Talking IoT Standards With the Open Connectivity Foundation
Without standards, interoperability among vendor products and services can limit IoT’s growth.
September 5, 2019
There are so many variations of Internet of Things (IoT) technologies that standards are necessary if IoT endpoints are to work with multiple network types and interoperate with different vendors’ devices and network services. One organization, the Open Connectivity Foundation (OCF), has made it its job to provide the means for IoT devices and legacy systems to interoperate with one another, to create a seamless user experience.
History of the OCF
Created by merging the Open Interconnect Consortium, AllJoyn, and UPnP, OCF is led by a guiding principle that IoT will only happen if devices can effectively and securely communicate with each other, said Olivier Carmona, board member, Open Connectivity Foundation (OCF), and director of business development, Awox. The organization's primary goals include providing connection mechanisms between devices and between devices and the cloud, and managing the flow of information among devices, regardless of form, operating system, service provider, or transport.
Currently, the organization has 400 members who develop global standards for the IoT, covering the smart home, smart building, automotive, healthcare, and other industry verticals, said Carmona.
Where Are OCF and Standards Today?
To learn more about the state of IoT standards and the OCF’s efforts, I recently interviewed Carmona and got his thoughts on the subject and where the field of IoT standards is heading.
Q: What’s the OCF doing to achieve its goals of providing IoT standards?
The OCF has accomplished its first goal of providing a universal, secure communication framework from specifications to source code. This includes a certification program that enables manufacturers to bring OCF-certified products to market. OCF solutions match any device type and offer state-of-the-art security that is tested during certification.
The second goal the OCF reached was to build seamless bridges between current IoT devices, legacy systems, and OCF-certified products. To achieve this goal, we leverage existing industry standards and technologies.
Q: What makes IoT security so important and what has OCF done in terms of delivering it?
Many instances have occurred in which insecure connected devices such as smart toys or thermostats have fallen victim to hackers. Hackers can use these devices to gain access to what would be secured networks and steal information, demand ransom, or worse. Securing each device in your network greatly thwarts these situations.
The OCF applies the security-by-design method (IoT Security by Design) in which IoT security is required from the beginning of device development and throughout its life cycle, implementing identification, network onboarding, communication, and upgrades. Below, I elaborate on these steps:
Identification: The foundation for IoT security is a strong endpoint identity – each endpoint must have an identifier that is immutable, globally unique, and attestable. The OCF supports strong identity through the incorporation of digital certificates in each endpoint – IoT devices, gateways, and cloud services. Using the digital certificate, the identity of each OCF endpoint can be verified and attested using asymmetric cryptography and an ecosystem public key infrastructure (PKI) administered by the OCF. The OCF’s PKI adheres to WebTrust’s principles and criteria for certificate authorities, and the OCF will be regularly audited by an independent third party to ensure compliance with the OCF certificate policy.
Network onboarding: The OCF provides secure mechanisms for authentication and authorization to minimize the potential for compromising an IoT device or service during the onboarding process. The OCF has defined a common process for onboarding a new device or service that identifies the endpoint (device or cloud service) and determines the access that endpoint will have to the other resources that are part of the OCF deployment and vice versa. Additionally, the OCF Specification supports the use of access control lists to manage authorizations.
Communication: Strong confidentiality protections ensure sensitive information (at rest and in transit) remains private and inaccessible to unauthorized parties. The OCF Specification supports mutual authentication and ensures that communications containing sensitive information are encrypted, using DTLS or TLS. The OCF also requires the use of DTLS and TLS to ensure the integrity of communications between OCF endpoints. A secure IoT device or service is available when it’s needed for its legitimate use and unavailable when it’s not. Moreover, IoT devices and services use restrictive, rather than permissive, default network traffic policies to limit communications to expected norms – guarding against both unintended and malicious denial of service attacks that can disrupt the availability of the device or other devices on the network. By design, the OCF enables access permissions and authorizations to incorporate the principles of least privilege and separation of duties.
Upgrade: IoT security requires vigilance throughout the lifecycle of the device. Vulnerabilities can be discovered, and new exploits can emerge after IoT devices or services are deployed. The OCF Specification supports the evaluation of current software as well as triggering updates for software and firmware. Moreover, the OCF maintains an online repository of OCF device certification results called the OCF Conformance Management System (OCMS). The OCMS can be referenced to determine the most up-to-date certification status of an OCF-Certified device, including security attributes of the device and the version of the OCF Specification against which it was certified.
Q: How are standards and standards bodies helping to secure the IoT? Are the standards groups cooperating or competing?
Developing IoT security can’t be brought by a single actor in the industry. Standards bodies are here to help build a secure framework that everybody can follow, no matter how large or small your device project or deployment might be.
The OCF is here to help every organization in making the IoT a reality. We are offering a common place for organizations to deposit their data models and translate from one IoT language to another. We believe in a future built on the cooperation of different industries.
Q: How can interested organizations get involved with the OCF and learn more?
The OCF public specifications are available on our website, and even better, an open source implementation of the OCF Specification is available at IoTivity.org. The OCF organizes public events every quarter for developers and potential members to learn more about things like how to build working devices together.