Uber was once again in the news last week as it announced it will pay a $148 million settlement to all US states and the District of Columbia for waiting a year to report a data breach and taking active steps to hide it in the meantime.

Tony West, the taxi-booking app provider’s chief legal officer, placed this in a positive light: the settlement signals Uber will from now on “do the right thing.” The implication, of course, is that Uber could have avoided this settlement if it had done the right thing at the time of the breach by informing affected customers and drivers.

But what does the phrase mean? It is an emotive and subjective phrase, requiring context and a common frame of reference for all parties to make a judgement. Consider the case of security in IoT.

Doing the right thing in the context of deploying and using secure IoT technologies depends on the use case. There are currently many guidelines and regulations intended to influence the behaviour of IoT vendors and enterprises.

The GSMA launched its IoT Security Guidelines in February 2016, an industry-collaborative working document that gives practical advice to mobile operators and the wider IoT community on addressing common cybersecurity threats and protecting data privacy in IoT services. The European Union Agency for Network and Information Security (ENISA) followed in November 2017 with a reference report, Baseline Security Recommendations for IoT in the Context of Critical Information Infrastructures. The Industrial Internet Consortium’s (IIC) Industrial Internet Security Framework and the Internet of Things Security Foundation’s (IoTSF) IoT Security Compliance Framework have similar intentions.

Guidelines, in general, are an essential foundation for enterprises considering security in IoT, but they fall short of galvanising the community of vendors, enterprises and users to adopt best practices at scale and at speed.

Common platform
ARM’s Platform Security Architecture (PSA), announced in October 2017, is another example of a common reference framework that provides the hardware and software building blocks for the IoT value chain to incorporate when developing new products, solutions and services.

At the time of the announcement, silicon partners including Silicon Labs, STMicroelectronics, Renesas, NXP, Nuvoton and Microchip had signed up to it. In February 2018, at Mobile World Congress Barcelona, ARM added a new product, the integrated SIM (iSIM), to its Kigen product line; the iSIM is also based on PSA, extending the architecture’s reach to mobile operators.

The iSIM reflects ARM’s efforts to ensure that even low-cost, resource-constrained IoT devices have remote management capabilities and security. By September 2018, ARM’s iSIM proposition had been adopted by Sprint and Vodafone Group, as announced during MWC Americas.

That Sprint announced iSIM plans is to be expected, given the synergies between its parent SoftBank and ARM. Vodafone’s announcement, however, is a conscious decision that acknowledges it needs to secure all kinds of IoT devices at scale and at speed.

For the market to reach the GSMA IoT revenue forecast of $1 trillion by 2025, operators such as Sprint and Vodafone recognise the need to streamline development efforts (for example, by applying repeatable rules at the start of product design) and to draw on security expertise from third parties (particularly at the threat modelling and analysis stage). With a common frame of reference, everyone in the value chain, including enterprises, users and governments, works towards the same goal of deploying secure IoT projects.

For organisations on their IoT journeys, the wealth of guidelines can be a double-edged sword. Options are nice, but resource-constrained security teams have only so much time to consider them all. Whichever guidelines an IoT vendor adopts, be they ARM’s PSA, the GSMA’s IoT Security Guidelines or the IIC’s recommendations, the deciding factor for organisations buying from that vendor is assurance that the entire IoT supply chain adopts the same “do the right thing” philosophy.

– Yiru Zhong, lead analyst – IoT and Enterprise, GSMA Intelligence

The editorial views expressed in this article are solely those of the author and will not necessarily reflect the views of the GSMA, its Members or Associate Members.