IoT For All
On this episode of the IoT For All Podcast, Ryan Chacon is joined by the Director of Operations at the ioXt Alliance, Grace Burkard, to discuss the importance of global standards for IoT security. Grace introduces herself and the company before diving into more specifics of what the alliance offers. She describes how the certification process works and the importance of third-party testing. Grace then discusses who can join the alliance and the goals they have moving forward. She wraps up the podcast by talking high-level about the challenges she’s seen in the IoT industry regarding security.
Grace Burkard, Director of Operations at ioXt Alliance, spearheads ioXt’s overall efforts in setting baseline security requirements to build a safer IoT world. Through her work with stakeholders and various international regulatory organizations like PSA Certified and NIST, Grace plays a crucial role in harmonizing and standardizing security and privacy requirements, product compliance programs, and public transparency of those requirements and programs.
Interested in connecting with Grace? Reach out on LinkedIn!
ioXt Alliance is the Global Standard for IoT Security. Founded by leading technology and product manufacturing firms, ioXt is the only industry-led, global IoT product security and certification program. Through the ioXt Certification Program, IoT product manufacturers and developers can gain formal certification to the ioXt global standard. The certification profiles encompass ioXt Alliance’s Security Pledge, which is the result of industries working together to set security standards that bring security, upgradability, and transparency to the market and directly into the hands of consumers. The program measures a product by each of the eight ioXt principles with clear guidelines for quantifying the appropriate level of security needed for a specific product. Once approved, the ioXt SmartCert informs end-users, retailers, and ecosystem partners that a product is secure. Products with the ioXt SmartCert give consumers and retailers greater confidence in a highly connected world.
(01:44) Introduction to Grace and ioXt Alliance
(03:05) Services of ioXt Alliance
(05:39) How the certification process works
(09:25) Importance of third-party testing
(10:50) Who can join ioXt Alliance
(12:25) Challenges in the industry
(18:47) Goals for the alliance
- [Voice Over] You are listening to the IoT for All Media Network.
- [Ryan] Hello everyone, and welcome to another episode of the IoT for All Podcast, the number one publication and resource for the Internet of Things. I'm your host, Ryan Chacon. If you are watching this on YouTube, please give this video a like and subscribe to our channel if you have not already done so. If you're listening to this on a podcast directory, feel free to subscribe as well so you get the latest episodes as soon as they are out. All right, on today's episode, we have Grace Burkard, the Director of Operations at ioXt Alliance. They are a global standard for IoT security, they are founded by leading technology and product-manufacturing firms. ioXt is the only industry-led global IoT product security and certification program in the world. Very awesome organization, very great alliance that we're gonna dive into a bit more in this conversation. So we'll talk about what the organization and the Alliance does; what their mission is; what the certification process looks like; the importance of third-party testing, validation, and certifications when it comes to connected devices in the space. And we talk a lot about the challenges that they see from their side, the security side, and what it looks like on that side of the landscape, as well as what're the goals for the Alliance moving forward, and how organizations, if you're listening to this, how you all can join, and what it's like being a member of the Alliance. So all in all, fantastic conversation. Grace is a great guest, I think you'll get a lot of value out of it. But before we get into this, if any of you out there are looking to enter the fast-growing and profitable IoT market but don't know where to start, check out our sponsor, Leverege. Leverege's IoT solutions-development platform provides everything you need to create turnkey IoT products that you can white label and resell under your own brand. To learn more, go to iotchangeseverything.com. That's iotchangeseverything.com.
And without further ado, please enjoy this episode of the IoT for All Podcast. Welcome, Grace, to the IoT for All Podcast, thanks for being here this week.
- [Grace] Yes, thank you for having me, I'm excited.
- [Ryan] Yeah, looking forward to this conversation. Let's kick this off by having you give a quick introduction about yourself to our audience.
- [Grace] Yes, my name is Grace Burkard. I am the director of operations for the ioXt Alliance. And that just pretty much means I wear a lot of different hats for the company, and I am involved in a lot of the day-to-day workings.
- [Ryan] Fantastic, so, speaking of the ioXt Alliance, tell us a little bit about what the Alliance does, kind of the objectives of the Alliance, what your overall mission is, kind of as an organization.
- [Grace] Yeah, absolutely, so, ioXt is the global standard for IoT security. We are an alliance of leading technology manufacturers, service providers, network operators, and retailers all working to improve the security of connected products. Our mission is to build confidence in the Internet of Things products through multi-stakeholder, international, harmonized, and standardized security and privacy requirements, product-compliance programs, and public transparency of those requirements and programs. We have over 600 member companies in over 50 countries. And continuing to grow.
- [Ryan] That's awesome, so from a services perspective, like, what is it that you all offer to the industry, you know, as an alliance?
- [Grace] Yes, so we do certification. And so, there're two methods of certification that we offer. And so, one is the third-party lab testing that everybody is well aware of, and then also self-attestation as well. So to get a little bit into that, with our third-party labs, which I'll give a shoutout to, they are DEKRA, Bishop Fox, NowSecure, Onward Security, NCC Group, Bureau Veritas, and SGS Brightsight. They've all gone through rigorous verification testing to become an authorized ioXt lab. Their lab contracts and pricing are separate from ioXt pricing. But, they obviously do an outstanding job with their testing capabilities, and work closely with the manufacturers to ensure that their products will meet ioXt certification. Even if a product doesn't meet security requirements, they will provide recommendations on how to improve the product security, and be able to retest once the changes have been implemented.
- [Ryan] Gotcha, and are the services that you kinda mentioned earlier, are those kinda the main ways that you all help products, or help make IoT products more secure? Or are there other, kind of, means to doing that, or kinda what's the focus, there?
- [Grace] Yeah, so we have, obviously, our labs. And then when it comes to self-attestation, we have our technical support group who, it's very interesting, but a relatively simple process. So if you go through, you're just answering some test questions and providing evidence to support those claims. You'll see a score at the end, and then you submit it to our technical support, our technical support then goes through, combing through the evidence. It's on a pass/fail basis. And so, if you don't pass, then they're also working with you. And they're making sure, if it's not meeting those requirements, why is it not meeting those requirements? So we've got that. We have a regulatory monitoring program with one of our other labs, Onward Security. They have what's called SecSAM, which does 24-hour monitoring for vulnerabilities. So yes, we have several tools. And it's a very handheld process, and we are more than happy to do that.
- [Ryan] And when we're talking about, like, the certification process, can you take us through what that means, how it works, just at a high level. 'Cause I know there're a lot of people out there listening and trying to understand what the value of standards and certifications like this are for the IoT space. But if you kind of maybe walk us through what the certification process looks like from the first, kinda, conversation through being certified, and the value there?
- [Grace] Yeah, absolutely, so, what we do is we'll have an initial call and walk you through our standards, and what we call our profiles. And I'm gonna back up just a little bit to explain our profiles a little. So we have a security pledge which focuses on eight core best practices that can be grouped into three categories: security, upgradeability and transparency. And so, we picked these three core areas to accommodate the differing values across different markets. For example, Europe tends to focus on transparency, while the US focuses more on security of devices and less on data privacy. Since we are looking to be the global security passport for manufacturers, we're committed to building a compliance program that can meet the needs of all the markets we operate in. So, these pledge items are the core of what we call the profiles. And so, when it comes to creating a security profile, we found that in each of these markets and devices, they have very unique extra security requirements that need to be addressed, right? A speaker is different than a camera, which is different than network lighting controller, which is different than apps. So on our first call, you know, we're going to walk through which profile makes sense for you and your device, right? Then we'll walk you through the portal and show you how to enter the information, what the portal looks like. If you're going to do self-attestation, we walk through the wizard. And if you're going to do labs, we'll walk through that process. And then, if you're working with the labs, there is actually a form on our website that you can go into and request a quote. Sends it to all of our labs, they will respond, and then you can go from there on picking who you'd like to work with. You send a device, and then testing takes anywhere from two to four weeks depending on their availability. Then they will enter their results back into the portal. And that then allows the manufacturer to go in and review if it... 
You'll see a scale, essentially, on where it meets. If it's going to meet minimum requirements, or is it going above and beyond, have you maxed out each level? And so, depending on what the manufacturer wants to do, some people will, if they don't max out, they'll go and change things, and then retest so that they do max out. If not, if you just meet minimum requirements, that's totally available as well. And with self-attestation, you're just entering all this information anyways. Both points will then get you to submitting it to ourselves. And then, like I said, we have our technical team that is reviewing. And it'll be both lab submission or self-attestation submission to see if it is pass/fail. And then- Yes, and self-attestation, you know, everybody asks, "Well, how long does that take?" And there's not a great answer, to be honest, because the process itself takes maybe 30 minutes. But depending on if you do or don't pass, like, if you don't pass, is it something small that needs to be changed? Is it something big that needs to be changed? How quickly can you make those changes? So we say anywhere from 30 minutes to four weeks.
- [Ryan] Okay. Very cool. And I know we kind of talked about this earlier, very high level, but if you could dive in a little bit more detail on the importance of just, and this is a general sense, just the importance of third-party testing, and validation, and certifications, in the IoT-connected-device kind of space when it comes to that security element of it? And this is not just for enterprise, necessarily, but this is also for the consumer side. Just talk about the overall importance of that in a general sense, not just directly, you know, connected to ioXt.
- [Grace] Yeah, and so, self-certification is an acceptable option with the right measures and protocols in place. But third-party testing is a good way to give end users, and enterprise, right, an extra dose of confidence and a way to actually get a leg up on competitors, right? So, you know, it's great to have ioXt certification regardless. But then, if you also go an extra step and get third-party, now you're going out to the world and saying, "Hey, look, it's not just me saying I have this. I've got third-party validation saying the same thing." And so, if you are in the industry and your competitor is just doing self-certification, you know, again, they've got the certification, so that is still a step up from not having ioXt certification, but I believe it gives you one leg up from your competitors to take that extra step and go the extra mile.
- [Ryan] Gotcha, fantastic, also, one thought I had, so we've actually talked to a number of different alliances within the IoT space, and yours is definitely a bit unique from the sense that we have never talked to anyone that's focused on security. So for our audience out there, who can join the Alliance to certify products, and how can they do that?
- [Grace] Yeah, that's a great question. So, pretty much anyone and everyone can join. We've got everybody from module vendors to product manufacturers, retailers, government agencies, network operators, labs. I mean, you name it, we've got it. And we actually encourage membership, because it's free and takes about 60 seconds to sign up right from our website. We do, obviously, encourage with a work email, we're not accepting any personal emails. But yes, it's very quick and easy. And we especially encourage new members to go in and sign up for our work groups. And that's either, if you wanna participate in the actual creation of global security standards, but also if people just wanna come in and are interested to listen in. What's going on, where is the industry going when it comes to cyber security and standards that're coming out there? I mean, there's always new regulations and policies that we keep seeing based on world events, and so, we take, obviously, that, and then we'll incorporate that into standards, whether it's a new profile or if we need to update our current ones. So membership gives you access to all of that.
- [Ryan] Gotcha. Cool, very cool. Another question I had is around the challenges that you all see as an alliance in the industry. So if we're talking about just the constantly-changing landscape, and it may be, you know, this is obviously more towards the security side, cybersecurity, even, side of things, how do you view that as a challenge, kind of, in the work that you all do or just in general, as it relates to the industry and the kind of effort to kind of progress forward?
- [Grace] Yes, yes, we are seeing this, right? It's ever-changing, there's always something new. And one day it's this vulnerability, the next it's this, there's a new hack that's happened that's impacting everybody. So yes, each new vulnerability has the potential for major impact to the industry and any new security measures that may need to be implemented. So, when you think about Log4j, when that happened earlier this year, and the vast impact it had on a lot of devices across a lot of different markets. So with that, you know, one of the tools that I mentioned earlier was we have these partnerships to help with this. And one of them is the SecSAM program with Onward Security, so to help with the 24-hour vulnerability monitoring. We are working with other regulators in other countries, even, to make sure that we are aligned on new policies, and making sure that we're updating our profiles to align with those, and anything new that might be relevant. We also require annual firmware updates of the products that have been certified with ioXt. So it's just making sure that everybody's up to date. A lot of our firmware updates are free of charge. So we really wanna encourage people to have the latest updates available and certified so you're not lagging behind, right? But we see other, yeah, but we see other challenges as well, you know? We see lack of harmonized cybersecurity standards among industries and countries as well. So most standards are similar enough or have a few of the same elements, but just different enough to not co-recognize each other. Which means manufacturers have to spend a lot of time, and money, and effort to go and get multiple certifications. Yeah.
- [Ryan] What do you think about, like, the lack of standards in the security space at times? What problems does that really cause, or challenges does that really cause for the industries? It kind of ties on to that last point where there're multiple that then they, you know, that's a big time suck. But, you know, just in general, if an industry is lacking those types of standards, I feel like that can create some headaches and some challenges for, not only the companies building products, but also, potentially, the adopters and customers as well.
- [Grace] Oh, absolutely, and we're seeing this all over the place. You know, there are plenty of devices or products that have started out dumb and now they've turned smart, right? And so, some aren't really, maybe, thinking about security yet. Because, you know, who would wanna hack a light bulb, or a thermostat, or a fish tank? I dunno if you've heard about that one, but it's crazy, the amount of products that're out there that're just not secured, and maybe don't have standards. It's very scary. And so, one of the things that we're looking at is just incorporating as many devices as possible. We have what we call our base profile. And so, this means that anything that doesn't have a specific profile that we already have, like I mentioned, residential camera, speaker, mobile app, network lighting controller, can certify against this base profile. And it will meet those core, base requirements to make something safe, or as secure as it possibly can be. Obviously, with all the security standards that're out there, hackers are getting used to them, they're coming up with more creative ways to hack things. So you can't ever guarantee security, but, with ioXt, we're definitely making it harder for them to get in, instead of just leaving it out there.
- [Ryan] Yeah, I mean, I think the more companies you work with and share insights and learnings like you would in an alliance, you are able to create better practices for preventing hacks and things like that. And if somebody's to choose between certain ways of going about it, it makes complete sense why you would go with something that has more backing, more support, more minds working on solutions to prevent hacking. But like you said, security is kind of a moving target, consistently. As you guys solve problems, hackers create new ones and it's just kind of the world, you know, that you live in. But that's the benefit of having these standards, is that you know that they've been tested, they've been tried, they're something that is up-to-date and a guideline to follow as opposed to kinda taking this on your own and trying to figure out how to do it. Especially in a space like you're talking about, well, as we're talking about with connected devices, you know, who would ever hack a fish tank? But sometimes that's maybe where the path of least resistance is for hackers because they know they can get into your network by going through something that you probably think, "Ah, no one's gonna ever hack a fish tank." It's like, well, that's the easy way in. So the more this is out there, the more companies are adopting these standards and best practices, I think, the better secured we will be as an industry. But, at the same time, it's a process.
- [Grace] Yes, absolutely, I mean, hacking's not going away, right? And so, I think the more that we have standards to help, they're gonna change. It's not static, right? So I think the industry needs to be open to changing quickly, right, being fluid. And I'm just not seeing that as often as I should, right?
- [Ryan] Absolutely, so let me ask then. Kinda moving forward, what are the goals for the Alliance, like, you know, kinda future outlook?
- [Grace] Yeah, so the goal for the Alliance is to be a one-stop shop for IoT security certification. If this means, you know, we're working with other organizations such as PSA, CSA Singapore, NIST, and others, to map our standards to one another in an effort to harmonize, or maybe equalize, standards around the world. You know, we started a regulatory wizard that aims to illustrate these efforts in our portal. So when you come, you'll be in our portal and you'll say, "Okay, I wanna be able to sell into Europe. Like, what're the standards that're out there, how much is ioXt coverage?" So we try to make that very easy, and take out the guesswork for our members. And then, you know, we strive to certify the whole ecosystem. So what that means is everything from a module, to a device, to a mobile app, you know, the whole ecosystem needs to be secure, not just one. And, you know, we're even looking into a cloud profile to help round out everything else. You know, cloud is getting bigger and bigger. So, we'd really like to work with more, just, big companies that already have these big ecosystems themselves, and can help drive cybersecurity adoption as well as other regulators that we're not already talking to. But I think, you know, overall, we're just excited to be growing as a company and help elevate cybersecurity of the industry to the next level.
- [Ryan] Yeah, absolutely, that's fantastic. So for our audience out there who wants to learn more, potentially inquire about joining, you know, maybe follow up on this discussion with any questions, what's the best way they can do that?
- [Grace] Yeah, if anyone's interested in certification or learning more, like you said, you can go to our website and join for free, and a representative will reach out to you. Otherwise, definitely feel free to reach out to me on LinkedIn, and we're excited to talk to anybody and everybody. Nothing is too small, no question too weird.
- [Ryan] That's good, that's good, that's good. Well, Grace, thank you so much for taking the time to kind of shed light on what you all are doing, and the importance of standards on the security side of things in IoT. It's been a very enlightening conversation, I think our audience is gonna get a lot of value out of this, so thanks again.
- [Grace] Yeah, thank you so much for having me, appreciate it.
- [Ryan] Absolutely, all right, everyone, thanks again for watching that episode of the IoT for All Podcast. If you enjoyed the episode, please click the thumbs-up button, subscribe to our channel, and be sure to hit the bell notification so you get the latest episodes as soon as they become available. Other than that, thanks again for watching, and we'll see you next time.