ioXt Alliance aims to harmonize a fragmented ecosystem

For many years, ecosystem fragmentation repeatedly has been cited as one of the main hurdles to global growth for the IoT market, and to the ability of IoT players to ensure consistently secure experiences for their users. The ioXt Alliance, a global and industry-wide consortium, is now trying to do something about that. Fierce Electronics recently spoke with Grace Burkard, director of operations at the ioXt Alliance, about the group’s efforts. The following conversation has been edited for length and clarity.

Fierce Electronics: The ioXt Alliance is doing security standards for IoT product certification, and some other things. How would you describe the group’s mission?

Grace Burkard: ioXt is a standards organization, and we're trying to build confidence in Internet of Things products through a group that unites multiple stakeholders, and pursues international, harmonized and standardized security and privacy requirements for IoT. Our members take a security pledge, which includes things like they agree to use only proven cryptography, enable automatic security updates when available, use only unique passwords and credentials, so no universal passwords, and a few more things like that. We also have our product compliance programs, and public transparency of base requirements for IoT security with the details of our pledge right there on our web site. What ioXt is trying to do is increase IoT security by having thought leaders and security experts create our standard and our profiles. 

FE: And what is a profile? 

GB: ioXt has a base profile, which is pretty much like the minimum requirements for any type of IoT device and then we start getting into more specific devices such as a speaker profile, residential camera, network, lighting controller, mobile apps, VPN. So those profiles come with their own set of standards, and they build off each other a little bit. ioXt has eight security pledge principles that are like the overall umbrella and then you've got the individual standards that go under that. You can find those principles on the ioXt website.

FE: To some degree are you trying to bring some order to a fragmented market landscape, and one in which security has sometimes been of secondary consideration?

GB: Yes, exactly. Everybody thinks that security is just inherently built into smart products, when it's actually not. Some manufacturers will say, “Oh, we'll incorporate security when our customers ask for it.” However, the customers don't know to ask for it because they think it's already there. It’s our responsibility to show the industry that there's some education still needed here. We understand it can be very tedious to go around and figure out what all the certifications are that one product needs, and those can change based on industry and based on the vertical. They can be similar, but different enough that you would have to get several different certifications. So, part of the harmonizing that we do is to also work with other organizations (for example, the National Institute of Standards and Technology and other international standards groups), and map ioXt standards to cover parts of those other standards so ioXt members can be quickly updated with new requirements and recommendations, and become certified to meet these requirements.

FE: This notion of an umbrella for IoT standards is a good idea. Whose idea was it?

GB: Our founder Gary Jabara [Newport Beach, California, entrepreneur, and a former Deloitte partner] a few years ago was at an event over in Europe, and he and a few other people were together talking about IoT, and how fragmented it is and how tedious it is and how expensive it can be, especially if you have to go out and get tons of different certifications on top of everything else you have to do to get a product out there. And so they were just spitballing about what it would take to improve IoT as a business, and how the industry could come together and make this easier for all manufacturers. So that was about almost four years ago [The alliance was later founded in early 2019]. ioXt had the support of a lot of really big companies, like Google, Amazon, Comcast, T-Mobile, and Meta, that were willing to work together to figure this out. They contribute security experts and product experts that help create ioXt's profiles. They understand the threats and vulnerabilities out there and that they continue to evolve, so they participate in profile groups and continue to talk about new things that come up and what needs to be added to a profile as things change because we don’t want the profiles to be stagnant.

FE: So, you are trying to unite a fragmented ecosystem around security standards, but is it difficult to get all these companies to play nice with one another?

GB: I think for the most part, people from different companies are on the same page. Now, is there a discussion and debate around what the level of security should be for a particular requirement, what should be included and not be included? Yes. There are minimum requirements that everyone needs to meet, and then you can have more standards and requirements on top of that, but you don’t want to make it so that only a select few can achieve certification. I think for the most part everyone wants this effort and this industry to be successful, and they will talk about how these requirements will affect the rest of the industry. If they realize not everyone can do it, they may leave a requirement at a level where more companies can meet it, but with a plan to revisit it in the future.

FE: Are there a lot of companies out there that still need to be made aware of what the ioXt Alliance is doing?

GB: There are a lot of new things that are becoming smart that were dumb before. There are so many new toys and home products that are gaining this connectivity, and some of the companies may feel like security is just an inconvenience, or they are just unaware that there are all these security issues. I recently read a report on how medical devices need to start improving. For right now, ioXt is focused on home IoT, smart buildings, cellular IoT, such as phones, tablets, computers, and mobile apps, but the group is starting to look at things outside of that–healthcare, wearables, autonomous cars, agriculture, industrial IoT. ioXt looks at what’s out there in terms of standards, and what can be mapped into ioXt's requirements because we never want to recreate the wheel. ioXt doesn't want to do anything that would cause more fragmentation.