IoT Security Architecture and Policy for the Home – a Hub Based Approach

Home IoT devices and systems need to manage security with minimal – and potentially no – consumer intervention, and without the consumer having any specialist knowledge of security or IT principles. This is in contrast to other IoT environments which are more formally managed and directly regulated, such as enterprise and transportation. One key challenge in the consumer environment is that home IoT solution providers cannot assume a reliable or sufficient level of users’ understanding of security governance.

It is also challenging to manage and maintain a complex system of devices available on the market using a variety of proprietary interfaces and protocols in the home environment. Interoperability between IoT devices is a key aspect not only of hub architectures like this one but of any IoT deployment implementing multiple devices. Good interoperability assists with security management across the IoT ecosystem and reduces the effort required of the home IoT administrator. It also further opens the IoT marketplace for consumers by avoiding vendor or ecosystem lock-in. The issue of incompatibility and security was highlighted recently by McKinsey [ref 20] as being one of the major restrictions on the growth of the IoT market. While this document does not specifically address the issues related to interoperability, it is worth highlighting the work that needs to be done in this area to support adoption of IoT security, hub architectures like this one and consumer value-add.

Market actors must push to get consumers thinking about security in the home IoT space. Consumers already think about safety in other market areas – such as automotive, housing and toys. In the IoT market, solution providers can incorporate good security practices and certifications in their product development and provisioning. Retailers can opt to sell solutions that meet minimum security expectations or can prove compliance by means of certification. These actions will support the incorporation of security into the consumer purchasing process – similar to the way that reviews and word of mouth come into play – and potentially stimulate the home IoT marketplace. While not all consumers will adopt a security-minded purchasing process, there is value to both the consumer and wider IoT ecosystem in providing security-minded options for consumers.

The IoT Security Foundation is publishing this home IoT architecture as part of a series of Hub-based architectures with the following intentions:

  • Reduce/manage complexity of IoT systems by narrowing implementation options
  • Demonstrate by example what a good home security regime looks like
  • Demonstrate how to support security in IoT with minimal reliance on users
  • Explain the benefits of such an approach including achieving security goals, maintaining system hygiene and resilience, managing extensions and life-cycle provisioning
  • Help to foster growth and demand in the home IoT marketplace by making security a part of the purchasing process

This document is intended for OEMs designing devices or smart hubs – as “the Hub” is a key element of the architecture – Service Providers and Retailers, or anyone with responsibilities for architecting, designing, planning and procuring home IoT products (broadly referred to as solution providers). Specifically, consumers and end users are not the intended or expected target audience for this document.

The Hub-based architecture does not prescribe a single IoT device, deployment or sub-architecture. Instead it focuses on supporting a minimum expectation of security and trust in home IoT environments. This is achieved through implementation of a collection of security and trust tools in home IoT and networking solutions. Importantly, it does not rely on the end user having in-depth knowledge of these topics.

In practice, a hub architecture provides selected points for IoT device and network management that can make use of existing infrastructure, as well as provide flexible solutions for individual home IoT deployments. ‘Plug and play’ Hub devices should support baseline security for the home environment.

For small homes, the architecture may comprise a single hub; larger homes will probably have a number of hubs for scalability and redundancy. Related devices and solutions that may comprise a central part of the Hub architecture and support the security features described in this document include a router, network management tools such as a firewall or gateway, network access controls, a protocol bridge, or any other device that naturally lends itself to such a role within a network.

Whilst perfect security is likely to remain elusive, this architecture is considered to be a good approach to achieving common security goals of confidentiality, integrity and availability.

Security is not static; it requires a series of ongoing processes that need to be managed over the combined life-cycles of system elements including services, devices and networks. This hub architecture supports a layered approach to the security challenge and provides management controls over the lifecycle of the home IoT deployment. As a result, it may also support a number of specific compliance requirements or best practice standards for organizations providing home IoT solutions. For example, a hub-based architecture can help mitigate risk associated with cyber security and data protection regulations such as the European General Data Protection Regulation (GDPR) and Network and Information Systems (NIS) Directive or support adoption of the USA’s Cybersecurity Information Sharing Act (CISA).
