Ersue and A. Keranen, “Terminology for Constrained Node Networks” <a href="https://tools.ietf.org/html/rfc7228">https://tools.ietf.org/html/rfc7228</a></span></p><p><span class="font-size-3">2.
Eclipse IoT White Paper, "The Three Software Stacks Required for IoT Architectures"</span></p><p><span class="font-size-3">3. Oikonomou, G., Phillips, I., Experiences from porting the Contiki operating system to a popular hardware platform.</span></p><p></p><p></p></div>
List of IoT Use Cases - CISO Platform
https://www.cisoplatform.com/profiles/blogs/list-of-iot-use-cases
2017-02-18T09:30:00.000Z
2017-02-18T09:30:00.000Z
N Katariya
https://www.cisoplatform.com/members/NKatariya
<div><p>This is a list of various use cases of IoT. Some of them have been detailed, because of current or potential challenges and usage trends.</p><p><span style="color:#0000ff;" class="font-size-3">1. Manufacturing</span></p><p>There are two types of systems: old systems with little or no instrumentation, and the relatively new ones with instruments which generate a lot of data using automation systems, robots, NC machines, PLCs, digital gauges, cameras, sensors, wireless tools and other devices. These data can’t easily be combined and analyzed, creating a challenge that traditional manufacturing systems were not designed for.</p><p>In 2016, manufacturing operations accounted for a total IoT spend of $102.5 billion (on the mentioned total of $178 billion), according to the same IDC 2017 release. With the current thrust of Make in India, and the appetite of the industry and start-ups, this perhaps has the biggest potential in India.</p><p>Manufacturing has three areas of use cases:</p><p>a. Manufacturing operations</p><p>Operations of manufacturing include asset management, intelligent manufacturing, performance optimization and monitoring, planning, human machine interaction, end-to-end operational visibility and these cyber-physical systems IoT.</p><p>b. Production asset management and maintenance</p><p>This is the second largest IoT use case in manufacturing and in reality also consists of a range of potential applications.
It includes production asset monitoring and tracking, from location to the monitoring of parameters in several areas such as quality, performance, potential damage or breakdowns, bottlenecks, the list goes on. On top of performance and optimization, there is of course also the dimension of maintenance (as a result and/or in a predictive way).</p><p>IoT-enabled systems can sense signs of warning, use real time data to create a maintenance timeline and preemptively service equipment. E.g. a gas turbine noise levels and frequency spectrum can be a great source of information on health of the blades and bearings.</p><p>c. Field service<br /> This covers manufacturing plant, warehouse, extended supply chain and customer (site).</p><p>Some examples of detailed use cases and the benefits IoT offers:<br /> • Production flow monitoring: optimize flow, eliminate waste and avoid unnecessary work in process inventory.<br /> • Remote equipment management, including setting specific limits and parameters to save energy and costs.<br /> • Condition-based maintenance alerts: optimize machine availability, minimize interruption and increase throughput.<br /> • Usage of data (product, customer sentiment and more) for quality monitoring, origin/sourcing of material and enhancement in function of outcomes.</p><p><span style="color:#0000ff;" class="font-size-2">2. Energy & Utilities</span></p><p><span class="font-size-2">a. Generation</span></p><p>i. Conventional<br /> ii. Renewable energy: solar, wind etc.</p><p>• Weather and demand to supply optimization and control – solar, wind being the infirm energy supply sources, but penetrating rapidly in the overall system and using free/renewable resource; has a high impact and attention requirement in planning and control in an overall system of energy generation to usage chain. 
IoT has a large potential to benefit these systems.<br /> • Monitoring, Ops and maintenance -large remote and generally unattended power plants, as well as distributed smaller systems will be better served with IoT systems.<br /> • Cost, bidding (short and long term), considering time of the day & seasonal, specific events – a large decision making input can come from large network of IoT sensors across the Globe, starting with weather data (and rapidly erratic one thanks to climate changes). Load demands in large industries as well as urban/rural areas can be assessed and managed when smart equipment with logical, machine learnt decision making systems are implemented.</p><p>Example: Peak demand: curtailment of peak to generator response; and optimized cost of generation with a mix of generators (and storage) could be greatly benefited from IoT.</p><p>b. Transmission & Distribution<br /> Two-way communications and smart devices extend your real-time capabilities to include distribution automation, demand response and distributed energy resources.</p><p>Applications allow you to accurately monitor, measure and predict your business performance. From billing data access and reporting—to powering solutions like phase detection, voltage imbalances, harmonics (with most energy efficient loads: lights, computers, variable drives etc. being the cause of harmonics).</p><p>Rural, remote applications including micro grids, supported by energy storage, multi sourced supply (including renewable energy) can make use of IoT for improving customer experience, supply-demand management (DSM), reduced costs and maintenance.</p><p>Example: Maximizing asset life and utilization<br /> Most transformers are over designed and right voltage, temperature, old condition, GIS data, e.g. can help optimize their capacities, location and thus reduce cost, maintenance, down time.</p><p>c. 
Smart grid and Smart metering<br /> Smart meter helps utilities to:</p><p>• Reduce operating expenses by managing manual operations remotely;<br /> • Improve forecasting and streamline power-consumption;<br /> • Improve customer service through profiling and segmentation;<br /> • Reduce energy theft; and<br /> • Simplify micro-generation monitoring and track/manage renewable power.</p><p>With built-in capabilities to enable auto shut-off, conservation voltage reduction (CVR), phase detection, and net metering (for solar e.g.). Consumers can enter an event, such as purchasing a new water heater, solar photovoltaic system, and compare usage before and after. Each piece of information empowers them to make some impactful decisions. Should they leave a light or computer on, considering that frequent switching is also not recommended? Small decisions with a potentially big return.</p><p>d. Ops & Predictive Maintenance</p><p><span class="font-size-2"><span style="color:#0000ff;">3. Oil, Gas and Coal:</span></span></p><p>a. Exploration – help in site survey, data analysis and improving success rates. Estimates of Return on investments will be possible considering, resource availability, cost of drilling, transportation, and even price bidding.<br /> b. Wells/mine and environmental metrics – from production trends to environment – all areas can be benefited. The current industry uses basic tools like excel.<br /> c. Optimization for improving profits – operations, maintenance and supply-demand can have high impacts, and considering the size of the energy market, investment in IoT has a very high potential return.<br /> d. Sale: Data analytics and Price strategy, forecasting with consumption trends – save the consumers from wild price fluctuations, including the very sensitive industrial users.</p><p><span style="color:#0000ff;">4. Govt. & Public Services</span></p><p>a. Smart cities</p><p>b. 
Traffic optimization<br /> Thousands of cross linked road, millions of vehicles, and drivers, airports, ports can be helped with weather data, signaling, movement optimization, and major event & VIP managements.</p><p>c. Public safety<br /> Use of visual monitoring and personnel movements data collected and learnt, can help decide deployment of vigilance personnel, roster duties. Emergency services such as Fire, ambulance, police, disaster management are in dire need of IoT help e.g. for traffic, location of victims, crime etc.</p><p><span style="color:#0000ff;">5. Mobility</span></p><p>a. Telematics and Fleet management<br /> It will help improving efficiency, productivity and reducing overall transportation and staff costs. Asset tracking is becoming used more and more by cities for waste management purposes by giving trash collectors the most efficient routes to collect the buildup of trash in urban environments.</p><p>b. Automatic vehicles<br /> Accident avoidance is a major incentive because the car can respond faster than a human. The ultimate manifestation is the overall reduction of vehicles. Driverless taxis can replace a family’s second car that sits idle all day. More vehicles can travel closer on the road at the same time and the computer can operate the vehicle more economically than most people.</p><p>c. Asset tracking and remote monitoring<br /> To allow an enterprise to easily locate and monitor key assets (e.g. raw materials, final products and containers) and to optimize logistics, maintain inventory levels, prevent quality issues and detect theft.</p><p>d. Condition based maintenance/predictive maintenance</p><p>e. Automobile<br /> i. Real time diagnostics<br /> ii. Remote vehicle management<br /> iii. In car connectivity and infotainment</p><p><span style="color:#0000ff;">6. Retail</span><br /> a. Automated checkouts<br /> b. Footfall analytics & promos<br /> c. Inventory optimization</p><p><span style="color:#0000ff;">7. 
Telecommunications</span></p><p>a. Network maintenance<br /> b. Connected Homes/cars<br /> c. Data monetization</p><p><span style="color:#0000ff;">8. Healthcare</span></p><p>a. Proactive and connected monitoring<br /> b. Early detection and diagnosis<br /> c. Remote measurements<br /> d. Wearables<br /> e. Health and fitness tracking<br /> f. Support for Disability<br /> Currently, over a billion people including children (or about 15% of the world's population) are estimated to be living with disability. IoT can offer them the assistance and support they need to achieve a good quality of life and allow them to participate in social and economic life.</p><p><span style="color:#0000ff;">9. Insurance</span></p><p>a. Usage based insurance<br /> b. Telematics for insurance<br /> c. Insured asset management</p><p><span style="color:#0000ff;">References</span>:</p><p><a href="https://www.i-scoop.eu/internet-of-things-guide/internet-of-things-in-manufacturing/">https://www.i-scoop.eu/internet-of-things-guide/internet-of-things-in-manufacturing/</a></p><p><a href="http://www.slideshare.net/cloudera/top-5-iot-use-cases">http://www.slideshare.net/cloudera/top-5-iot-use-cases</a></p><p><a href="https://www.thingworx.com/ecosystem/markets/smart-connected-operations/smart-manufacturing/">https://www.thingworx.com/ecosystem/markets/smart-connected-operations/smart-manufacturing/</a></p><p><a href="http://www.rcrwireless.com/20160920/big-data-analytics/industrial-internet-of-things-tag31-tag99">http://www.rcrwireless.com/20160920/big-data-analytics/industrial-internet-of-things-tag31-tag99</a></p><p><a href="http://sensus.com/internet-of-things/smart-grid/">http://sensus.com/internet-of-things/smart-grid/</a></p></div>
Survey of IoT Security Standards
https://www.cisoplatform.com/profiles/blogs/survey-of-iot-security-standards
2017-02-18T10:00:00.000Z
2017-02-18T10:00:00.000Z
Arvind Tiwary
https://www.cisoplatform.com/members/ArvindTiwary
<div><p><span class="font-size-3"
style="font-family:arial, helvetica, sans-serif;">IoT security is being approached by many organizations and from different perspectives. In this post we give a bird's-eye view of the players. This is not intended to be comprehensive. We will supplement this in time with a deeper dive at different layers of the ISO 7 layer model.</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="http://www.cisoplatform.com/profiles/blogs/survey-of-iot-security-standards" target="_blank"><img width="750" src="{{#staticFileLink}}8669812466,original{{/staticFileLink}}" class="align-full" alt="8669812466?profile=original" /></a></span></p><p></p><p></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;">FTC</span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The US Federal Trade Commission has a mandate around products sold in the USA and they have a position paper. They approach the issue from a manufacturer liability and good practice point of view. <a href="https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices">https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices</a></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The October 21, 2016 Dyn DDoS attack accelerated the FTC activity.
In Jan 2017 they also launched an <a href="https://www.ftc.gov/news-events/press-releases/2017/01/ftc-announces-internet-things-challenge-combat-security">IoT Home Inspector</a> challenge for ideas on protecting smart homes.</span></p><p></p><p></p><p></p><p><strong><span class="font-size-4" style="font-family:arial, helvetica, sans-serif;">NIST</span></strong></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> The National Institute of Standards and Technology (NIST) under the U.S. Department of Commerce publishes the FIPS standards applicable under the Federal Information Security Management Act (FISMA). NIST is actively developing a high-level IoT guide covering organizational process and roles. See <a href="https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program">https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program</a>.</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;">IoT Security Foundation</span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> A new organization that tries to holistically address IoT security through a best practices guide and a planned self-certification scheme, the <a href="https://iotsecurityfoundation.org/best-practice-user-mark/">Best Practice User Mark</a>. They explicitly reject the idea that the manufacturer is solely responsible and are far more realistic about the roles of various players.
For more, see <a href="https://iotsecurityfoundation.org" target="_blank">https://iotsecurityfoundation.org</a></span></p><p></p><p></p><p><a href="{{#staticFileLink}}8669812873,original{{/staticFileLink}}"><img width="750" src="{{#staticFileLink}}8669812873,original{{/staticFileLink}}" class="align-full" height="155" alt="8669812873?profile=original" /></a></p><p></p><p></p><p></p><p><strong><span class="font-size-4" style="font-family:arial, helvetica, sans-serif;"><a href="http://www.iiconsortium.org/index.htm">IIC Industrial Internet Consortium</a></span></strong></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Industrial Internet Consortium works on use cases for industrial IoT and counts all the global heavy hitters as members. Its initiatives aim to securely connect, control and integrate assets and systems of assets with people, processes and data using common architectures, interoperability and open standards. <a href="http://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf">The Industrial Internet Security Framework (IISF)</a> is the most in-depth cross-industry-focused security framework comprising expert vision, experience and security best practices. I</span></p><p><span style="font-family:arial, helvetica, sans-serif;font-size:12pt;"> </span></p><p></p><p></p><p><strong><span class="font-size-4" style="font-family:arial, helvetica, sans-serif;"><a href="https://prplfoundation.org/">Prpl Foundation</a></span></strong></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Prpl Foundation works on next-generation open source software from data centre to device. prplwrt complements OpenWrt with carrier-grade features. They have a framework note for IoT security, a guide for critical areas in embedded computing and a 2016 report on smart home security. See <a href="https://prpl.works/application-note-july-2016/">https://prpl.works/application-note-july-2016/</a>.
Prpl is pragmatic about security and is collaborating with CABA in evolving IoT security.</span> <br /> <span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> <a href="http://www.caba.org/">Continental Automated Buildings Association (CABA)</a> is an international not-for-profit industry association dedicated to the advancement of intelligent home and intelligent building technologies.</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p></p><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;"><a href="https://www.bitag.org/">Broadband Internet Technical Advisory Group (BITAG)</a></span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Broadband Internet Technical Advisory Group’s report studies the plague of IoT insecurity and makes recommendations to deal with it. It’s short and well-researched. <a href="https://www.bitag.org/report-internet-of-things-security-privacy-recommendations.php">The report</a> motivates its recommendations with over 150 informative references and footnotes on IoT risks, vulnerabilities and remedies.
It covers the home segment.</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;"><a href="https://www.owasp.org/index.php/About_OWASP#The_OWASP_Foundation">OWASP</a></span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Open Web Application Security Project is well regarded for their work. The top 10 threats issued by OWASP have been very well received. They approach cybersecurity especially at the web application (HTTP, HTTPS) layer. Recently they have started a project for IoT. See</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project">https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project</a></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;"><a href="http://www.ipso-alliance.org/about-us/">IPSO</a></span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The IPSO Alliance has been working for some time on data and functions for Smart Objects. <a href="https://github.com/IPSO-Alliance/pub/tree/master/reg">IPSO Smart Object Guidelines</a> provide a common design pattern, an object model, that can effectively use the IETF CoAP protocol to provide high-level interoperability between Smart Object devices and connected software applications on other devices and services. They have broadened work from smart objects to include security.
See</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> <a href="http://www.ipso-alliance.org/ipso-community/resources/technical-advisory-board/security-privacy-identity-working-group/">http://www.ipso-alliance.org/ipso-community/resources/technical-advisory-board/security-privacy-identity-working-group/</a></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;">AllSeen</span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The AllSeen Alliance includes AllJoyn and Open Connectivity Foundation. AllJoyn is an open source software framework that makes it easy for devices and apps to discover and communicate with each other. The AllJoyn system provides a security framework for applications to authenticate each other and send encrypted data between them. <a href="https://allseenalliance.org/framework/documentation/learn/core/security2_0">The AllJoyn framework provides end-to-end application level security. </a></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><span class="font-size-4"><strong><a href="https://otalliance.org/">OTA alliance</a></strong></span><br /></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Online Trust Alliance (OTA) works on consumer trust and online brand reputation, including privacy, identity theft and internet governance. They are a successor to efforts to combat spam emails through the Email Senders and Provider Coalition (ESPC). 
They have developed an <a href="https://otalliance.org/initiatives/internet-things">IoT trust framework</a>.</span></p><p></p><p></p><p></p><p><strong><span class="font-size-4" style="font-family:arial, helvetica, sans-serif;"><a href="https://www.ietf.org/">IETF</a></span></strong></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The Internet Engineering Task Force makes the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet. They are responsible for numerous standards around security, including X.509 public key, etc. The following drafts and RFCs are among the interesting ones to watch.</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;">OTrP</span></strong></span></p><pre><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="https://www.ietf.org/id/draft-pei-opentrustprotocol-03.txt">Open Trust Protocol (OTrP)</a>, a protocol to install, update, and delete applications and to manage security configuration in a Trusted Execution Environment (TEE)</span></pre><pre><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></pre><p></p><p></p><p><span class="font-size-4"><strong><span style="font-family:arial, helvetica, sans-serif;">MUD</span></strong></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">The draft <a href="https://tools.ietf.org/html/draft-lear-mud-framework-00">Manufacturers Usage Description</a> is an RFC intended to help reduce the vulnerability surface using a simple network policy (a whitelisting approach). It aims to reduce the scope for malware injection and for over-the-air firmware updates being hijacked. 
It also tries to cover devices no longer actively maintained by the original manufacturer.</span></p><h1><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="https://datatracker.ietf.org/doc/rfc7925/">DICE</a> Transport Layer Security (TLS) / Datagram Transport Layer Security (DTLS) Profiles for the Internet of Things</span></h1><h1><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="https://datatracker.ietf.org/wg/ace/documents/">ACE</a> <b>Authentication and Authorization for Constrained Environments (ace)</b></span></h1><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">Author:</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;">Arvind Tiwary, Chair- IoT Forum</span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="https://www.linkedin.com/in/tiwaryarvind/">https://www.linkedin.com/in/tiwaryarvind/</a></span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"><a href="http://event.cisoplatform.com/guide-rsa-usa-2016/" target="_blank"><img width="750" src="{{#staticFileLink}}8669805055,original{{/staticFileLink}}" class="align-full" height="262" alt="8669805055?profile=original" /></a> </span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p><p><span class="font-size-3" style="font-family:arial, helvetica, sans-serif;"> </span></p></div>Legal Liability for IOT Cybersecurity Vulnerabilities (Black Hat Conference 2018)https://www.cisoplatform.com/profiles/blogs/legal-liability-for-iot-cybersecurity-vulnerabilities-black-hat-c2018-10-01T08:30:00.000Z2018-10-01T08:30:00.000ZShubham 
Guptahttps://www.cisoplatform.com/members/ShubhamGupta<div><p><span>There has been much discussion of "software liability," and whether new laws are needed to encourage or require safer software. My presentation will discuss how -- regardless of whether new laws are passed -- a tidal wave of litigation over defective IoT cybersecurity is just over the horizon. </span><br /> <br /> <span>The presentation will focus on a well-known example: Charlie Miller and Chris Valasek's 2015 Jeep hack. I'm lead counsel in the ongoing federal litigation over the cybersecurity defects Charlie and Chris exposed, and that are shared by 1.4 million Chrysler vehicles. As far as I know, our case is one of the first, and the biggest, that involves claims that consumers should be compensated for inadequate cybersecurity in IoT products. </span><br /> <br /> <span>This case is the tip of the iceberg. IOT products are ubiquitous, and in general their cybersecurity is feeble, at best. In the event of a cyberphysical IoT hack that causes injury, there are established legal doctrines that can be used to impose liability on every company involved in the design, manufacturing, and distribution of an exploited IoT device or even its cyber-related components. Such liability could be crippling, if not fatal, for organizations that don't know how to properly handle and prepare for potential lawsuits.</span><br /> <br /> <span>Taking steps to minimize legal exposure before an accident happens or a lawsuit is filed—in the design, manufacture, product testing, and marketing phases of an IoT product—can be the difference between life and death for IoT companies. 
Knowing what steps to take and how to take them requires an understanding of the core legal principles that will be applied in determining whether a company is liable.</span></p><p></p><p><span class="font-size-5">Speaker</span></p><p></p><p><span><strong>IJay Palansky</strong><br /> <br /> Ijay Palansky is a partner at the law firm Armstrong Teasdale where he focuses on litigation and trial of large, complex, commercial cases, including consumer class actions and product liability cases. He is lead counsel in the ongoing federal class action lawsuit that followed on Miller & Valasek's Jeep hack. Although he has spent almost his entire career representing large corporate defendants, in this case he represents the plaintiffs - owners of the 1.4 million Chrysler cars and trucks that share the cybersecurity defects that Miller and Valasek exploited in their hack. My full bio can be found at <a href="https://www.armstrongteasdale.com/ijay-palansky/">https://www.armstrongteasdale.com/ijay-palansky/</a>.</span></p><p></p><p></p><p></p><p><span class="font-size-5">Detailed Presentation:</span></p><p><iframe src="//www.slideshare.net/slideshow/embed_code/key/yyd5ZYukQ0f6Ej" width="595" height="485" frameborder="0" allowfullscreen=""></iframe></p><div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/legal-liability-for-iot-cybersecurity-vulnerabilities" title="Legal Liability for IOT Cybersecurity Vulnerabilities" target="_blank">Legal Liability for IOT Cybersecurity Vulnerabilities</a></strong> from <strong><a href="https://www.slideshare.net/cisoplatform7" target="_blank">Priyanka Aash</a></strong></div><p></p><div><p><strong>(Source: Black Hat USA 2018, Las Vegas)</strong></p><p></p><p><strong><a href="http://www.cisoplatform.com/main/authorization/signUp?" 
target="_blank"><img src="{{#staticFileLink}}8669820464,original{{/staticFileLink}}" width="750" class="align-full" alt="8669820464?profile=original" /></a></strong></p></div><p></p><p></p><p></p><p><span> </span></p></div>Painful IoT Security Lessons Highlighted by a Digital Padlockhttps://www.cisoplatform.com/profiles/blogs/painful-iot-security-lessons-highlighted-by-a-digital-padlock2020-09-16T01:07:41.000Z2020-09-16T01:07:41.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669838467,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669838467,original{{/staticFileLink}}" class="align-center" alt="8669838467?profile=original" /></a></p><p>The first warning sign was “hackproof” in the <a href="https://www.kickstarter.com/projects/1686612613/360lock-1st-modular-smart-padlock-certified-by-blo" target="_blank">360Lock marketing materials</a>. As it turns out, with no surprise to any security professional, the NFC and Bluetooth enabled padlock proved to be anything but secure.</p><p><a href="https://www.pentestpartners.com/security-blog/360lock-smart-lock-review/" target="_blank">Straightforward penetration testing revealed</a> horrible logical and physical security for a padlock that promotes itself as “incorruptible” and “hackproof”!</p><p>Digital Transformation is a rush to connect our physical world to the global electronic ecosystem to enable better access, integration, and advanced capabilities. Internet of Things (IoT) devices are often at the forefront of this movement, turning normal devices into ‘smart’ devices. Sometimes even the best ideas fail when it comes to design and execution. </p><p>This padlock has several innovative features such as connectivity to mobile applications, an included RFID wristband and tag for easy unlocking, configurability to add access for others, and a detailed history log. 
What it lacks, however, is actual security.</p><h3><strong>Security theater</strong></h3><p>Simple pentesting proved what was likely a foregone conclusion. The Kickstarter-funded lock is neither hackproof nor secure. Testers found that simple replay attacks could trick the logic to open the device. Additionally, crude brute-force methods were able to compromise the integrity of the lock mechanism. Pounding it with a hammer quickly defeated the padlock. </p><p>The results highlighted that the $40 lock is not robust and better served as a visual deterrent, casual locking device, or novelty item. </p><h3><strong>An industry problem</strong></h3><p>A massive quantity and vast diversity of smart devices are emerging. Most connect to the internet and require a high degree of security. Connectivity accentuates vulnerabilities. Sadly, many of the IoT devices consumers and businesses are embracing lack the necessary measure of security rigor, leaving users exposed and data vulnerable. </p><p>The 360Lock is not the only device that has poor security, but it does highlight two important points, emphasizing overall industry challenges. </p><p>First<a href="https://medium.com/@matthew.rosenquist/unhackable-product-claims-are-a-fiasco-waiting-to-happen-dc73e4f763ff" target="_blank">, never trust any product that claims to be ‘unhackable’</a>. Seasoned security professionals would never make such an outlandish assertion as to say a device is hackproof! The fact that 360Lock promoted their product in this way was the only indicator needed to instill great skepticism. </p><p>Second, this device’s weaknesses highlight the need for proper data transport security. Man-in-the-Middle (MitM) attacks, such as replay attacks, are common tactics for hackers. Transactional security is absolutely critical to protect data and requests. Unfortunately, securing data in-transit between IoT devices on the edge and phones/PC/cloud-services requires the right expertise and tools. 
Most failures occur in how data protections are implemented and managed. As a rule, if a product manufacturer is not detailing their security, they likely do not have quality capabilities in place.</p><h3><strong>Painful lessons</strong></h3><p>Consumers must be wary and realize that even dedicated security products, such as padlocks, can be victimized by poor development decisions. Trendy features are no replacement for solid security and reliability. IoT devices are often much less secure than the marketing materials and salesperson will reveal. Look for reputable manufacturers who have committed to work with the best technology, security integrators, and verification practices. Every consumer and business is responsible for understanding the risks accompanying the benefits of new technology.</p><p></p><p>Interested in more? Follow me on <a href="https://www.linkedin.com/today/author/matthewrosenquist" target="_blank">LinkedIn</a>, <a href="https://medium.com/@matthew.rosenquist" target="_blank">Medium</a>, and <a href="https://twitter.com/Matt_Rosenquist" target="_blank">Twitter (@Matt_Rosenquist)</a> to hear insights, rants, and what is going on in cybersecurity.</p></div>We Don’t Want IoT Cybersecurity Regulationshttps://www.cisoplatform.com/profiles/blogs/we-don-t-want-iot-cybersecurity-regulations2020-09-21T22:30:00.000Z2020-09-21T22:30:00.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669833474,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669833474,original{{/staticFileLink}}" class="align-center" alt="8669833474?profile=original" /></a></p><p>It simply makes no sense to call for IoT devices to be certified safe-and-secure. Before you get bent out of shape, hear me out. </p><p>Regulations are unwieldy blunt instruments, best left as a last resort. 
Cybersecurity regulations are not nimble, tend to be outdated the day they are instituted, and become a lowest-common-threshold for an industry to follow. This stifles security innovation and the application of best practices. On the upside, regulations do force industries that have ignored basic security practices to meet a common standard. But history has shown those industries rarely go any farther than the regulatory requirements. Of all the data breaches we see in the news every week, almost all of those organizations are compliant with regulations, yet they are losing data records by the billions. Compliance does not equal security!</p><p>Yet some are pounding the government drums, <a href="https://spectrum.ieee.org/computing/networks/make-iot-devices-certifiably-safeand-secure">advocating for IoT certification regulations</a>. I find their beliefs to be shortsighted and premature.</p><p>Regulations are definitely needed in some situations, but only for narrow applications to accomplish specific goals. Protecting privacy of children online, securing sensitive healthcare records, or requiring controls around credit card transactions are all codified to some extent in regulations.</p><p>I am a passionate security advocate, some would even go so far as to say a fanatic, but I don’t like this idea of requiring IoT devices to be certified safe and secure. It is simply too broad and undermines the economic model which is driving rapid innovation. </p><p>We don’t require such certification for phones, tablets, personal computers, or servers. So why would anyone think requiring certification for low powered IoT devices is a good strategy? </p><p>Certification adds significant costs and time to product development. IoT devices are emerging for a vast variety of uses and tend to be less expensive than fully-featured computing systems. The scale of validation is another problem as the number of IoT devices will soon exceed 50 billion. 
The process to determine who will certify entirely new classes of devices and what criteria will be accepted is a political nightmare. Operationalizing such requirements will be expensive and a nightmare at such a massive scale. The bureaucracy and costs will add tremendous friction to the market, pushing out many companies and products. </p><p>There is no doubt IoT needs significantly more security, but recommending overly broad regulations is very premature and likely damaging to everyone that benefits from smart devices. There are many other options and solutions that could deliver much better protection at a lower cost and not catastrophically impede innovation, competitiveness, and healthy market cycles. Establishing standards and best practices for design and validation is a great start. Driving consumers to recognize and value secure designs creates a competitive advantage for manufacturers to challenge each other. Open bug bounties, public security research, and sharing of penetration testing certifications would drive better processes for the IoT industry.</p><p>If such practices fail to be adopted or are not sufficient, then we should discuss regulation. But first, we must pursue more optimized avenues to establish safety and security in partnership with the IoT industry, so the ecosystem can become more adaptable to evolving threats, support innovation, and be trustworthy for the benefit of all users. Let us not rush to a model of inflexible regulations, as they should only be considered as the last option.</p><p> </p><p> </p><p>Interested in more? 
Follow me on <a href="https://www.linkedin.com/today/author/matthewrosenquist">LinkedIn</a>, <a href="https://medium.com/@matthew.rosenquist">Medium</a>, and <a href="https://twitter.com/Matt_Rosenquist">Twitter (@Matt_Rosenquist)</a> to hear insights, rants, and what is going on in cybersecurity.</p></div>SUTL Cybersecurity and IOT free virtual conferencehttps://www.cisoplatform.com/profiles/blogs/sutl-cybersecurity-and-iot-free-virtual-conference2020-10-06T19:29:01.000Z2020-10-06T19:29:01.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669835291,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669835291,original{{/staticFileLink}}" class="align-center" alt="8669835291?profile=original" /></a></p><p>Why is the Sacramento region ripe for innovation in Cybersecurity?</p><p>Come join the online Sacramento Urban Technology Lab conference where a panel including Malcolm Harkins, Kimberley Owen, George Usi, Carmen Marsh, and myself will discuss why Sac is a growing region for cybersec!</p><p>October 15 2020, 1:00-5:00pm Pacific</p><p><a href="https://startupsac.com/register-now-for-sutl-showcase-2020-cybersecurity-and-iot/">https://startupsac.com/register-now-for-sutl-showcase-2020-cybersecurity-and-iot/</a></p><p><a href="{{#staticFileLink}}8669835291,original{{/staticFileLink}}" target="_blank"></a></p></div>Managing IoT Data SECURITY RISKShttps://www.cisoplatform.com/profiles/blogs/managing-iot-data-security-risks2020-11-24T17:41:06.000Z2020-11-24T17:41:06.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><a href="{{#staticFileLink}}8669838901,original{{/staticFileLink}}" target="_blank"><img src="{{#staticFileLink}}8669838901,original{{/staticFileLink}}" class="align-center" alt="8669838901?profile=original" /></a></p><p><strong><a href="https://eclipz.io/managing-iot-data-breaches#mid-header">We are surrounded!</a> </strong>Smart devices are 
everywhere and being integrated into all facets of our lives, from toothbrushes to automobiles. Entire cities are becoming ‘smart’, as are factories, governments, global retail, freight logistics, and all national critical infrastructure sectors. As individuals, we are becoming hubs for multiple connected devices in our homes and on our persons. Phones, watches, health monitors, medical devices, and clothing manufacturers have joined in to develop connected apparel and accessories. Cameras, doorbells, appliances, televisions, thermostats, voice assistants, and light fixtures are just the beginning of the digitalization of our homes. These wonderful tools of the modern world, some no bigger than a coin, provide amazing capabilities and tremendous convenience; they connect and enhance our lives in amazing ways.</p><p>Unfortunately, they also introduce equitable risks. The aggregated risks from all the Internet-of-Things (IoT) devices, now approaching 50 billion in number, add up to a big problem for everyone. </p><p>Sadly, the dark secret is that IoT devices and their close cousins, Industrial IoT (IIoT) devices, which we typically embrace, are very insecure. These systems are notoriously hackable; the data they create and share is often vulnerable to exposure, and the devices themselves can be leveraged as a platform by attackers to target more important systems in our lives. IoT insecurity represents one of the next great challenges for the technology industry that is struggling to preserve the trust of consumers from cyber threats which are easily finding ways to undermine the security, privacy, and safety of users.</p><p>Most IoT devices are miniature and very limited when it comes to the computing resources necessary for secure capabilities. It is difficult to know who owns or possesses them, if they have been hacked, and if they are acting in undesired ways. This makes IoT devices not very trustworthy. 
To compound the problem, IoT devices tend to share data over insecure networks like wireless and the Internet. This mix is a recipe that cybercriminals and hackers enjoy.</p><p>The functional backbone for IoT devices is all about gathering, processing, and sharing data. One of the primary challenges is to protect the data going to and emanating from the devices. Legacy technology largely fails when it comes to secure communications at this scale and difficulty. More comprehensive, effective, and sustainable capabilities are needed to keep pace with evolving threats.</p><p>Connecting IoT technologies to share data securely is difficult. Some standards exist for specific use-cases, such as web browsing, but most of the emerging IoT devices and services require a synthesis of architectures, algorithms, and compatibilities that current solutions don’t satisfy. That is why we are seeing a flood of IoT compromises and the future advances of hackers will only increase the victimization unless something extraordinary happens.</p><p><strong><em>Where there is innovation leadership, hope survives.</em></strong></p><p>Protecting digital data is important for everyone. Andy Brown, CEO of Sand Hill East, and I penned a joint article <a href="https://eclipz.io/managing-iot-data-breaches#mid-header">Managing IoT Data Breaches</a>, that was published in the Sept 2020 issue of Cybersecurity Magazine, describing the scale and complexity challenges of IoT data protection. Innovation is needed to safeguard data in the new digital landscape!</p><p> </p><p>After 30 years in the industry, I anticipated the future needs and realized the upswell of insecure devices would put everyone at risk if sensitive data could not be protected. I joined the <a href="https://eclipz.io/about">Eclipz team</a> as an <a href="https://eclipz.io/iab">Advisory Board</a> member to help advance and tailor the greatly needed capabilities into the commercial market for everyone’s benefit. 
The Board of Directors asked that I join a stellar executive team as the CISO to further help empower the best technology to make devices and the global digital ecosystem more trustworthy. </p><p><a href="https://eclipz.io/">Eclipz</a> is an elegant and robust capability to connect untrusted endpoints across insecure networks in ways that protect data from current and evolving threats. Eclipz is not a product unto itself, but rather an architecture and code integrated into everyday products and services, empowering them to communicate securely. That makes it ultimately scalable. It can be applied to protect a vast array of devices, infrastructures, and experiences across every market, making the technology and services people use more secure by protecting the flows of data. The explosion of IoT devices poses one of the greatest attack surfaces ever known and must be better secured. Eclipz technology can strengthen the foundations of IoT ecosystems for the benefit of the global digital community.</p><p><a href="{{#staticFileLink}}8669838901,original{{/staticFileLink}}" target="_blank"></a></p></div>