The third meeting of the International Standards Organization's (ISO) Special Working Group (SWG) on the Internet of Things (IoT) recently took place in Chongqing, China. The purpose of the SWG is essentially to assess what has been done to date on IoT standards and to provide guidance to ISO about the IoT, so that existing standards can be evolved to meet the needs of the IoT where appropriate.
In the area of security, this may mean that the world's most widely adopted security standard, the ISO 27000 family of management and operational standards, gets an update to accommodate the new security requirements associated with the IoT.
Auditing and standards will be critical to the IoT because they enable technical interoperability and, from a risk management perspective, they enable business interoperability.
Without standards, getting independently developed IoT systems to work together will be a much more difficult process, involving an effectively infinite number of point-to-point relationships that simply do not scale.
Without standards, the IoT will evolve slower, will be more expensive and will ultimately possess lower quality and higher risk. The higher risk part will start with the business risks we discuss in this chapter, but extend to the operational risks we discuss in the next chapter and to an unlimited range of technical risks that we do not attempt to address.
The reason the IoT will be unmanageably risky without standards is the additional complexity that comes without them. The IoT will already be the most complex and intricate thing ever created by mankind, with billions and billions of (literally) moving parts connected by ubiquitous and heterogeneous (many different types of) networks. From a risk management and security perspective, no standards means each IoT system will need its own individual and unique security investment and assessment.
If each IoT system has individual and unique security, then each interface or connection between systems will have to be established through slow bilateral processes. Such a system would be uncontrollably expensive and would violate one of the most common business requirements of the IoT – that it possess financial justification: that the IoT creates value rather than destroying it.
The alternative to security standards in the IoT is an expensive, bilateral system of security and risk management. Otherwise, managers, owners and users simply accept unknown risk – the worst type of risk management decision of them all, and in many cases an option that runs counter to regulation and law.