A meeting of global standards bodies in Hamilton last week resolved to initiate work on a set of global security standards for IoT.
The International Organisation for Standardisation and the International Electrotechnical Committee’s joint subcommittee on IT Security techniques (ISO/IEC JTC1/SC27) brought some 300 people from 30 countries to Hamilton at the end of April for the first of its regular plenary meetings ever to be held in New Zealand.
Eric Hibbard, CTO Security and Privacy with Hitachi Data Systems is the US’s international representative officer on SC27. He told Computerworld that the committee’s decision to start work on IoT security standards was one of the most significant to come out of the week long meeting.
“We have been looking at it for three years and now we have very specific marching orders,” he said. “We have made a decision to stop studying it and get on with the work.”
Hibbard said the next stage in the process would be for the committee’s working group 4, which is responsible for security controls and services, to determine between now and the next SC27 meeting in Berlin in the northern autumn exactly how it would go about developing these standards.
“There is a team of four rapporteurs that will be meeting to figure out how we will engage and there are three teleconferences scheduled between now and Berlin to formally look at what we are going to do. I expected on one of these conference calls we will deicide on the structure we are going to go with,” Hibbard said.
While there are many organisations working on IoT standards, Hibbard said those developed by ISO/IEC would be particularly important.
“There are a lot of organisations that claim to be standards organisations but there are three that are special: ISO, IEC and ITU-T [The International Telecommunication Union’s Telecommunications sector]. If an issue goes to the World Trade Organisation those are the only three recognised by the WTO.”
He added: “We know that ITU-T Study Group 30 that is focussed on IoT and smart cities is watching us and whatever comes out of our work we expect SG30 to come to us and say they would like to sign on.”
Hibbard explained that recognised international standards could play a key role in trade protection issues brought before the WTO.
“When a country starts developing domestic standards that have the potential of restricting trade the WTO can lean on the country to adopt standards recognised by the big three. If a country sticks to those standards they cannot really be accused of being anticompetitive.”
Standards New Zealand was the host organisation for the meeting, which was held at the University of Waikato. However it was organised on behalf of the organisation by the US-based Cloud Security Alliance. Auckland based network monitoring technology provider Endace was a gold sponsor. Hibbard said CSA had stepped in because the cost of organising such events could be prohibitive for small organisations.
The event’s co-convenor and head of the University of Waikato’s Cyber Security Lab, Dr Ryan Ko, when he announced the event in January, hailed it as “a great achievement for New Zealand cyber security on the global stage.”
He said New Zealand had been able to win the hosting bid ahead of prominent member nations such as China, thanks to support from Tourism New Zealand.