The Internet of Things Alliance Australia (IoTAA) has published security guidelines for Australian companies planning or implementing Internet of Things projects.
Entitled the ‘Internet of Things Security Guideline’, the document was launched at KPMG’s new Melbourne offices by the IoTAA’s chairman of the board, and president and chairman of Robert Bosch Australia, Gavin Smith.
The goals of the document are to:
- Promote a ‘security by design’ approach to IoT
- Assist industry to understand the practical application of security and privacy for IoT use
- Help the IoT industry and digital service providers delivering IoT deployments
- Assist industry to understand some of the relevant legislation around privacy and security.
The document provides top-level guidance to CEOs, CIOs and other executives in industry sectors where significant IoT focus already exists, including:
- Consumer products, such as wearables and home automation
- Industrial sectors, including oil & gas, mining, manufacturing, and utilities
- Enterprise, including retail and insurance
- Smart cities, including intelligent transport, safety and security
- Agriculture and food services
- Automotive, including aero applications such as drones.
The guideline is the first in a series of documents on IoT security and network resilience that the IoTAA plans to release over the coming months.
Document co-author and outgoing chair of the IoTAA’s cybersecurity and network resilience workstream, Malcolm Shore, said in a statement: “IoT is everywhere, and we are already seeing the insecurity that it can bring.”
“We really want the guideline to help industry players understand how to practically apply security and privacy for IoT devices.”
The first step in the IoT journey
IoT Hub sat down with the IoTAA’s CEO Frank Zeichner to talk about the security guideline and where the IoTAA goes from here.
“What we’ve found is that while there’s plenty of stuff out there on security, applying security across IoT is somewhat unique,” he said.
“It’s the end-to-end nature of IoT security that’s unique, and it’s only just started to penetrate people’s consciousness.
“People keep thinking it’s data, and it’s not just data, it’s everything.”
The security guideline is the first document of its kind released by the IoTAA, and Zeichner said that it’s indicative of the alliance’s belief that the security component of IoT represents a unique opportunity for Australian business.
“There’s an industry opportunity for Australia in IoT security as opposed to cybersecurity, which is the application of it across services,” he explained.
“If we apply it to the industries that Australia is strong in, then we’ll be getting a reputation, a capability, and an exportability for IoT security in food systems, or transport, for example.
“That’s where Australian business can become strong and unique, it’s the application of it that’s the key.”
What about consumers?
The security guideline provides information for IoT technology providers and ecosystem builders, but doesn’t contain any information for the end consumer.
While the IoTAA does intend to create a document for consumers, Zeichner said that there’s a process that he intends to follow to achieve that goal.
“We want to be able to create a document, transfer the knowledge and make people aware of it, and then make people use and apply it,” he said.
“Unfortunately in Australia, we tend to be great at creating, average at transferring, and poor at applying, so we want to fix that problem.
“The IoTAA are going to create documents that we can share and mould with consumer groups like Choice, ACCAN, and the Government departments that have access to consumers, into something that consumers can understand.”
Such a document would contain realistic expectations around security, privacy, and the obligations for service providers and the consumers themselves, according to Zeichner.
Zeichner added that it would focus less on the technical aspects of security, and more on the rights that consumers will have in terms of IoT security.
Evolving the security guideline
The security guideline was published under a Creative Commons licence, which has allowed the IoTAA to engage with its parent group, the Communications Alliance, to publish a second version, with a view to turning it into a standardised industry guideline.
“The Comms Alliance will have a process of consultation with the public and their constituencies before they’ll release it as a Comms Alliance document,” he explained.
“We’re essentially doubling up on the document, in that regard, so it will be both an IoTAA document and a Comms Alliance document.
“We’ll also look to do the same with other documents as we create them.”