Hi all,

As Marco promised, here's an overview of the main topics discussed during yesterday's IoT BoF at RIPE 74. Please let me know if you have any questions, and by all means, please contribute your own ideas and thoughts to keep the discussion going.

********

Eliot Lear from Cisco Systems kicked off the discussion with an overview of the many factors involved in IoT security, focusing on the existing divide between manufacturers, vendors, service providers, governments and consumers. His main question to the group was whether ISPs want to organise in order to try to tackle the issue of IoT security, and to try to define what part of the problem they could potentially contribute to.

A lot of different potential solutions were discussed in terms of what these different stakeholders can do to mitigate the serious security threats that exist across the IoT landscape.

On a technical level, these included:

- banning the use of default usernames and passwords
- the need for cryptographically enhanced protocols and firmware updates
- the possibility of disconnecting misbehaving devices
- a potential requirement for two-step verification before any new devices connect for the first time
- creating "gaps" in the architecture so that things can be shut down if necessary
- intelligent computing that extends all the way to the edge

On a non-technical level, ideas debated included:

- the extent to which regulation can play a role
- the need to educate governments about the technical aspects involved
- the viability of shared standards across borders
- the need to create market demand for secure devices among consumers

The role and responsibility of ISPs as gatekeepers of potentially malicious traffic was also discussed, along with the difficulty of keeping up with security advances when it comes to devices that are likely to exist for years beyond their initial deployment.
The group agreed that the technical community could do more to educate manufacturers about what "good security" looks like and share its expertise with them. However, the point was made that network operators may also have a direct role to play and should not simply point fingers elsewhere. What about quarantining bad actors at the ISP level, for example?

Another focus was the lack, for IoT devices, of the kind of clear chain of accountability that exists, for example, in car manufacturing. Who is responsible when something goes wrong? There are many layers to security, from the control of and access to devices, to what information devices produce and where this is shared. In addition, different approaches will be needed for different types of devices (e.g. light bulbs probably shouldn't be treated the same way as pacemakers).

Paul Rendek from the RIPE NCC urged participants to figure out which piece of the IoT discussion the RIPE community can most effectively contribute to and to "own that space" by actively participating in external fora such as the ITU, the IEEE and others. There was general agreement that the RIPE community should get more involved and help shape the public policy debate before regulation comes into place.

The group agreed that there is a lot of interest in the IoT and in how the RIPE community can help mitigate security risks, and there was overwhelming support for the possible creation of a new RIPE Working Group focused on IoT. There was also consensus that the group needed to move quickly in light of how fast things in IoT are moving forward. Volunteers came forward to draft a rough outline of a charter, and RIPE Chair Hans Petter Holen offered a slot during the Friday plenary session at RIPE 74 so it could be discussed more broadly.

********

We'll report back on the outcome of the discussion on Friday... stay tuned!

Cheers,
Suzanne

_____________________
Suzanne Taylor
External Relations Officer
RIPE NCC