Qualcomm Technologies joined the IoT Cybersecurity Alliance formed earlier this year (see 1702080045) by AT&T, IBM, Nokia, Palo Alto Networks, Symantec and Trustonic, said the Qualcomm subsidiary in a Wednesday news release.
IoT is advancing so rapidly it will generate "a whole new spectrum of data analytics" and other services that will transform how companies operate, but few have a strategy to take advantage of it, ABI Research said in a Tuesday news release. “From the creation of application enablement platforms and innovative management services, to artificial intelligence and machine vision applications, we will experience transformative data governance and exchange services between all intertwined verticals,” industry analyst Dimitrios Pavlakis said. Only a few companies like Bosch, Ericsson and Gemalto are taking advantage of the transformation, he said.
Citing an AT&T cybersecurity report based on a survey of 5,000 global enterprises, CableLabs said in a Thursday blog post that 85 percent of enterprises have IoT device deployments in the works, but only 10 percent of those feel confident they could secure them in case of a cyberattack. On what the cable industry is doing to secure devices, Ron Ih, Kyrio Security Solutions director-business development, said the most important IoT security trend this year is the use of digital certificates and public key infrastructure to better secure the onboarding process when a device is authenticated and added to a network. With digital certificates that are issued and signed by a reputable source -- a certificate authority or root of trust -- devices exchange digital certificates to cryptographically authenticate each other’s identity and origin, said Ih. In addition to increasing security, digital certificates improve the customer experience by eliminating the need to enter a PIN, he said. Cryptographic signatures within the certificates can’t be forged or recreated without the proper private key at the source, said Ih. On the main challenges facing the IoT today, Ih said most device makers don’t have security experts and are “unprepared to manage security complexities.” Device makers deal with millions of devices per year, work with firmware and small footprint applications and have limited computing power and storage, he said: Security can be limited to what’s deemed essential to reduce costs and delivery times. In contrast, security companies have traditionally operated in the world of enterprise computing and networking with large corporations that have information technology staff specializing in security. The two create a “large mismatch” between what a device maker needs and what a security company is equipped to provide, “resulting in the two parties talking past each other,” the expert wrote. 
Device security ends up being omitted or left as an afterthought “because it currently takes too much effort and cost to understand and implement it,” said Ih. Tackling IoT security effectively requires addressing the time required to implement security, he said. On what companies can do to improve product security, Ih suggested leveraging security as an “opportunity to improve customer experience and revenues. Consumers don’t buy security for security’s sake,” he said. “They buy products that make their lives easier and more convenient.”
The National Institute of Standards and Technology drafted updates to security and privacy guidelines for government systems, which also can be applied to private-sector IoT devices, said a Tuesday news release. For the first time, privacy is "fully integrated" into revisions to special publication 800-53, security and privacy controls for information systems and organizations, it said. For instance, NIST said the publication suggests how to minimize data collection of traffic-monitoring cameras. Comments on draft revisions are due Sept. 12.
5G Americas predicts 5G could be deployed in “non-standalone versions” as early as 2019, with deployment continuing through 2030. “5G is being designed to integrate with LTE, and some 5G features may be implemented as LTE-Advanced Pro extensions prior to full 5G availability,” Rysavy Research reported for the group. Another big story of the year is that LTE is quickly becoming the industry standard, the group said. “A previously fragmented wireless industry has consolidated globally on LTE,” 5G Americas said. “LTE is being deployed more quickly than any previous-generation wireless technology.” 5G Americas also sees the IoT as “poised for massive adoption.” Industry is “in the nascent stages of the transformation that ubiquitous connectivity is enabling,” 5G Americas said. “Early examples ... include virtual and augmented reality, autonomous driving, smart cities, wearable computers, and connected devices.”
The Massachusetts-based Industrial Internet Consortium and China-based Edge Computing Consortium signed a memorandum of understanding to advance interoperability and portability of the industrial IoT, said a joint Wednesday news release. Activities will include identifying and sharing industrial IoT best practices, developing test beds and R&D projects, and working on standardization. The groups said they will meet Aug. 30 in Beijing.
Legislation requiring the government to buy IoT devices with certain minimum security standards was introduced today by a bipartisan group including Sens. Steve Daines, R-Mont., Cory Gardner, R-Colo., Mark Warner, D-Va., and Ron Wyden, D-Ore. In a Tuesday joint news release, they said the Internet of Things Cybersecurity Improvement Act would mandate vendors ensure their devices are patchable, rely on industry standard protocols, don't include hard-coded passwords that can't be changed and don't have any known vulnerabilities. It would instruct the Office of Management and Budget "to develop alternative network-level security requirements for devices with limited data processing and software functionality" and direct the Department of Homeland Security to issue guidelines on vulnerability disclosure policies for contractors. The release said the bill has endorsements from the Atlantic Council, Cloudflare, Center for Democracy & Technology, Mozilla, Symantec, TechFreedom and others.
NTIA scheduled its next multistakeholder meeting on IoT security upgradeability and patching for Sept. 12 from 10 a.m. to 4 p.m., said a Federal Register Tuesday notice. Participants have been meeting since October to draft guidance on consumer outreach and communications and ways to incentivize companies to make IoT software upgrades (see 1610190051 and 1707180006). The meeting will be at the American Institute of Architects, 1735 New York Ave. NW.
Forty-six organizations and individuals filed comments with NTIA on how to prevent botnets and other automated threats, with many backing more government-industry collaboration (see 1707280030). Google and Alphabet's Nest Labs said they use security practices for their connected devices such as security by design, strong authentication and password practices, encryption, network security, automatic software updates and bug bounty programs. Microsoft described the work its digital crimes unit does with public and private sector partners to disrupt botnet operations and what the company does to improve hardware and software security. The Information Technology Industry Council said new IoT device makers such as startups may not be using best practices for secure device development and other cybersecurity approaches. ITI said barriers to the movement of global data could impede cyberthreat information sharing, citing as problematic 2013 changes to the Wassenaar Arrangement export control rules (see 1702130031). ACT|The App Association said law enforcement plays a vital role in preventing and mitigating attacks, requiring "close coordination" between U.S. and foreign governments and upfront forensic analysis. It said DOJ's position on law enforcement access to data stored abroad isn't aligned with U.S. law and "guaranteed rights" and this undermines the international rule of law, calling for more streamlined processes. NCTA said NTIA should push for a more "holistic approach" to fighting such threats, including application of artificial intelligence and adoption of mutually agreed norms for routing security. USTelecom supports principles for cybersecurity policymaking: private sector leadership and market-driven innovation; a dynamic flexible approach to security; shared responsibility among internet and communications stakeholders, government and consumers; and "active partnership against bad actors, not top-down government requirements."
Samsung announced the Artik Cloud Monetization system in a Monday news release as a way for connected device makers and service providers to monetize IoT data. Artik allows manufacturers to shift their operating model from selling hardware to selling products connected to digital applications, enabling new business models such as hardware as a service, Samsung said. The system gives device makers a way to recoup costs of an ecosystem of third-party devices, apps and services, which to date they had to absorb themselves or factor into products’ retail cost, it said. Artik includes a brokering, metering and payments system and is part of a long-term Samsung strategy to develop secure IoT products and services, wide-scale interoperability and a platform “for an entire IoT ecosystem to thrive,” said James Stansberry, Samsung global head-Artik. Stansberry compared the model to the smartphone market that’s driven by open systems, interoperability and “support from innovative applications.”