The IoT Security Foundation (IoTSF), which was established in 2015, recently celebrated the 10th edition of its conference. The event provided a forum to discuss cybersecurity topics ranging from the increased risk caused by more devices being connected to the importance of a security-first mindset and the role regulation plays.
John Moor, Managing Director of the IoTSF, spoke to IoT Insider in the wake of the conference about an evolving security mindset, pertinent topics covered at the event and what upcoming trends he saw as influential in the IoT space.
“For those who are familiar with the Gartner Hype Cycle, IoT was trending, and everybody was talking about the innovation and everything we can do with data and connected systems,” explained Moor. “But very few people were looking at the security aspects … We felt we needed more awareness, more momentum.
“We held a summit in 2015 at Bletchley Park, and we concluded that we can’t carry on. Something needs to be done. Out of that we looked at whether we needed more regulation, more standards … The answer was yes to all.”
As a result of this kind of thinking, the IoTSF was born, and it continues to go strong, as the latest iteration of its conference demonstrated.
The evolution of security
Nine years on from the IoTSF’s founding, cybersecurity has shifted from a nice-to-have to a must-have. This is reflected in the implementation of regulation like the Cyber Resilience Act and NIS2 Directive, and also in conferences like the IoTSF’s that are directing their focus on cybersecurity and all its different aspects, taking a more nuanced view.
“Quality control has moved to quality assurance,” said Moor. “That’s the analogy I would use with security; we need security assurance … We need to make sure we have a security culture and a security mindset.”
In explaining this mindset, Moor compared a “security” mindset and a “compliance” mindset, the key differentiation being that a compliance mindset seeks to tick the boxes while a security mindset is “baked in”.
Asked whether he thought discussions around the kinds of challenges facing the cybersecurity landscape had evolved, Moor said: “The fundamentals of security stay the same. What changes is the technology and the means to defeat the mechanisms.”
Topics covered at the conference
Some of these technologies, which were discussed at the conference, include AI and quantum computing, both of which are expected to have significant impacts on IoT. Moor’s take on AI is something I’ve heard from several cybersecurity professionals: that it can be used as a tool for good, to protect against attacks, in the same vein that it can be used as a tool for evil – to carry out these attacks.
“One of the [other] areas we were trying to highlight [at the conference] is something called memory safety,” Moor added. “The UK has invested heavily, to the tune of £70 million plus, in something called digital security by design. That’s focused heavily on the memory safety issue.”
The issue in question is something that has existed since the 1970s, and is a great example of how challenges have been flagged to the IoTSF, who have taken note and responded accordingly by facilitating talks about it at its conference.
“I spoke to the program director [who] called me up and invited me to join the Advisory Board,” Moor shared. “And so I said, ‘Tell me about the challenges and why I should be interested?’ He talked to me about the provenance of pointers and insecure memory systems and it emerged that classical computing systems have issues of security in the way we do memory systems.”
Upcoming trends
As 2024 marches on and 2025 is right around the corner, understanding the influential trends in the coming year can be hugely beneficial to organisations, particularly in the context of cybersecurity.
“What are the trends? I call it, ‘It’s a Thing’. Like post-quantum technology, zero trust environments, security being a team sport,” Moor explained. “What we try to do is have those ongoing conversations and keep people ahead of the game. Understanding what the threats are, what the solutions are and what works best for them.”
In the same vein, the IoTSF very recently published a report into the state of companies’ vulnerability disclosure policies, in which it sought to use vulnerability reporting as a “barometer”, or indicator, of how sound companies’ cybersecurity practices were.
“Does a company have a vulnerability disclosure policy? Can you report vulnerabilities? And that will give you immediately an indicator about their posture on security,” Moor concluded.
The report is out now.