In the wake of the unprecedented Dyn DDoS attack, security researcher Brian Krebs issued a call for industry associations to tackle IoT security. The Smart Card Alliance issued a statement on Tuesday proposing that security be embedded in internet-facing systems and devices as much as it is in smart cards.
The Alliance says industry sources attribute the four-fold growth in attack size in the past year to the addition of IoT devices to botnets used by hackers. Gartner estimates that there will be 21 billion devices connected to the internet by 2020, and says it is critical to secure the “things.”
To that end, the Smart Card Alliance recommends that security requirements address how communications with IoT devices are authenticated, how access is controlled, how data is protected, how the device lifecycle is managed, and the impact on other systems. Embedded secure chip technology is necessary for devices in life-saving and critical infrastructure systems, according to the organization. This means essentially applying the same criteria to those devices as are currently applied to GSM mobile devices, payment chip cards, secure identity tokens, and e-passports.
Several dozen member companies of the Smart Card Alliance have also formed the Internet of Things Security Council to provide a forum for industry collaboration and encourage best practices and market adoption of secure IoT architectures.
“These recent attacks, one of which was more than four times the size of the largest reported attack last year, are comparable to the massive payments data breaches that have been in the spotlight over the past few years,” Randy Vanderhoof, executive director of the Smart Card Alliance, said in a statement. “This is just the latest example of the IoT vulnerabilities that exist today, demonstrating why the security of things is so critical. To protect connected devices and their data, the IoT industry needs the attention, coordination and commitment to security that the payments industry is putting into securing payments.”